Bug Classes/Stack overflow

From Linux Kernel Security Subsystem

Revision as of 21:44, 4 November 2015 by KeesCook (talk | contribs) (→‎Mitigations)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

Details

The traditional bug results in the stack buffer being written past the end of the stack frame, which allows the saved instruction pointer to be overwritten in order to gain execution control. Other attacks could stay within the stack frame, manipulating local variables ("data only" attacks). Some attacks allow for arbitrary offsets between kernel stacks to be written.

Examples

half-nelson.c This uses stack offsets, rather than the traditional buffer overflow.

Mitigations

stack canaries (e.g. gcc's -fstack-protector and -fstack-protector-strong)
guard pages (e.g. GRKERNSEC_KSTACKOVERFLOW)
alloca checking (e.g. PAX_MEMORY_STACKLEAK)
kernel stack location randomization
shadow stacks

Retrieved from "http://kernsec.org/wiki/index.php?title=Bug_Classes/Stack_overflow&oldid=3725"