Difference between revisions of "Bug Classes/Stack overflow"

From Linux Kernel Security Subsystem
Revision as of 21:35, 4 November 2015

Details

The traditional bug results in a stack buffer being written past the end of its stack frame, which lets the saved instruction pointer be overwritten in order to gain execution control. Other attacks stay within the stack frame and manipulate local variables ("data only" attacks). Some attacks allow writes at arbitrary offsets between kernel stacks rather than a contiguous overflow.

Examples

  • half-nelson.c (https://jon.oberheide.org/files/half-nelson.c): uses stack offsets rather than the traditional buffer overflow.

Mitigations

  • stack canaries (e.g. gcc's -fstack-protector and -fstack-protector-strong; kernel support: https://git.kernel.org/linus/8779657d29c0ebcc0c94ede4df2f497baf1b563f)
  • kernel stack location randomization
  • shadow stacks
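As an added illustration (not part of this wiki page or the kernel's code), the following C model shows why the stack canary listed above catches the traditional linear overflow from the Details section but not a write that lands at an offset below the canary. The frame layout follows gcc's -fstack-protector ordering; the canary constant, return-address value and the priv_flag local are constructed for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of one stack frame compiled with -fstack-protector: gcc puts
 * scalar locals lowest, character arrays directly below the canary, and the
 * saved frame pointer / return address above it. */
#define CANARY   0x2f5e9c81a3d70f00ULL  /* fixed here; the kernel uses a random value */
#define RET_ADDR 0x2000ULL              /* constructed placeholder return address */
struct frame {
    uint64_t priv_flag;   /* scalar local: what a "data only" write changes */
    uint8_t  buf[16];     /* local buffer: what the classic overflow fills */
    uint64_t canary;      /* guard word, checked before return */
    uint64_t saved_fp;    /* saved frame pointer */
    uint64_t ret_addr;    /* saved instruction pointer, the classic target */
};
enum { CAUGHT = 1, RET_CLOBBERED = 2, LOCAL_CHANGED = 4 };

/* Prologue plants the canary; the epilogue check is what __stack_chk_fail() reports on. */
static void frame_enter(struct frame *f) { memset(f, 0, sizeof *f); f->canary = CANARY; f->ret_addr = RET_ADDR; }
static int frame_leave_ok(const struct frame *f) { return f->canary == CANARY; }

/* Classic bug: len bytes copied into the 16-byte buffer with no bounds check.
 * Reports whether the canary check fires and whether the saved IP was reached. */
int linear_overflow(size_t len)
{
    struct frame f;
    uint8_t src[sizeof f];
    size_t off = offsetof(struct frame, buf);
    int r = 0;
    memset(src, 'A', sizeof src);
    if (len > sizeof f - off) len = sizeof f - off;  /* keep the model inside its frame */
    frame_enter(&f);
    memcpy((uint8_t *)&f + off, src, len);           /* the unchecked copy */
    if (!frame_leave_ok(&f))    r |= CAUGHT;
    if (f.ret_addr != RET_ADDR) r |= RET_CLOBBERED;
    return r;
}

/* Offset-style write (the half-nelson.c pattern): one word stored at an arbitrary
 * frame offset. Below the canary it alters a local yet passes the epilogue check. */
int offset_write(size_t off, uint64_t val)
{
    struct frame f;
    int r = 0;
    frame_enter(&f);
    if (off + sizeof val <= sizeof f)
        memcpy((uint8_t *)&f + off, &val, sizeof val);
    if (!frame_leave_ok(&f)) r |= CAUGHT;
    if (f.priv_flag != 0)    r |= LOCAL_CHANGED;
    return r;
}
```

The second function is the reason canaries are paired with the other mitigations in the list: a write that never crosses the guard word leaves nothing for the epilogue check to notice.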