From: Szabolcs Nagy <nsz@port70.net>
To: musl@lists.openwall.com
Subject: Re: stack clash in musl?
Date: Wed, 12 Jul 2017 20:03:09 +0200 [thread overview]
Message-ID: <20170712180308.GE10974@port70.net> (raw)
In-Reply-To: <20170712145202.7yi7425la7a2cw6t@smitten>
* Tycho Andersen <tycho@docker.com> [2017-07-12 08:52:02 -0600]:
> It looks like there were some bugs that affected glibc in the recent
> stack clash wave of issues:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366
>
> I guess musl wouldn't be vulnerable to this since it ignores
> LD_LIBRARY_PATH for setuid binaries. I'm curious if anyone else has
> thought about if there are ways to exploit musl using a stack clash?
to jump across a guard page you need >pagesize sp adjustment
without intermediate memory access, in musl very few functions
use >4k stack, this can be easily verified.
e.g. on aarch64 the only instructions that allow sp to be
adjusted by more than 4k are add, sub, mov (+bitwise operations,
but those are not used on sp other than for alignment)
so after a quick grep of aarch64 libc.so disasm here is the list
of functions you should look out for:
BF_crypt.part.0
__dls2
__dls3
__execvpe
__netlink_enumerate
_longjmp
dcngettext
decfloat
execl
execle
execlp
fmt_fp
getcwd
load_library
match_in_dir
nftw
realpath
tempnam
it is guaranteed that no other function can be used for exploit
and even some of these are false positives or barely go above 4k
(which makes exploitation hard), it is also not possible to use
libc functions to grow the stack closer to the heap: only nftw
and regcomp may use more than 10k stack and they have bounded
stack usage too.
tl;dr stack clash does not affect musl (it might affect
application code outside of musl so a musl libc based system
may be still affected).
next prev parent reply other threads:[~2017-07-12 18:03 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-12 14:52 Tycho Andersen
2017-07-12 18:03 ` Szabolcs Nagy [this message]
2017-07-12 19:24 ` Szabolcs Nagy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170712180308.GE10974@port70.net \
--to=nsz@port70.net \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).