mm: larger stack guard gap, between vmas
Stack guard page is a useful feature to reduce a risk of stack smashing into a different mapping. We have been using a single page gap which is sufficient to prevent having stack adjacent to a different mapping. But this seems to be insufficient in the light of the stack usage in userspace. E.g. glibc uses as large as 64kB alloca() in many commonly used functions. Others use constructs liks gid_t buffer[NGROUPS_MAX] which is 256kB or stack strings with MAX_ARG_STRLEN. This will become especially dangerous for suid binaries and the default no limit for the stack size limit because those applications can be tricked to consume a large portion of the stack and a single glibc call could jump over the guard page. These attacks are not theoretical, unfortunatelly. Make those attacks less probable by increasing the stack guard gap to 1MB (on systems with 4k pages; but make it depend on the page size because systems with larger base pages might cap stack allocations in th...
Showing
- Documentation/admin-guide/kernel-parameters.txt 7 additions, 0 deletionsDocumentation/admin-guide/kernel-parameters.txt
- arch/arc/mm/mmap.c 1 addition, 1 deletionarch/arc/mm/mmap.c
- arch/arm/mm/mmap.c 2 additions, 2 deletionsarch/arm/mm/mmap.c
- arch/frv/mm/elf-fdpic.c 1 addition, 1 deletionarch/frv/mm/elf-fdpic.c
- arch/mips/mm/mmap.c 1 addition, 1 deletionarch/mips/mm/mmap.c
- arch/parisc/kernel/sys_parisc.c 9 additions, 6 deletionsarch/parisc/kernel/sys_parisc.c
- arch/powerpc/mm/hugetlbpage-radix.c 1 addition, 1 deletionarch/powerpc/mm/hugetlbpage-radix.c
- arch/powerpc/mm/mmap.c 2 additions, 2 deletionsarch/powerpc/mm/mmap.c
- arch/powerpc/mm/slice.c 1 addition, 1 deletionarch/powerpc/mm/slice.c
- arch/s390/mm/mmap.c 2 additions, 2 deletionsarch/s390/mm/mmap.c
- arch/sh/mm/mmap.c 2 additions, 2 deletionsarch/sh/mm/mmap.c
- arch/sparc/kernel/sys_sparc_64.c 2 additions, 2 deletionsarch/sparc/kernel/sys_sparc_64.c
- arch/sparc/mm/hugetlbpage.c 1 addition, 1 deletionarch/sparc/mm/hugetlbpage.c
- arch/tile/mm/hugetlbpage.c 1 addition, 1 deletionarch/tile/mm/hugetlbpage.c
- arch/x86/kernel/sys_x86_64.c 2 additions, 2 deletionsarch/x86/kernel/sys_x86_64.c
- arch/x86/mm/hugetlbpage.c 1 addition, 1 deletionarch/x86/mm/hugetlbpage.c
- arch/xtensa/kernel/syscall.c 1 addition, 1 deletionarch/xtensa/kernel/syscall.c
- fs/hugetlbfs/inode.c 1 addition, 1 deletionfs/hugetlbfs/inode.c
- fs/proc/task_mmu.c 0 additions, 4 deletionsfs/proc/task_mmu.c
- include/linux/mm.h 25 additions, 28 deletionsinclude/linux/mm.h
Please register or sign in to comment