larger stack guard gap, between vmas in kernel-mm and glibc CVE-2017-1000364 CVE-2017-1000365 (aka Stack Clash)

Tracked by Jolla (In progress)

asked 2017-06-29 12:32:21 +0200


updated 2017-10-05 15:49:02 +0200

lpr

An issue was discovered in the size of the stack guard page on Linux: specifically, a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed). This affects Linux Kernel versions 4.11.5 and earlier (the stack guard page was introduced in 2010).

The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23.

Patches upstream |1| |2| have to be backported to 3.4.108 (maybe look at kernel 3.2 backports |1| |2| )...

CVSS v3 Base Score: 9.8 Critical 7.8 High (attack range: local)

|the 2nd part of stack-clash is a glibc vulnerability CVE-2017-1000366 and requires glibc update| <- released in Jämsänjoki 2.1.1 / Kiiminkijoki 2.1.2

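As an added example (not part of the original post and not Jolla or Mer code): a small Python audit that reads `/proc/<pid>/maps` text and measures the distance between a process's `[stack]` mapping and the nearest mapping below it, which is the gap the post describes. The 4 KiB page size and the 256-page (1 MiB) default gap of the upstream fix are assumptions, and the sample maps text is constructed.

```python
import re

PAGE = 4096            # assumption: 4 KiB pages
OLD_GUARD = PAGE       # the single 4k guard page described in the post
NEW_GAP = 256 * PAGE   # assumption: default gap of the upstream fix (256 pages = 1 MiB)

# Fields: start-end perms offset dev inode [name]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")

# Constructed sample input (not taken from a real device).
SAMPLE_WIDE = """\
00010000-00011000 r-xp 00000000 b3:1c 1234       /usr/bin/example
b6f00000-b6f20000 r-xp 00000000 b3:1c 5678       /lib/ld-2.19.so
bea00000-bea21000 rw-p 00000000 00:00 0          [stack]
"""
SAMPLE_TIGHT = """\
00010000-00011000 r-xp 00000000 b3:1c 1234       /usr/bin/example
be9e0000-be9f0000 rw-p 00000000 00:00 0
bea00000-bea21000 rw-p 00000000 00:00 0          [stack]
"""

def parse_maps(text):
    """Return [(start, end, perms, name)] sorted by start address."""
    vmas = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            vmas.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
    return sorted(vmas)

def stack_gap(text):
    """Bytes between [stack] and the nearest mapping below it, or None if unknown."""
    vmas = parse_maps(text)
    for i, (start, _end, _perms, name) in enumerate(vmas):
        if name == "[stack]" and i > 0:
            return start - vmas[i - 1][1]
    return None

def classify(gap):
    if gap is None:
        return "unknown"
    if gap <= OLD_GUARD:
        return "adjacent"        # nothing but (at most) one guard page in between
    return "below-new-gap" if gap < NEW_GAP else "ok"

if __name__ == "__main__":
    for label, text in (("wide", SAMPLE_WIDE), ("tight", SAMPLE_TIGHT)):
        print(label, hex(stack_gap(text)), classify(stack_gap(text)))
```

A small gap is a signal worth investigating on a backported kernel; a large gap does not prove the kernel is patched, because mappings are normally placed far below the stack anyway.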

Comments

The updated kernel/glibc packages for distributions like RHEL have issues (some software packages refuse to start after upgrading the kernel) so a fix for SFOS needs thorough testing and perhaps picking the most compatible fix for the problem. See https://bugzilla.redhat.com/show_bug.cgi?id=1463241 or https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865311 for details on problematic fixes for the vulnerability.

Maus ( 2017-06-29 19:08:10 +0200 )

now, jolla should be able to patch....

lpr ( 2017-10-05 15:08:51 +0200 )

1 Answer


answered 2017-07-04 17:01:38 +0200

Daeto

updated 2017-10-05 14:56:03 +0200

WAS DELETED. PLEASE READ THE COMMENTS UNDER THE POST

I built glibc using the latest source code from https://git.merproject.org/mer-core/glibc. Please test and give me feedback: https://openrepos.net/content/lourens/glibc


Comments

But don't claim CVE-2014-9761 to be patched: it's not! And therefore it doesn't fix MR#1633 but MER#1789

lpr ( 2017-07-05 10:53:50 +0200 )

lpr, and what do you think about: https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt ? Jolla have OpenSSH 7.1p2

Daeto ( 2017-07-05 11:24:26 +0200 )

@Daeto now you should remove your eglibc packets on openrepos as jolla-official ones entered public repo http://repo.merproject.org/obs/mer:/core/latest_armv7hl/armv7hl/

lpr ( 2017-10-05 14:45:42 +0200 )

@lpr was deleted.

Daeto ( 2017-10-05 14:53:39 +0200 )