Does the RLIMIT_STACK bug you're hinting at have any real-life relevance for @grsecurity kernels?
-
I didn't try, but it should make Stack Clash easier to hit on old grsecurity since the memory layout becomes controllable again
-
Actually, what memory layout becomes controllable again?
-
legacy bottom-up vs regular top-down mmap layout, see IV.1.1, IV.1.4, IV.1.5. IV.1.6 misses this, so the analysis is incomplete.
-
Well, IV.1.1-5 of the Qualys analysis covers the behaviour of *vanilla* Linux, not grsec. Don't mix that up!
-
All of the described attacks require passing large argv[] + envp[] to the SUID binary. However, grsec limits them to 512kB.
-
For the sudo vulnerability (which allows working around even this restriction) the advisory states an "exploitation [is] impossible".
-
So even without the 8 MB RLIMIT_STACK restriction in place, grsec has other mechanisms making 'Stack Clash' kind of attacks infeasible: pic.twitter.com/GZA1uDElZI