SUSE products and a new security bug class referred to as "Stack Clash".

This document (7020973) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
SUSE Linux Enterprise Server 12 Service Pack 1 LTSS (SLES 12 SP1 LTSS)
SUSE Linux Enterprise Server 12 GA LTSS (SLES 12 GA LTSS)

SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 LTSS (SLES 11 SP3 LTSS)

SUSE Linux Enterprise Server 10 Service Pack 4 LTSS (SLES 10 SP4 LTSS)
Expanded support 7 (RES7)
Expanded support 6 (RES6)
Expanded support 5 (RES5)


Situation

A new class of vulnerabilities have been identified under the umbrella name "Stack Smashing".

This bug class exploits a weakness in the address space model of operating systems like Linux.

How does it work...

The programs in operating systems use a so called stack for storing variables and return addresses used in functions. The stack grows depending on the amount of variables used and the depth of the called function tree. The growth  direction is also special, on most platforms it grows downwards.

As the stack shares the same address space with the regular program, heap and libraries and other program memory regions care needs to be taken that the automatic growing stack does not collide with other memory regions.

For this some years ago a "stack guard gap" page of 4KB was introduced, that is also used for automatic growing the stack if a stack memory access goes into the guard page.

The security research company Qualys has identified that in some libraries and programs under specific conditions the stack pointer can "jump over" this 4KB stack guard page and proceed below it or even overwrite memory areas positioned there.

This can for happen with large arrays on the stack over 4KB which are accessed only in some places, or by programs using the alloca() function to get stack memory that is also not accessed fully.

This grown stack could then be made to "smash" into other memory areas, containing code, data, function pointers or similar and which in turn could be used to execute code.

Note that these problems are not bugs in the programs, libraries or the kernel themselves, but caused by vague interpretation of the stack grow magic ABI between the compiler and kernel.

To mitigate this class of attacks we will be doing the following :

- Linux Kernels are being released immediately.

The kernel updates will increase the stack gap size to be much larger   (1 MB / 16 MB), which should mitigate most of the cases found during research.

This mitigation is tracked under CVE-2017-1000364

Note : The initial release of kernel updates caused regression in some programs, especially some programs using Java. Incremental kernel updates are being released to address this issue.

- glibc packages are being released immediately.

glibc itself contains several cases of being able to effect these stack jumps, happening even before a binary is loaded in the dynamic loader.
When used with setuid root binaries these could be used to escalate privilege from user to root using stack smashing.

This security fix is tracked under CVE-2017-1000366

- gcc (GNU Compiler Collection) updates will be released in the near future.

These updates will feature a flag that enables touching all stack memory pages when dynamic large stack allocations are done, to avoid having large jumps.
Note that as the stack code is directly built into the libraries and binaries,  recompiling packages is necessary to make it effective.

- Various applications might be updated in the near future.

We will identify and release updates for various applications that have such stack usage patterns and rebuild them with the new gcc compiler flag.

Resolution

SUSE has released the following fixed kernel versions: 


SLES 12 SP2:       
4.4.59-92.20.2 initial kernel released Monday, 19th of June 2017
4.4.59-92.42.2 incremental kernel update released Wednesday, 28th of June .
SLES 12 SP1 LTSS:
3.12.74-60.64.45.1 initial kernel released Monday, 19th of June 2017
3.12.74-60.64.48.1 incremental kernel update released Tuesday, 27th of June 2017
SLES 12 GA LTSS:    
3.12.61-52.77.1 initial kernel released Monday, 19th of June 2017
3.12.61-52.80.1 incremental kernel update pending release.
SLES 11 SP4:     
3.0.101-104.2 initial kernel released Tuesday, 20th of June 2017
3.0.101-107.1 incremental kernel update released Monday, 26th of June 2017

SLES 11 SP3 LTSS:
3.0.101-0.47.102.1 initial kernel released Monday, 19th of June 2017
3.0.101-0.47.105.1 incremental kernel update released Tuesday, 27th of June.

Fixed glibc versions:

SLES 12 SP2:        
glibc 2.22-61.3 released Monday, 19th of June 2017
SLES 12 SP1 LTSS:
glibc 2.19-40.6.1 released Monday, 19th of June 2017
SLES 12 GA LTSS:
glibc 2.19-22.21.1 released Monday, 19th of June 2017
SLES 11 SP4:
glibc 2.11.3-17.109.1 released Monday, 19th of June 2017
SLES 11 SP3 LTSS:
glibc 2.11.3-17.109.1 released Monday, 19th of June 2017
Note 1:
For customers with active LTSS Subscriptions for SLES 10 SP4 it is required to open a Service Request through the SUSE Customer Center and request a PTF.

Note 2:
Older SUSE Linux Enterprise versions already had variable heap-stack-gap support.
As such, on SUSE Linux Enterprise 10, it is possible to use a sysctl variable to adjust the heap stack gap.

Temporary during run-time :
echo 256 > /proc/sys/vm/heap-stack-gap
Permanently by adding the following line into /etc/sysctl.conf
vm.heap-stack-gap = 256

Cause

Additional Information

The advisory from Qualys Research Labs is available at https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7020973
  • Creation Date: 16-Jun-2017
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center