Stack clash
Stack clash is a vulnerability published in June 2017 by Qualys. As mentioned in their detailed advisory, this is actually an old vulnerability: the first public exploit, by Gael Delalleau, dates back to 2005, and as mentioned in grsecurity's article An Ancient Kernel Hole is (Not) Closed, a patch to mitigate it was already available in 2004.

In August 2010, Linus Torvalds added a 4k guard page between the heap and the stack in the Linux kernel as a possible mitigation. Unfortunately, this wasn't enough to mitigate the issue, since it's possible to jump over the guard page.

On the 18th of May 2017, violating the embargo, OpenBSD added a 1MB guard page. On the 19th of June, at the end of the embargo, Hugh Dickins from Google also added a 1MB guard in Linux, and Joerg Sonnenberger did the same for NetBSD. It's interesting to note that grsecurity wasn't vulnerable.
In Qualys' advisory, -fstack-check was recommended as a better mitigation, but apparently it's also suboptimal. The -fstack-clash-protection option, added in gcc 8 and taking inspiration from Microsoft's Windows (which was never affected), is the best solution. It's currently enabled since Fedora 28, SUSE 15, … and will be enabled by default in Ubuntu 19.10, but not in Debian. OpenBSD's fork of gcc is too old to have this feature backported, and as for clang, it's not there yet.
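Since whether -fstack-clash-protection is on by default depends on the distribution's gcc build, a practitioner wants a quick way to check the toolchain in front of them. The script below is an added example, not part of the original article: it reads the output of `gcc -Q --help=common` (which lists each option followed by `[enabled]` or `[disabled]`) and classifies the compiler's default as enabled, disabled or unsupported (the latter for a gcc older than 8, or a compiler that does not know the option). The sample outputs embedded in the script are constructed for offline testing and trimmed to the relevant lines; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): classify a toolchain's default for
# -fstack-clash-protection from the output of `gcc -Q --help=common`.
# Function names and the sample outputs below are constructed for this demo.

# Read "-Q --help=common" output on stdin and print one word:
#   enabled      - on by default (what the article reports for Fedora 28, SUSE 15, Ubuntu 19.10)
#   disabled     - the compiler knows the option but leaves it off (e.g. Debian)
#   unsupported  - the option is absent (gcc < 8, or a compiler without the feature)
classify_stack_clash() {
    line=$(grep -F -- '-fstack-clash-protection' | head -n 1) || true
    case "$line" in
        "")             echo unsupported ;;
        *"[enabled]"*)  echo enabled ;;
        *"[disabled]"*) echo disabled ;;
        *)              echo unknown ;;
    esac
}

# Query the compiler named in $1 (default: cc). A compiler that is not
# installed, or that rejects -Q, is reported as unsupported.
check_compiler() {
    cc="${1:-cc}"
    if command -v "$cc" >/dev/null 2>&1; then
        "$cc" -Q --help=common 2>/dev/null | classify_stack_clash
    else
        echo unsupported
    fi
}

# Constructed sample outputs (trimmed) so the classifier can be exercised offline.
SAMPLE_ENABLED='  -fstack-check=                        [disabled]
  -fstack-clash-protection              [enabled]
  -fstack-protector                     [enabled]'
SAMPLE_DISABLED='  -fstack-check=                        [disabled]
  -fstack-clash-protection              [disabled]'
SAMPLE_OLD='  -fstack-check=                        [disabled]
  -fstack-protector                     [disabled]'

# Usage: sh stack_clash_check.sh [compiler]   -> classify the installed compiler
#        sh stack_clash_check.sh --self-test  -> run the classifier on the samples
if [ "${1:-}" = "--self-test" ]; then
    printf '%s\n' "$SAMPLE_ENABLED"  | classify_stack_clash   # enabled
    printf '%s\n' "$SAMPLE_DISABLED" | classify_stack_clash   # disabled
    printf '%s\n' "$SAMPLE_OLD"      | classify_stack_clash   # unsupported
elif [ $# -gt 0 ]; then
    check_compiler "$1"
fi
```

Run it with no arguments against the installed `cc`, or with a specific compiler such as `gcc-8`; a result of "disabled" means you should pass -fstack-clash-protection explicitly in CFLAGS, and "unsupported" means the toolchain cannot provide this mitigation at all.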