Comments (2)
thestinger
commented on July 30, 2024
1
As I remember, SCHED_STACK_END_CHECK checks the magic value at the end of the kernel thread stack, and VMAP_STACK adds guard pages near it. So they do a bit different things, but VMAP_STACK is more reliable.
Yes, SCHED_STACK_END_CHECK checks a magic value at certain times such as exiting the kernel back to userspace, at which point the exploit can already have succeeded. The attacker may also have been able to clobber the value so that it's not detected. VMAP_STACK directly detects it with memory protection, which combined with making sure no large stack frames or VLAs exist prevents an overflow past the guard.
from kconfig-hardened-check.
a13xp0p0v
commented on July 30, 2024
Hello @thestinger,
As I remember, SCHED_STACK_END_CHECK checks the magic value at the end of the kernel thread stack, and VMAP_STACK adds guard pages near it. So they do a bit different things, but VMAP_STACK is more reliable.
I agree with your point.
Added the commit c0fc9e8.
from kconfig-hardened-check.
Related Issues (20)
- CONFIG_COMPAT_VDSO has a completely different meaning for arm64 and recommending disabling it doesn't make sense there HOT 3
- CONFIG_ARCH_MMAP_RND_BITS check is wrong for arm64 HOT 3
- drop check for dependency-only CONFIG_GCC_PLUGINS due to Clang HOT 3
- add disabling CONFIG_AIO (legacy POSIX AIO) as a recommendation HOT 1
- add check for CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x0 too HOT 4
- add check for UNWIND_PATCH_PAC_INTO_SCS, which reduces security compared to using both PAC + SCS HOT 4
- Minimal kernel version ? HOT 1
- New CONFIG_MODULE_SIG_SHA3_512 option in kernel 6.7 HOT 1
- Better json output HOT 4
- Add io_uring_disabled sysctl to disable/limit io_uring creation
- Reducing Kernel Symbols on File System by Disabling CONFIG_VMLINUX_MAP and CONFIG_DEBUG_KERNEL HOT 2
- Kernel Debug Metadata Access with CONFIG_DYNAMIC_DEBUG HOT 3
- Add ia32_emulation kernel cmdline parameter to disable 32-bit emulation support on 64-bit x86 CPUs HOT 1
- False positive on CONFIG_REFCOUNT_FULL in recent 5.4.x kernels HOT 1
- new make hardening.config available HOT 2
- Check for module force loading? HOT 1
- new tag? HOT 2
- Get rid of CONFIG_DEBUG_CREDENTIALS HOT 3
- skip CONFIG_DEBUG_NOTIFIERS requirement when CONFIG_CFI_CLANG is set with CONFIG_CFI_PERMISSIVE disabled HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kconfig-hardened-check.