oss-sec mailing list archives
Re: Qualys Security Advisory - The Stack Clash
From: Jeff Law <law () redhat com>
Date: Wed, 21 Jun 2017 17:30:22 -0600
On 06/21/2017 03:40 PM, Qualys Security Advisory wrote:
> The first problem was that 1MB is not enough on all architectures; the second problem was that -fstack-check does not always "touch" all pages; and Red Hat's analysis was an extensive report about the fixes needed in the kernel, the glibc, and gcc.
And just one data point here. We (Red Hat) had hoped to be able to drop in a compiler update with an improved -fstack-check and rebuild at least glibc with that compiler. However, the further we dug, the more significant problems we found, particularly as we started looking at other architectures. As late as June 8, we were still internally debating the pros/cons of updating GCC and rebuilding GLIBC with the new compiler, even if only certain platforms were covered. The ultimate decision was to play it safe and defer integration of the GCC work to a later update. The embargo extension may have been painful, but it gave us the time to look deeply at the GCC situation and come to a well reasoned technical conclusion. Had we gone forward in May per the original schedule we well could have made an incorrect technical decision under the significant time pressure. The consequences of getting that decision wrong are potentially greater than the impact of this particular security issue. That would also have put other distros that use GCC at a disadvantage, as the in-progress GCC bits were not "upstream ready" and thus would have been dropped into Red Hat's GCC sources, which would likely have been fairly difficult for other distros that use GCC to consume.
> All of this, plus the third reason mentioned above, and our own assessment of the situation, helped us make our decision to extend the embargo.
Understood and thanks for evaluating the situation as a whole and coming to a well reasoned decision WRT the embargo. -- I don't speak for anyone but myself, but I strongly believe in making reasonable, rational decisions based on the best information available rather than following policy blindly. Don't get me wrong, policy is important as it often encodes years of hard learned lessons and often policy is a good default position.
>> I understand it's rare for companies to do quality security research, and I didn't want my action to have hampered the stream of quality security research we're seeing from Qualys lately.

> Thank you very much. However, we must admit that this coordinated release has been one of the most stressful and painful experiences we ever had: we were torn between those who wanted to publish early and those who wanted to publish later, and in the middle of all this coordination we were trying to complete our research (we had not successfully exploited 64-bit Linux yet when we first contacted distros@).
Understood. I'd like to point out that knowing 64bit exploits had not been completed, but looked reasonably possible was very helpful in our internal discussions about the breadth of the problem. And more generally thanks for all the work in this space! Don't ever hesitate to contact me with any questions/concerns WRT GCC's code generation in this space or others.

jeff