Hello list,

the stack_guard hardening option in bsdinstall is now setting 512 pages of it in CURRENT, as of r320674. It's said to MFC after 1 day (on Jul 5th), but STABLE hasn't got it yet. Is this simply an omission (understandable as the RELEASE is being prepared so things are a bit hectic I guess), or is there another reason?

Can we assume that in 11.1 the sysctl is integer and can we safely set >1 number of pages, say 512 like the installer in CURRENT suggests?

Thanks!

--
Vlad K.

Konstantin Belousov
2017-Jul-17 10:24 UTC
stack_guard hardening bsdinstall option in STABLE and 11.1
On Mon, Jul 17, 2017 at 11:54:06AM +0200, Vlad K. wrote:
> Hello list,
>
> the stack_guard hardening option in bsdinstall is now setting 512 pages
> of it in CURRENT, as of r320674. It's said to MFC after 1 day (on Jul
> 5th), but STABLE hasn't got it yet. Is this simply an omission
> (understandable as the RELEASE is being prepared so things are a bit
> hectic I guess), or is there another reason?
>
> Can we assume that in 11.1 the sysctl is integer and can we safely
> set >1 number of pages, say 512 like the installer in CURRENT suggests?

Default stack size on 32bit platforms is 2M. I left it to you as an exercise to guess what happens with the setting applied. For 64bit machines, default stack size is 4M, so there the failure mode is somewhat more involved.

Anyway, this option is almost equivalent to executing 'rm /lib/libthr.so.3', perhaps rm is even better.

SECURITY ! HARDENING !

Glen Barber
2017-Jul-17 13:33 UTC
stack_guard hardening bsdinstall option in STABLE and 11.1
On Mon, Jul 17, 2017 at 11:54:06AM +0200, Vlad K. wrote:
> Hello list,
>
> the stack_guard hardening option in bsdinstall is now setting 512 pages of
> it in CURRENT, as of r320674. It's said to MFC after 1 day (on Jul 5th), but
> STABLE hasn't got it yet. Is this simply an omission (understandable as the
> RELEASE is being prepared so things are a bit hectic I guess), or is there
> another reason?
>
> Can we assume that in 11.1 the sysctl is integer and can we safely set
> more than one page... set >1 number of pages, say 512 like the installer
> in CURRENT suggests?
>

No, this is not available in the 11.1 installer.

Glen