On 20 June 2017 at 16:22, Ed Maste <emaste at freebsd.org>
wrote:> On 20 June 2017 at 04:13, Vladimir Terziev <vterziev at gvcgroup.com>
wrote:
>> Hi,
>>
>> I assume FreeBSD security team is already aware about the Stack Clash
vulnerability, that is stated to affect FreeBSD amongst other Unix-like OS.
>
> Yes, the security team is aware of this. Improvements in stack
> handling are in progress (currently in review).
I would like to provide some additional background on this issue.
First I'd like to thank Qualys for their detailed and thorough
investigation, which is contributing directly to improving FreeBSD.
The FreeBSD security team is aware of and is monitoring this issue,
but is not directly developing in the changes that are in progress.
The issue under discussion is a limitation in a vulnerability
mitigation technique. Changes to improve the way FreeBSD manages stack
growth, and mitigate the issue demonstrated by Qualys'
proof-of-concept code, are in progress by FreeBSD developers
knowledgeable in the VM subsystem. These changes are expected to be
committed to FreeBSD soon, and from there they will be merged to
stable branches and into updates for supported releases.
-Ed