Live Patching superhero doesn’t reboot from Stack Clash | SUSE Communities

Live Patching superhero doesn’t reboot from Stack Clash


If you were staying up late to patch your servers when the Stack Clash vulnerability recently showed up then you are not alone. However, you could join the select club of super savvy admin superheroes who didn’t have to shut down systems to patch Stack Clash.

Stack Clash can be patched without bringing down your SUSE Linux systems using SUSE’s Live Patching.

SUSE Linux users can live patch Stack Clash for FREE.

Every time a new security vulnerability is revealed, the planning to mitigate the impact starts immediately. As a systems administrator you are very familiar with the mitigation drill. Scan all systems for the security vulnerability, see which ones you need to patch, start prioritizing which ones to patch first, etc.

You can reduce the number of planning activities by avoiding the need to shut down your Linux systems. You will save both time and resources. One less thing to do, means a lot at crunch time, especially when the unexpected workload shows up due to a new Linux kernel vulnerability at the IT team’s door.

Now, let’s take a quick look at the Stack Cash vulnerability.

The Stack Clash vulnerability exploits a weakness in the address space model of operating systems such as Linux, OpenBSD etc. Here is the excerpt from the SUSE security advisory released immediately following the news about the vulnerability.

The programs in operating systems use a stack for storing variables and return addresses used in functions. The stack grows depending on the amount of variables used and the depth of the called function tree. The growth direction is also special, on most platforms it grows downwards.

As the stack shares the same address space with the regular program, heap and libraries and other program memory regions, care needs to be taken that the automatically growing stack does not collide with other memory regions.

For this issue, some years ago a “stack guard gap” page of 4KB was introduced, that is also used for the automatically growing stack if a stack memory access goes into the guard page.

The security research company, Qualys, has identified that in some libraries and programs under specific conditions the stack pointer can “jump over” this 4KB stack guard page and proceed below it or even overwrite memory areas positioned there.

This can happen with large arrays on the stack over 4KB which are accessed only in some places, or by programs using the alloca() function to get stack memory, which is also not accessed fully.

This grown stack could then be made to “smash/clash” into other memory areas, containing code, data, function pointers or similar and which in turn could be used to execute code.

Note that these problems are not bugs in the programs, libraries or the kernel themselves, but caused by vague interpretation of the stack grow magic ABI between the compiler and kernel.

Here is the download link for SUSE Linux Enterprise Live Patching. Once you have downloaded SUSE Linux Enterprise Live Patching, you can proceed to patch your SUSE Linux systems, and experience firsthand the joy of not having to reboot the systems and relish being a Live Patching superhero!

Note: SUSE Linux Enterprise Live Patching is supported for SUSE Linux Enterprise Server 12 and above.

To keep you organized, here are a few helpful links:

SUSE Linux Enterprise Live Patching

SUSE Linux Enterprise Live Patching download link

SUSE advisory on Stack Clash

Qualys security advisory

Keep in touch @RajMeel7



Leave a Reply

Your email address will not be published. Required fields are marked *

No comments yet

Avatar photo