Hello,

on http://lists.suse.com/archive/suse-security/2003-Dec/0051.html I read that the SuSE 9.0 update kernel contains Stack Overflow Protection. I tested this with a short example from an article in the German computer magazine c't ("Das Sicherheitsloch", c't 23/2001, p. 216):

#include <stdio.h>

void function(int a, int b, int c) {
    char buffer1[8];
    char buffer2[16];
    int *ret;

    /* assumes a specific gcc frame layout: points at the saved return address */
    ret = (int *)(buffer1 + 12);
    (*ret) += 8;
}

int main(void) {
    int x;

    x = 0;
    function(1,2,3);
    x = 1;
    printf("%d\n",x);
    return 0;
}

On SuSE 9.0 this produces "1", which is correct, on an old machine it produces "0", which is incorrect.

My questions are now:

1. Does this protection have any disadvantages?
2. Will it be included in future versions of the vanilla kernel?
3. Why is this a "hidden feature"? Why doesn't SuSE let the people know that they've included this stack overflow protection?

Regards,
Bernhard
On Sat, Dec 06, 2003 at 01:09:51AM +0100, Bernhard Walle wrote:
This is completely unrelated to this kernel feature. If current SUSE does this "right" for you, then this is only because you are lucky and gcc does stack allocation in a way that this crappy C code does no harm (in this case). But this is just good luck.

> My questions are now:
> 1. Does this protection have any disadvantages?

It takes some performance.

> 2. Will it be included in future versions of the vanilla kernel?

It _is_ in the vanilla kernel.

> 3. Why is this a "hidden feature"? Why doesn't SuSE let the people know that they've included this stack overflow protection?

It is not hidden. It is in the changelogs. They cannot do announcements for every kernel config option they change.

Robert
-- 
Robert Schiele                  Tel.: +49-621-181-2517
Dipl.-Wirtsch.informatiker      mailto:rschiele@uni-mannheim.de
On Sat, 06 Dec 2003 at 01:37 (+0100), Robert Schiele wrote:
Ok, then I misunderstood something. I thought the Linux kernel stack overflow protection does something similar to OpenBSD, but they modified gcc (ProPolice) and I wondered a bit. But: What does the Kernel Stack Protection do, where can I read something about this?

Regards,
Bernhard
-- 
_________ http://www.bwalle.de _________________________________________________
Man invented the atomic bomb, but no mouse in the world would construct a mousetrap -- Albert Einstein
On Sat, Dec 06, 2003 at 12:33:04PM +0100, Bernhard Walle wrote:
> But: What does the Kernel Stack Protection do, where can I read something about this?

It just does a quick check on every hardware interrupt whether there is less than 1KB of stack space free, and if this is the case, prints a warning message. The code for this is quite simple. For example everything for i386 architecture is:

long esp;

/* Debugging check for stack overflow: is there less than 1KB free? */
__asm__ __volatile__("andl %%esp,%0" : "=r" (esp) : "0" (8191));
if (unlikely(esp < (sizeof(struct task_struct) + sysctl_stackwarn))) {
    static unsigned long next_jiffies;   /* ratelimiting */
    static long least_esp = THREAD_SIZE;

    if (time_after(jiffies, next_jiffies) || (esp < least_esp)) {
        least_esp = esp;
        next_jiffies = jiffies + 5*HZ;
        printk("WARNING: do_IRQ: near stack overflow: %ld\n",
               esp - sizeof(struct task_struct));
        dump_stack();
    }
}

This next_jiffies stuff is just to prevent that the same message is printed hundreds of thousands of times in a row.

Robert
-- 
Robert Schiele                  Tel.: +49-621-181-2517
Dipl.-Wirtsch.informatiker      mailto:rschiele@uni-mannheim.de
On Sat, 6 Dec 2003 12:33:04 +0100, Bernhard Walle <Bernhard.Walle@gmx.de> wrote:
> But: What does the Kernel Stack Protection do, where can I read something about this?

.... google for it or look in the 'kernel' (and 'device driver') books from O'Reilly.
-- 
/// Michael J. Tobler: motorcyclist, surfer, skydiver,       \\\
\\\ and author: "Inside Linux", "C++ HowTo", "C++ Unleashed" ///
Cabbage, n.: A familiar kitchen-garden vegetable about as large and wise as a man's head. "The Devil's Dictionary"
On Sat, Dec 06, 2003 at 01:09:51AM +0100, Bernhard Walle wrote:
These are entirely unrelated things. What your sample code is about is a buffer overflow on the stack. The kernel feature that got enabled is just a kernel feature that prevents the kernel stack from overflowing. (Each process uses a separate stack page when entering kernel space. This stack page is 4K in size, and if you recurse too deeply, you may need more than 4K of stack and consequently scribble over other memory located before the start of that page. The CONFIG_DEBUG_STACKOVERFLOW kernel option enables a run-time check that spits out a warning if that happens).

Olaf
-- 
Olaf Kirch     | Stop wasting entropy - start using predictable
okir@suse.de   | tempfile names today!
---------------+
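A userspace model of the check Robert quotes and Olaf describes, added here as an example (it is not code from the thread or from the kernel): it reproduces the esp-masking arithmetic, the warning condition and the next_jiffies/least_esp rate limiter over a constructed sequence of interrupts. The 8 KB stack follows the 8191 mask in the snippet; the task_struct size, HZ and the stack base address are assumed values.

```c
#include <stdio.h>
#include <stddef.h>
/* Constructed constants modelled on the i386 snippet: an 8 KB kernel stack (the
 * 8191 mask), a task_struct at its bottom, sysctl_stackwarn = 1 KB. The
 * task_struct size and HZ are assumed values, not taken from any kernel. */
#define THREAD_SIZE      8192UL
#define TASK_STRUCT_SIZE 1024UL
#define STACKWARN        1024UL
#define HZ               100UL
/* Same arithmetic as "andl %%esp,%0" with 8191: esp's offset inside the
 * 8 KB-aligned stack, i.e. how far it sits above the bottom of the stack. */
static long stack_offset(unsigned long esp) { return (long)(esp & (THREAD_SIZE - 1)); }
/* The kernel snippet's two statics: next_jiffies and least_esp. */
struct ratelimit { unsigned long next_jiffies; long least_esp; };
/* One do_IRQ check; returns 1 if a warning is printed, 0 otherwise. Warnings go
 * out at most once per 5 s, unless esp has sunk lower than ever seen before. */
static int check_irq_stack(struct ratelimit *rl, unsigned long jiffies, unsigned long esp)
{
    long off = stack_offset(esp);
    if (off >= (long)(TASK_STRUCT_SIZE + STACKWARN))
        return 0;                               /* more than 1 KB free */
    /* time_after(jiffies, next_jiffies) is (long)(next_jiffies - jiffies) < 0 */
    if ((long)(rl->next_jiffies - jiffies) < 0 || off < rl->least_esp) {
        rl->least_esp = off;
        rl->next_jiffies = jiffies + 5 * HZ;
        printf("WARNING: do_IRQ: near stack overflow: %ld\n", off - (long)TASK_STRUCT_SIZE);
        return 1;
    }
    return 0;                                   /* suppressed by the rate limit */
}
/* Run a constructed interrupt sequence (jiffies, esp) through the check and
 * return the number of warnings. The stack base 0xc1234000 is an assumed value. */
static int run_samples(void)
{
    struct ratelimit rl = { 0, THREAD_SIZE };
    const unsigned long base = 0xc1234000UL;
    struct { unsigned long jiffies, esp; } s[] = {
        { 10, base + 6000 },   /* 4976 bytes free: silent           */
        { 20, base + 2000 },   /* 976 free: first warning           */
        { 30, base + 1900 },   /* within 5 s but a new low: warning */
        { 40, base + 1950 },   /* within 5 s, not a new low: silent */
        { 600, base + 1950 },  /* 5 s have passed: warning again    */
    };
    int warnings = 0;
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        warnings += check_irq_stack(&rl, s[i].jiffies, s[i].esp);
    return warnings;
}
```

The third sample shows why least_esp exists: a deeper excursion within the 5 s window is still reported, so the rate limit never hides the worst case.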