1 |
El 21/06/17 a las 01:02, "Tóth Attila" escribió: |
2 |
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt |
3 |
> The advisory suggests: |
4 |
> 1. Increase the size of the stack guard-page to at least 1MB |
5 |
> - I skip this point |
6 |
> 2. Recompile all userland code with GCC's "-fstack-check" option |
7 |
> - I checked current and recent gcc versions. |
8 |
> |
9 |
> 6.3.0 seems to be fine: |
10 |
> gcc version 6.3.0 (Gentoo Hardened 6.3.0 p1.0) |
11 |
> gcc -dumpspecs | grep -B 1 stack-check |
12 |
> *cc1: |
13 |
> %{!mandroid|tno-android-cc:%(cc1_cpu) %{profile:-p};:%(cc1_cpu) |
14 |
> %{profile:-p} %{!mglibc:%{!muclibc:%{!mbionic: -mbionic}}} |
15 |
> %{!fno-pic:%{!fno-PIC:%{!fpic:%{!fPIC: |
16 |
> -fPIC}}}}}%{fstack-check|fstack-check=*:;: -fstack-check} |
17 |
> |
18 |
> 5.4.0 also looks fine: |
19 |
> gcc version 5.4.0 (Gentoo Hardened 5.4.0-r3 p1.3, pie-0.6.5) |
20 |
> gcc -dumpspecs | grep -B 1 stack-check |
21 |
> *esp_cc1_ssp: |
22 |
> %{!fno-stack-protector: %{!fno-stack-protector-all: %{!fno-stack-check: }}} |
23 |
> -- |
24 |
> *esp_options_ssp: |
25 |
> %{nostdlib|ffreestanding|fno-stack-protector|fstack-protector| |
26 |
> fstack-protector-all|fstack-protector-strong:;:-fstack-protector-all} |
27 |
> %{fstack-check|fstack-check=*:;: -fstack-check} |
28 |
> |
29 |
> I assume it is OK like this. |
30 |
> Please confirm this conclusion. |
31 |
> Thx: Dw. |
32 |
|
33 |
Stack-check is enabled since (at least) 4.8.4. But you'll need to have |
34 |
recompiled the whole system with stack-check enabled so it will work as |
35 |
it should as commented on |
36 |
https://gcc.gnu.org/ml/gcc-patches/2017-06/msg01343.html |
37 |
|
38 |
I'm working on preparing a statement we can publish on behalf of the |
39 |
project, but I'm unsure when it'll be ready. |