| 1 |
El 21/06/17 a las 01:02, "Tóth Attila" escribió: |
| 2 |
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt |
| 3 |
> The advisory suggests: |
| 4 |
> 1. Increase the size of the stack guard-page to at least 1MB |
| 5 |
> - I skip this point |
| 6 |
> 2. Recompile all userland code with GCC's "-fstack-check" option |
| 7 |
> - I checked current and recent gcc versions. |
| 8 |
> |
| 9 |
> 6.3.0 seems to be fine: |
| 10 |
> gcc version 6.3.0 (Gentoo Hardened 6.3.0 p1.0) |
| 11 |
> gcc -dumpspecs | grep -B 1 stack-check |
| 12 |
> *cc1: |
| 13 |
> %{!mandroid|tno-android-cc:%(cc1_cpu) %{profile:-p};:%(cc1_cpu) |
| 14 |
> %{profile:-p} %{!mglibc:%{!muclibc:%{!mbionic: -mbionic}}} |
| 15 |
> %{!fno-pic:%{!fno-PIC:%{!fpic:%{!fPIC: |
| 16 |
> -fPIC}}}}}%{fstack-check|fstack-check=*:;: -fstack-check} |
| 17 |
> |
| 18 |
> 5.4.0 also looks fine: |
| 19 |
> gcc version 5.4.0 (Gentoo Hardened 5.4.0-r3 p1.3, pie-0.6.5) |
| 20 |
> gcc -dumpspecs | grep -B 1 stack-check |
| 21 |
> *esp_cc1_ssp: |
| 22 |
> %{!fno-stack-protector: %{!fno-stack-protector-all: %{!fno-stack-check: }}} |
| 23 |
> -- |
| 24 |
> *esp_options_ssp: |
| 25 |
> %{nostdlib|ffreestanding|fno-stack-protector|fstack-protector| |
| 26 |
> fstack-protector-all|fstack-protector-strong:;:-fstack-protector-all} |
| 27 |
> %{fstack-check|fstack-check=*:;: -fstack-check} |
| 28 |
> |
| 29 |
> I assume it is OK like this. |
| 30 |
> Please confirm this conclusion. |
| 31 |
> Thx: Dw. |
| 32 |
|
| 33 |
Stack-check is enabled since (at least) 4.8.4. But you'll need to have |
| 34 |
recompiled the whole system with stack-check enabled so it will work as |
| 35 |
it should as commented on |
| 36 |
https://gcc.gnu.org/ml/gcc-patches/2017-06/msg01343.html |
| 37 |
|
| 38 |
I'm working on preparing a statement we can publish on behalf of the |
| 39 |
project, but I'm unsure when it'll be ready. |
Archives