Bug Classes/Stack overflow

From Linux Kernel Security Subsystem
Latest revision as of 21:48, 4 November 2015

Details

The traditional bug is a write that runs past the end of a stack buffer and through the rest of the stack frame, which lets the saved instruction pointer (the return address) be overwritten in order to gain execution control ("stack buffer overflow"). A stack depth overflow bug is when the stack grows past its maximum size (via deep call stacks or via alloca abuse) and runs into whatever sits next to it, allowing writes onto other kernel stacks or onto the thread_info structure kept at the base of the stack. Other attacks stay within the stack frame and manipulate local variables instead ("data only" attacks), and some attacks allow writing at arbitrary offsets between kernel stacks.

Examples

  • half-nelson.c: uses stack offsets rather than the traditional buffer overflow.

Mitigations

  • stack canaries (e.g. gcc's -fstack-protector and -fstack-protector-strong)
  • guard pages (e.g. GRKERNSEC_KSTACKOVERFLOW)
  • alloca checking (e.g. PAX_MEMORY_STACKLEAK)
  • kernel stack location randomization
  • shadow stacks
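The following is an added example, not code from this wiki or from the kernel, illustrating the traditional stack buffer overflow from the Details section beside the bounded copy that fixes it, and what the stack-canary mitigation listed above does and does not catch. The frame layout (local buffer, canary, saved frame pointer, saved return address), the constant values standing in for the canary and addresses, and every function name here are assumptions made for the example; the frame is modelled as a struct so the overflow stays well-defined C while still showing which slot each attacker-controlled byte lands on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an x86-64 frame for a function with one 16-byte local
 * buffer, in the low-to-high order GCC uses under -fstack-protector:
 * buffer, canary, saved frame pointer, saved return address. */
struct frame {
    unsigned char buf[16];
    uint64_t canary;
    uint64_t saved_fp;
    uint64_t ret_addr;
};

/* Constructed stand-ins for the secret canary, the saved rbp and the caller's
 * return address.  Real canaries keep their low byte zero so a strcpy-style
 * overflow stops before copying a full value; this model uses memcpy, so that
 * property is not exercised here. */
#define CANARY_VALUE 0x5a3c9e17f2b4a600ULL
#define LEGIT_FP     0x00007ffc1234f000ULL
#define LEGIT_RET    0x0000000000401234ULL

void frame_init(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary   = CANARY_VALUE;
    f->saved_fp = LEGIT_FP;
    f->ret_addr = LEGIT_RET;
}

/* The traditional bug: `len` is caller-controlled and never compared with the
 * 16-byte buffer.  The only check keeps the write inside the model; a real
 * function would keep writing up the stack past its own frame. */
int vulnerable_copy(struct frame *f, const unsigned char *src, size_t len)
{
    if (len > sizeof *f)
        return -1;
    memcpy((unsigned char *)f + offsetof(struct frame, buf), src, len);
    return 0;
}

/* The fixed form: the copy is bounded by the destination, not the source. */
int hardened_copy(struct frame *f, const unsigned char *src, size_t len)
{
    if (len > sizeof f->buf)
        return -1;
    memcpy(f->buf, src, len);
    return 0;
}

/* What the -fstack-protector epilogue checks before `ret`: a changed canary
 * slot means the function aborts (__stack_chk_fail) instead of returning. */
int canary_intact(const struct frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* Nonzero once the saved return address no longer points where the caller
 * left it, i.e. execution control has been taken. */
int control_hijacked(const struct frame *f)
{
    return f->ret_addr != LEGIT_RET;
}

/* Attacker input: fill the buffer, then overwrite the canary slot with
 * `canary_guess`, the saved frame pointer, and the return address with
 * `new_ret`.  Returns the payload length (one whole frame, 40 bytes). */
size_t build_payload(unsigned char *out, uint64_t canary_guess, uint64_t new_ret)
{
    uint64_t fp = LEGIT_FP;

    memset(out, 'A', offsetof(struct frame, canary));
    memcpy(out + offsetof(struct frame, canary),   &canary_guess, sizeof canary_guess);
    memcpy(out + offsetof(struct frame, saved_fp), &fp,           sizeof fp);
    memcpy(out + offsetof(struct frame, ret_addr), &new_ret,      sizeof new_ret);
    return sizeof(struct frame);
}

int main(void)
{
    struct frame f;
    unsigned char payload[sizeof(struct frame)];
    size_t n;
    int rc;

    /* 1. Attacker does not know the canary: control is taken, but the
     *    epilogue check catches it before the corrupted return executes. */
    frame_init(&f);
    n = build_payload(payload, 0x4141414141414141ULL, 0xdeadbeefULL);
    vulnerable_copy(&f, payload, n);
    printf("blind overflow: hijacked=%d canary_intact=%d\n",
           control_hijacked(&f), canary_intact(&f));

    /* 2. Canary leaked beforehand (info leak): same overflow, check passes.
     *    Canaries detect an overflow; they do not prevent one. */
    frame_init(&f);
    n = build_payload(payload, CANARY_VALUE, 0xdeadbeefULL);
    vulnerable_copy(&f, payload, n);
    printf("leaked canary:  hijacked=%d canary_intact=%d\n",
           control_hijacked(&f), canary_intact(&f));

    /* 3. The bounded copy refuses the oversized input outright. */
    frame_init(&f);
    rc = hardened_copy(&f, payload, n);
    printf("hardened copy:  rc=%d hijacked=%d\n", rc, control_hijacked(&f));
    return 0;
}
```

The second scenario is the caveat that matters in practice: a canary only helps when the attacker cannot read it first, which is why the mitigations above pair it with stack location randomization and leak prevention rather than relying on it alone.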