Bug Classes/Stack overflow

From Linux Kernel Security Subsystem
Latest revision as of 21:48, 4 November 2015

Details

The traditional form of the bug is a write past the end of a fixed-size buffer that lives in a stack frame. Because the saved frame pointer and saved return address sit just above the locals in the same frame, a linear overrun reaches them, and a corrupted return address redirects execution when the function returns ("stack buffer overflow"). A stack depth overflow is a different bug: the stack itself grows past its maximum size (THREAD_SIZE), either through deep or recursive call chains or through caller-controlled alloca/VLA sizes, so that further frames land on whatever is adjacent to the stack, such as another task's stack or the thread_info structure that historically shared the stack allocation. Other attacks never leave the frame: they corrupt local variables, flags or pointers to change what the function does without touching control flow ("data-only" attacks). Finally, some bugs give a write at an attacker-chosen offset from the stack pointer (an unchecked array index, for example); such a write can reach saved registers, other frames or other kernel stacks while skipping anything placed between the buffer and its target.
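The three variants above, each beside a bounded version, as an added example that is not code from this page or from the kernel. It is plain user-space C so it runs stand-alone: parse_record_*, walk_* and set_slot_* are hypothetical functions, and STACK_BUDGET stands in for THREAD_SIZE. The unchecked variants are real bugs and are only ever called with in-range arguments here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FRAME_BUF    32    /* size of the fixed stack buffer in the model function */
#define STACK_BUDGET 256   /* assumed stack budget for the recursive walker; stand-in for THREAD_SIZE */
#define NSLOTS       8     /* size of the indexed local array */

/*
 * (1) Stack buffer overflow: the buffer is fixed, the length is caller-controlled.
 * Undefined behaviour whenever len > sizeof(buf): memcpy runs off the end of
 * the frame toward the saved frame pointer and return address.
 * Returns the first byte copied, or 0 for an empty record.
 */
long parse_record_unchecked(const uint8_t *src, size_t len)
{
    uint8_t buf[FRAME_BUF];

    memcpy(buf, src, len);            /* BUG: len is never compared with sizeof(buf) */
    return len ? (long)buf[0] : 0;
}

/* Bounded version: the only change is the comparison against the real buffer size. */
long parse_record_checked(const uint8_t *src, size_t len)
{
    uint8_t buf[FRAME_BUF];

    if (len > sizeof(buf))
        return -1;                    /* -EINVAL in kernel terms */
    memcpy(buf, src, len);
    return len ? (long)buf[0] : 0;
}

/*
 * (2) Stack depth overflow: every recursion level carves a caller-sized VLA
 * (alloca-style) out of the stack, so depth * per_level bytes accumulate and
 * nothing stops the total from crossing the end of the stack.
 * Returns the recursion depth reached. per_level must be >= 1 (0-sized VLAs are UB).
 */
long walk_unchecked(unsigned depth, size_t per_level)
{
    uint8_t scratch[per_level];

    memset(scratch, 0, per_level);
    if (depth == 0)
        return scratch[0];
    return walk_unchecked(depth - 1, per_level) + 1;
}

/* Bounded version: thread a remaining-stack budget through the recursion and
 * refuse any level whose frame would not fit. Returns -1 when refused. */
long walk_checked(unsigned depth, size_t per_level, size_t budget)
{
    if (per_level == 0 || per_level > budget)
        return -1;                    /* this frame would overrun the budget */

    uint8_t scratch[per_level];
    long below;

    memset(scratch, 0, per_level);
    if (depth == 0)
        return scratch[0];
    below = walk_checked(depth - 1, per_level, budget - per_level);
    return below < 0 ? below : below + 1;
}

/*
 * (3) Write at an arbitrary stack offset: no linear overrun, just one store
 * through an unchecked index that lands wherever idx points, above or below
 * the array, skipping anything between the array and the target.
 * Returns the sum of the slots after the write.
 */
long set_slot_unchecked(int idx, uint32_t val)
{
    uint32_t slots[NSLOTS] = { 0 };
    long sum = 0;
    unsigned i;

    slots[idx] = val;                 /* BUG: idx can be negative or >= NSLOTS */
    for (i = 0; i < NSLOTS; i++)
        sum += slots[i];
    return sum;
}

/* Bounded version: reject indexes outside the array before the store. */
long set_slot_checked(int idx, uint32_t val)
{
    uint32_t slots[NSLOTS] = { 0 };
    long sum = 0;
    unsigned i;

    if (idx < 0 || idx >= NSLOTS)
        return -1;
    slots[idx] = val;
    for (i = 0; i < NSLOTS; i++)
        sum += slots[i];
    return sum;
}
```

The checked variants are the shapes the kernel expects: compare a caller-supplied length against sizeof() of the real buffer, never let a caller size a stack allocation, and range-check an index before using it. The budget threading in walk_checked is only a model of what an alloca check does at run time.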

Examples

  • half-nelson.c: this exploit uses a write at an attacker-controlled stack offset rather than a traditional linear buffer overflow.

Mitigations

  • stack canaries (e.g. gcc's -fstack-protector and -fstack-protector-strong): a guard value placed between the locals and the saved return address and checked in the function epilogue. It catches a linear overrun, which has to pass through it, but not data-only writes that stay inside the frame or a write at an offset that skips it.
  • guard pages (e.g. GRKERNSEC_KSTACKOVERFLOW; upstream later added CONFIG_VMAP_STACK): an unmapped page below each kernel stack turns a depth overflow into a fault instead of a silent write into the adjacent stack or thread_info.
  • alloca checking (e.g. PAX_MEMORY_STACKLEAK): instruments dynamic stack allocations with a run-time check that enough stack remains. (Upstream later removed variable-length arrays from the kernel altogether and builds with -Wvla.)
  • kernel stack location randomization (e.g. PAX_RANDKSTACK; upstream later added CONFIG_RANDOMIZE_KSTACK_OFFSET): makes the address of the current stack unpredictable, so an attacker with an arbitrary-offset write cannot compute the distance to another stack or to a chosen frame.
  • shadow stacks: keep a second copy of each return address in memory that ordinary stores cannot reach and compare it on return, so a modified saved return address is detected even when the canary was skipped.
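A model of the first and last mitigations side by side, added here as an example (not code from this page, gcc or the kernel): a frame with a canary between the locals and the saved return address, a canary check as the epilogue, and a shadow-stack comparison of the saved return address. The frame layout, the constant CANARY value (real canaries are random) and the fixed return address 0x1000 are assumptions of the model. It shows which of the three attack shapes from the Details section each mechanism sees.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CANARY 0xDEADBEEFCAFEF00DULL  /* assumed constant; real canaries are random per boot/task */

/* Assumed frame layout: locals lowest, canary between locals and saved state. */
struct frame {
    uint8_t  buf[16];     /* local buffer being overflowed */
    uint64_t canary;      /* guard value checked in the epilogue */
    uint64_t saved_ret;   /* saved return address */
};

enum verdict {
    FRAME_CLEAN = 0,          /* neither check fired and control flow is intact */
    CAUGHT_BY_CANARY = 1,     /* canary changed: -fstack-protector would abort here */
    CAUGHT_BY_SHADOW = 2      /* canary intact, but saved_ret differs from the shadow copy */
};

static void frame_init(struct frame *f, uint64_t ret)
{
    memset(f->buf, 0, sizeof(f->buf));
    f->canary = CANARY;
    f->saved_ret = ret;
}

/* Epilogue: the canary check the compiler emits, then the shadow-stack
 * comparison that a hardware or software shadow stack adds. */
static enum verdict epilogue(const struct frame *f, uint64_t shadow_ret)
{
    if (f->canary != CANARY)
        return CAUGHT_BY_CANARY;
    if (f->saved_ret != shadow_ret)
        return CAUGHT_BY_SHADOW;
    return FRAME_CLEAN;
}

/* Attack 1: linear overrun of buf with len bytes of 'A'. Anything past the
 * 16-byte buffer has to walk through the canary before reaching saved_ret. */
enum verdict linear_overflow(size_t len)
{
    struct frame f;
    uint8_t payload[sizeof(struct frame)];   /* constructed attacker payload */

    frame_init(&f, 0x1000);
    memset(payload, 'A', sizeof(payload));
    if (len > sizeof(payload))
        len = sizeof(payload);
    memcpy(&f, payload, len);    /* the frame is treated as raw bytes, like the real stack */
    return epilogue(&f, 0x1000);
}

/* Attack 2: data-only write that stays inside buf (e.g. flipping a flag kept in a local). */
enum verdict data_only_write(void)
{
    struct frame f;

    frame_init(&f, 0x1000);
    f.buf[3] = 0x7f;
    return epilogue(&f, 0x1000);
}

/* Attack 3: one write at an attacker-chosen offset (an unchecked index) landing
 * directly on saved_ret. The canary is never touched. */
enum verdict offset_write(uint64_t new_ret)
{
    struct frame f;

    frame_init(&f, 0x1000);
    memcpy((uint8_t *)&f + offsetof(struct frame, saved_ret), &new_ret, sizeof(new_ret));
    return epilogue(&f, 0x1000);
}
```

In the model the linear overrun is stopped by the canary, the offset write is only stopped by the shadow-stack comparison, and the data-only write is invisible to both, which is why the list above pairs those mechanisms with guard pages, alloca checks and randomization rather than relying on any one of them.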