Markus Vervier · Jun 19, 2017 · 3:38 PM UTC

Markus Vervier @marver

19 Jun 2017

This is big research. Stack overflows (exaustion) _are_ exploitable in user space.

Saul Procterm @pozdnychev

19 Jun 2017

Qualys Security Advisory: Stack Clash. 24 CVE, 7 PoCs, 7 LPE exploits; Linux/{Net,Free,Open}BSD/Solaris; i386/amd64: openwall.com/lists/oss-secur…

joernchen · Jun 19, 2017 · 3:44 PM UTC

joernchen @joernchen

19 Jun 2017

turns out it has been around for over a decade

PaX Team @paxteam

19 Jun 2017

An Ancient Kernel Hole is (Not) Closed: grsecurity.net/an_ancient_ke…. A lesson in real non-embargoed security.

Markus Vervier · Jun 19, 2017 · 5:29 PM UTC

Markus Vervier @marver

19 Jun 2017

Yup, what's funny is that we tested vfprintf to jump over the guard page on a grsecurity kernel. :) (even though the post says not affected)

PaX Team · Jun 19, 2017 · 6:02 PM UTC

PaX Team · Jun 19, 2017 · 6:02 PM UTC

PaX Team @paxteam

19 Jun 2017

what guard page? you mean the heap-stack gap?

Jun 19, 2017 · 6:02 PM UTC

Markus Vervier · Jun 19, 2017 · 6:05 PM UTC

Markus Vervier @marver

19 Jun 2017

What we tested is jumping the guard page between two thread stacks in userland. But you probably meant grsec is not affected in kernelland?

Markus Vervier · Jun 19, 2017 · 6:11 PM UTC

Markus Vervier @marver

19 Jun 2017

Which by itself is boring of course. More interesting is common functions in glibc such as vfprintf or realpath have huge stack buffers..