SUSE products and a new security bug class referred to as "Stack Clash".
This document (7020973) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12 Service Pack 1 LTSS (SLES 12 SP1 LTSS)
SUSE Linux Enterprise Server 12 GA LTSS (SLES 12 GA LTSS)
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 LTSS (SLES 11 SP3 LTSS)
SUSE Linux Enterprise Server 10 Service Pack 4 LTSS (SLES 10 SP4 LTSS)
Expanded support 7 (RES7)
Expanded support 6 (RES6)
Expanded support 5 (RES5)
Situation
A new class of vulnerabilities has been identified under the umbrella name "Stack Smashing".
This bug class exploits a weakness in the address space model of operating systems like Linux.
How does it work?
Programs in an operating system use a so-called stack for storing local variables and the return addresses used by functions. The stack grows with the number of variables in use and the depth of the called function tree. The growth direction is also special: on most platforms the stack grows downwards.
As the stack shares the same address space with the program itself, the heap, the libraries and other program memory regions, care needs to be taken that the automatically growing stack does not collide with those other regions.
For this, some years ago a "stack guard gap" page of 4KB was introduced. The guard page is also what drives automatic stack growth: a stack memory access that lands in the guard page causes the stack to be extended.
The security research company Qualys has identified that in some libraries and programs, under specific conditions, the stack pointer can "jump over" this 4KB stack guard page and proceed below it, or even overwrite memory areas positioned there.
This can for example happen with large arrays on the stack (over 4KB) that are accessed only in some places, or with programs using the alloca() function to obtain stack memory that is likewise not accessed fully.
The grown stack could then be made to "smash" into other memory areas containing code, data, function pointers or similar, which in turn could be used to execute code.
Note that these problems are not bugs in the programs, libraries or the kernel themselves, but are caused by the vague interpretation of the stack growth ABI between the compiler and the kernel.
To mitigate this class of attacks we will be doing the following:
- Linux kernel updates are being released immediately.
The kernel updates increase the stack gap size to be much larger (1 MB / 16 MB), which should mitigate most of the cases found during research.
This mitigation is tracked under CVE-2017-1000364.
Note: The initial release of kernel updates caused regressions in some programs, especially some programs using Java. Incremental kernel updates are being released to address this issue.
- glibc packages are being released immediately.
glibc itself contains several cases that can cause these stack jumps, some of them happening even before a binary is loaded, in the dynamic loader.
When used with setuid root binaries these could be used to escalate privileges from user to root using stack smashing.
This security fix is tracked under CVE-2017-1000366.
- gcc (GNU Compiler Collection) updates will be released in the near future.
These updates will feature a flag that makes the compiler touch all stack memory pages when large dynamic stack allocations are done, to avoid large jumps.
Note that, as the stack handling code is built directly into the libraries and binaries, packages need to be recompiled for this to be effective.
- Various applications might be updated in the near future.
We will identify and release updates for various applications that have such stack usage patterns and rebuild them with the new gcc compiler flag.
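As an added illustration (not code from this document or from SUSE), the stack usage pattern described above next to its hardened form: the unprobed version writes only the far end of a large alloca() allocation, the probed version touches every page the way the announced gcc flag makes the compiler do. A 4KB page size and glibc's alloca() are assumed.

```c
#include <alloca.h>
#include <stddef.h>

#define PAGE_SIZE 4096UL   /* assumed 4KB stack pages, as in the advisory */

/* Number of stack pages an allocation of 'bytes' (> 0) spans. */
size_t pages_spanned(size_t bytes) {
    return (bytes + PAGE_SIZE - 1) / PAGE_SIZE;
}

/* An allocation larger than the guard gap that is used only at its far end can
 * move the stack pointer past the gap without ever touching it: the "jump over"
 * the advisory describes. Returns 1 when that is possible for this gap size,
 * which is why enlarging the gap to 1 MB / 16 MB closes most cases. */
int can_jump_gap(size_t bytes, size_t gap_bytes) {
    return bytes > gap_bytes;
}

/* The pattern the advisory warns about: a large dynamic allocation of which
 * only the lowest byte is written. Returns the number of pages touched (1). */
size_t unprobed_alloca_use(size_t bytes) {
    volatile char *buf = alloca(bytes);
    buf[0] = 0;                 /* lowest address: every page above it is skipped */
    return 1;
}

/* The hardened form, as the announced gcc flag would emit it: touch one byte in
 * every page from the top of the allocation (nearest the caller's frame)
 * downward, so the stack grows at most one page per access and a guard page in
 * the way is hit rather than skipped. Returns the number of pages touched. */
size_t probed_alloca_use(size_t bytes) {
    volatile char *buf = alloca(bytes);
    size_t pages = pages_spanned(bytes);
    for (size_t i = 0; i < pages; i++)
        buf[bytes - 1 - i * PAGE_SIZE] = 0;   /* each probe <= PAGE_SIZE below the last */
    return pages;
}
```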
Resolution
SUSE has released the following fixed kernel versions:
SLES 12 SP2:
  4.4.59-92.20.2 initial kernel released Monday, 19th of June 2017
  4.4.59-92.42.2 incremental kernel update released Wednesday, 28th of June 2017
SLES 12 SP1 LTSS:
  3.12.74-60.64.45.1 initial kernel released Monday, 19th of June 2017
  3.12.74-60.64.48.1 incremental kernel update released Tuesday, 27th of June 2017
SLES 12 GA LTSS:
  3.12.61-52.77.1 initial kernel released Monday, 19th of June 2017
  3.12.61-52.80.1 incremental kernel update pending release
SLES 11 SP4:
  3.0.101-104.2 initial kernel released Tuesday, 20th of June 2017
  3.0.101-107.1 incremental kernel update released Monday, 26th of June 2017
SLES 11 SP3 LTSS:
  3.0.101-0.47.102.1 initial kernel released Monday, 19th of June 2017
  3.0.101-0.47.105.1 incremental kernel update released Tuesday, 27th of June 2017
Fixed glibc versions:
SLES 12 SP2: glibc 2.22-61.3 released Monday, 19th of June 2017
SLES 12 SP1 LTSS: glibc 2.19-40.6.1 released Monday, 19th of June 2017
SLES 12 GA LTSS: glibc 2.19-22.21.1 released Monday, 19th of June 2017
SLES 11 SP4: glibc 2.11.3-17.109.1 released Monday, 19th of June 2017
SLES 11 SP3 LTSS: glibc 2.11.3-17.109.1 released Monday, 19th of June 2017
Note 1:
For customers with active LTSS Subscriptions for SLES 10 SP4 it is required to open a Service Request through the SUSE Customer Center and request a PTF.
Note 2:
Older SUSE Linux Enterprise versions already had variable heap-stack-gap support.
As such, on SUSE Linux Enterprise 10, it is possible to use a sysctl variable to adjust the heap stack gap.
Temporarily, during run-time:
echo 256 > /proc/sys/vm/heap-stack-gap
Permanently, by adding the following line to /etc/sysctl.conf:
vm.heap-stack-gap = 256
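An added check (not SUSE's tooling) that compares a host's running kernel, as reported by uname -r, and its glibc package version against the fixed versions listed above. The version table is copied from this document (initial kernel releases), the comparison is a simplified numeric one rather than rpm's own, and the RES products are deliberately absent because this document lists no fixed versions for them.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Fixed versions from this document: initial kernel and glibc per product. */
struct fixed { const char *product; const char *kernel; const char *glibc; };
static const struct fixed FIXED[] = {
    { "SLES 12 SP2",      "4.4.59-92.20.2",     "2.22-61.3"       },
    { "SLES 12 SP1 LTSS", "3.12.74-60.64.45.1", "2.19-40.6.1"     },
    { "SLES 12 GA LTSS",  "3.12.61-52.77.1",    "2.19-22.21.1"    },
    { "SLES 11 SP4",      "3.0.101-104.2",      "2.11.3-17.109.1" },
    { "SLES 11 SP3 LTSS", "3.0.101-0.47.102.1", "2.11.3-17.109.1" },
};

/* Split "3.0.101-0.47.105.1-default" or "glibc-2.22-61.3.x86_64" into numeric
 * components; a package-name prefix, flavour suffix and arch suffix are ignored. */
static int parse_version(const char *s, long *out, int max) {
    int n = 0;
    while (*s && !isdigit((unsigned char)*s)) s++;      /* skip "glibc-", "kernel-default-" */
    while (*s && n < max) {
        if (isdigit((unsigned char)*s)) { char *end; out[n++] = strtol(s, &end, 10); s = end; }
        else if (*s == '.' || *s == '-') s++;
        else break;                                       /* "-default", ".x86_64" */
    }
    return n;
}

/* 1 if 'have' is the same as or newer than 'need', component by component with
 * missing trailing components treated as 0 (a simplification of rpm's rules). */
int version_at_least(const char *have, const char *need) {
    long a[16], b[16];
    int na = parse_version(have, a, 16), nb = parse_version(need, b, 16);
    for (int i = 0; i < na || i < nb; i++) {
        long x = i < na ? a[i] : 0, y = i < nb ? b[i] : 0;
        if (x != y) return x > y;
    }
    return 1;
}

/* 1 = kernel and glibc both at or above the fixed versions for 'product',
 * 0 = at least one is still older, -1 = no fixed versions listed here. */
int host_is_fixed(const char *product, const char *uname_r, const char *glibc) {
    for (size_t i = 0; i < sizeof FIXED / sizeof FIXED[0]; i++) {
        if (strcmp(FIXED[i].product, product) != 0) continue;
        return version_at_least(uname_r, FIXED[i].kernel) &&
               version_at_least(glibc, FIXED[i].glibc);
    }
    return -1;
}
```

Feed it the output of uname -r and of rpm -q glibc; a 0 result means the host still needs the update listed for its product, and the authoritative answer remains the package manager.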
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7020973
- Creation Date: 16-Jun-2017
- Modified Date: 03-Mar-2020
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com