Re: [PATCH] mm: larger stack guard gap, between vmas

From: Willy Tarreau
Date: Wed Jul 05 2017 - 16:41:27 EST


On Wed, Jul 05, 2017 at 08:32:43PM +0100, Ben Hutchings wrote:
> >  - As a hardening feature, if the stack would expand within 64k or
> > whatever of a non-MAP_FIXED mapping, refuse to expand it.  (This might
> > have to be a non-hinted mapping, not just a non-MAP_FIXED mapping.)
> > The idea being that, if you deliberately place a mapping under the
> > stack, you know what you're doing.  If you're like LibreOffice and do
> > something daft and are thus exploitable, you're on your own.
> >  - As a hardening measure, don't let mmap without MAP_FIXED position
> > something within 64k or whatever of the bottom of the stack unless a
> > MAP_FIXED mapping is between them.
>
> Having tested patches along these lines, I think the above would avoid
> the reported regressions.

Stuff like this has already been proposed but Linus suspects that more
software than we imagine uses MAP_FIXED and could break. I cannot infirm
nor confirm, and that probably indicates that there's nothing fundamentally
wrong with this approach from the userland's perspective and that it could
indeed imply such software may be more common than we would like it.

Willy