Bug 1039513

Summary: VUL-0: gcc: enable -fstack-clash-protector by default: Qualys new root/setuid privilege escalation method 05-2017
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Richard Biener <rguenther>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: bhavel, emu, heiko.rommel, jsegitz, matz, meissner, mhocko, mpluskal, mrueckert, tchvatal, vcizek, vpelcak
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1037551
Attachments: Simple test program

Comment 2 Marcus Meissner 2017-05-23 12:03:32 UTC
Embargo was changed to:

CRD: 2017-06-19
Comment 9 Marcus Meissner 2017-06-19 15:21:21 UTC
The issue is now public:

https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Comment 11 Michael Matz 2017-06-27 15:00:23 UTC
I've a patch for gcc43.  It doesn't cause regressions in the GCC testsuite for all the platforms of SLE11.  If you want to test such a compiler:
repo:
  https://build.suse.de/package/show/home:matz2:branches:SUSE:SLE-11-SP2:Update/
package
  gcc43.SUSE_SLE-11-SP2_Update
(Should also work for SP3 and SP4 I hope).  The patch is gcc43-stack-probe.diff.
Note that the patch as is enables stack probing with alloca and VLAs unconditionally.

I've tested it with some simple program that clobbers some heap array with
an overly large alloca (it works in the sense that it clobbers when compiled
normally and segfaults when compiled with the above compiler).

The IMHO nice thing about this patch is that it's completely arch independent
and it's very clear that there are no circumstances in which the probing
could be circumvented by some compiler settings or internal interactions.
I've made it independent of the existing stack-check options.
Comment 12 Michael Matz 2017-06-27 15:03:24 UTC
Created attachment 730412 [details]
Simple test program

This program allocates something on the heap, something on the stack,
measures the difference between both, then allocates something nearly as
large as that diff with alloca, making the returned array point into the
heap block.  The printf after alloca will then clobber parts of that heap
array, which is checked for in the main function.  (verified on i586)

With stack checking or probing this program will instead segfault as it should.
Comment 13 Richard Biener 2017-06-28 12:57:07 UTC
(In reply to Michael Matz from comment #11)
> I've a patch for gcc43.  It doesn't cause regressions in the GCC testsuite
> for all the platforms of SLE11.  If you want to test such compiler:
> repo:
>  
> https://build.suse.de/package/show/home:matz2:branches:SUSE:SLE-11-SP2:
> Update/
> package
>   gcc43.SUSE_SLE-11-SP2_Update
> (Should also work for SP3 and SP4 I hope).  The patch is
> gcc43-stack-probe.diff.
> Note that the patch as is enables stack probing with alloca and VLAs
> unconditionally.
> 
> I've tested it with some simple program that clobbers some heap array with
> an overly large alloca (it works in the sense that it clobbers when compiled
> normally and segfaults when compiled with the above compiler).
> 
> The IMHO nice thing about this patch is that it's completely arch independent
> and it's very clear that there are no circumstances in which the probing
> could be circumvented by some compiler settings or internal interactions.
> I've made it independent of the existing stack-check options.

Quite simple indeed.  I'd make it conflict with -fstack-check at least.
Looks like only parisc is !STACK_GROWS_DOWNWARD, I'd simply diagnose
and disable -fstack-check for such archs.  We do want a half-clean patch
after all.  To avoid conflicts with future option names I'd change it
to -fsuse-stack-probe as well.

This is also what we want to have for 4.8?

Do we want to enable the flag unconditionally or rely on packages properly
using RPM_OPT_FLAGS?  We'd shove this down our ISVs' throats as well...
Comment 16 Bernhard Wiedemann 2017-08-03 12:01:17 UTC
This is an autogenerated message for OBS integration:
This bug (1039513) was mentioned in
https://build.opensuse.org/request/show/514203 Factory / gcc7
Comment 18 Bernhard Wiedemann 2017-08-04 12:00:41 UTC
This is an autogenerated message for OBS integration:
This bug (1039513) was mentioned in
https://build.opensuse.org/request/show/514550 Factory / gcc7
Comment 19 Marcus Meissner 2017-08-08 13:36:06 UTC
QA REPRODUCER:

gcc -O2 -S alloca-probe.c -fstack-clash-protection
grep 4096 alloca-probe.S

- the option -fstack-clash-protection is not present before the update, but is afterwards
- grep will report around 12 instances of $4096 usage.


(On a 64k page system like IA64 or potentially Power use 65536 instead of 4096)
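The reproducer above can be wrapped into a small check script that compiles a constructed alloca() test function with and without the flag and counts the page-size references in the assembly. This is an added example written for this page, not the attachment from the bug or anything shipped in the gcc packages; the test source, the function names and the PROBE_PAGE variable are all assumptions of this script. The counting step is separated from the compile step so it can also be run over an assembly file produced elsewhere (for instance with 65536 on a 64k-page target).

```shell
#!/bin/sh
# Added example (not from the bug report or the gcc package): verify that a
# compiler emits stack-clash probes for an alloca() frame by counting
# page-size references in the generated assembly, as in the QA reproducer.

# Page size to look for: 4096 on most targets; set PROBE_PAGE=65536 on
# 64k-page systems (IA64, potentially Power), as the reproducer notes.
PROBE_PAGE="${PROBE_PAGE:-4096}"

# count_probes FILE [PAGESIZE]
# Prints the number of assembly lines that reference the page size.
count_probes() {
    file="$1"
    page="${2:-$PROBE_PAGE}"
    # grep -c exits 1 when nothing matches; report that as 0, not as an error.
    n=$(grep -c -- "$page" "$file" 2>/dev/null) || n=0
    printf '%s\n' "$n"
}

# probe_count_for [GCC-FLAGS...]
# Compiles a constructed alloca() test function with the given flags and
# prints the probe count. Needs gcc on PATH; exits 2 if gcc is missing or
# rejects the flags (an old compiler without -fstack-clash-protection does).
probe_count_for() {
    command -v gcc >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    # Constructed test source (assumption: any caller-controlled alloca works).
    cat > "$tmp/alloca-probe.c" <<'EOF'
#include <alloca.h>
#include <stdio.h>
#include <string.h>
/* A variable-size frame is where -fstack-clash-protection inserts its
   page-by-page probes; a fixed-size frame would not show them. */
int touch(size_t n)
{
    char *buf = alloca(n);
    memset(buf, 'A', n);
    return printf("%.*s\n", (int)(n > 8 ? 8 : n), buf);
}
EOF
    if ! gcc -O2 -S "$@" -o "$tmp/alloca-probe.S" "$tmp/alloca-probe.c" 2>/dev/null; then
        rm -rf "$tmp"
        return 2
    fi
    count_probes "$tmp/alloca-probe.S"
    rm -rf "$tmp"
}

# Usage: sh probe-check.sh --run
# Expected on a fixed compiler: a count of 0 without the flag and about a
# dozen with it (the reproducer above saw around 12); an unfixed compiler
# rejects the flag, so the second line stays empty.
if [ "${1:-}" = "--run" ]; then
    echo "without flag: $(probe_count_for)"
    echo "with flag:    $(probe_count_for -fstack-clash-protection)"
fi
```

Counting raw occurrences of the page size is deliberately coarse: it matches the `subq $4096, %rsp` probe loop the option generates but would also match an unrelated constant, so on a surprising result inspect the .S file rather than trusting the number alone.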
Comment 20 Bernhard Wiedemann 2017-08-08 14:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (1039513) was mentioned in
https://build.opensuse.org/request/show/515187 Factory / gcc7
Comment 21 Swamp Workflow Management 2017-09-06 16:11:37 UTC
SUSE-SU-2017:2380-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1011348,1022062,1028744,1039513,1044016,1050947
CVE References: CVE-2017-11671
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    gcc48-4.8.5-5.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gcc48-4.8.5-5.3.1
Comment 22 Swamp Workflow Management 2017-09-19 22:08:58 UTC
SUSE-SU-2017:2526-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1011348,1022062,1028744,1039513,1044016,1050947,988274
CVE References: CVE-2017-11671
Sources used:
SUSE OpenStack Cloud 6 (src):    gcc48-4.8.5-31.3.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    libgcj48-4.8.5-31.3.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    libgcj48-4.8.5-31.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    gcc48-4.8.5-31.3.1, libffi48-4.8.5-31.3.1, libgcj48-4.8.5-31.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    gcc48-4.8.5-31.3.1, libffi48-4.8.5-31.3.1, libgcj48-4.8.5-31.3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    gcc48-4.8.5-31.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    gcc48-4.8.5-31.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    gcc48-4.8.5-31.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    gcc48-4.8.5-31.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    gcc48-4.8.5-31.3.1
SUSE Linux Enterprise Server 12-LTSS (src):    gcc48-4.8.5-31.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    gcc48-4.8.5-31.3.1, libgcj48-4.8.5-31.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    gcc48-4.8.5-31.3.1, libgcj48-4.8.5-31.3.1
Comment 23 Swamp Workflow Management 2017-10-28 22:08:43 UTC
openSUSE-SU-2017:2901-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1011348,1022062,1028744,1039513,1044016,1050947,988274
CVE References: CVE-2017-11671
Sources used:
openSUSE Leap 42.3 (src):    cross-aarch64-gcc48-icecream-backend-4.8.5-26.4, cross-armv6hl-gcc48-icecream-backend-4.8.5-26.4, cross-armv7hl-gcc48-icecream-backend-4.8.5-26.4, cross-i386-gcc48-icecream-backend-4.8.5-26.4, cross-ia64-gcc48-icecream-backend-4.8.5-26.4, cross-ppc-gcc48-icecream-backend-4.8.5-26.4, cross-ppc64-gcc48-icecream-backend-4.8.5-26.4, cross-ppc64le-gcc48-icecream-backend-4.8.5-26.4, cross-s390-gcc48-icecream-backend-4.8.5-26.4, cross-s390x-gcc48-icecream-backend-4.8.5-26.4, gcc48-4.8.5-26.2, gcc48-testresults-4.8.5-26.4, libffi48-4.8.5-26.1, libgcj48-4.8.5-26.2
openSUSE Leap 42.2 (src):    cross-aarch64-gcc48-icecream-backend-4.8.5-23.3.4, cross-armv6hl-gcc48-icecream-backend-4.8.5-23.3.4, cross-armv7hl-gcc48-icecream-backend-4.8.5-23.3.4, cross-i386-gcc48-icecream-backend-4.8.5-23.3.4, cross-ia64-gcc48-icecream-backend-4.8.5-23.3.4, cross-ppc-gcc48-icecream-backend-4.8.5-23.3.4, cross-ppc64-gcc48-icecream-backend-4.8.5-23.3.4, cross-ppc64le-gcc48-icecream-backend-4.8.5-23.3.4, cross-s390-gcc48-icecream-backend-4.8.5-23.3.4, cross-s390x-gcc48-icecream-backend-4.8.5-23.3.4, gcc48-4.8.5-23.3.2, gcc48-testresults-4.8.5-23.3.4, libffi48-4.8.5-23.3.1, libgcj48-4.8.5-23.3.2
Comment 24 Swamp Workflow Management 2018-01-09 20:11:24 UTC
SUSE-SU-2018:0053-1: An update that solves 29 vulnerabilities and has 57 fixes is now available.

Category: security (moderate)
Bug References: 1003846,1004995,1009966,1022404,1025282,1025891,1026567,1029907,1029908,1029909,1029995,1030623,1035386,1036619,1039099,1039276,1039513,1040800,1040968,1041090,1043059,1043590,1043883,1043966,1044016,1045472,1045522,1045732,1047178,1047233,1048605,1048861,1050152,1050258,1050487,1052503,1052507,1052509,1052511,1052514,1052518,1053137,1053347,1053595,1053671,1055446,1055641,1055825,1056058,1056312,1056381,1057007,1057139,1057144,1057149,1057188,1057634,1057721,1057724,1058480,1058695,1058783,1059050,1059065,1059075,1059292,1059723,1060599,1060621,1061241,1061384,1062561,1063249,1063269,1064571,1064999,1065363,1066242,1066371,1066500,1066611,1067891,1070878,1070958,1071905,1071906
CVE References: CVE-2014-3710,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653,CVE-2017-12448,CVE-2017-12450,CVE-2017-12452,CVE-2017-12453,CVE-2017-12454,CVE-2017-12456,CVE-2017-12799,CVE-2017-12837,CVE-2017-12883,CVE-2017-13757,CVE-2017-14128,CVE-2017-14129,CVE-2017-14130,CVE-2017-14333,CVE-2017-14529,CVE-2017-14729,CVE-2017-14745,CVE-2017-14974,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2017-6512
Sources used:
SUSE CaaS Platform ALL (src):    sles12-caasp-dex-image-2.0.0-3.3.11, sles12-dnsmasq-nanny-image-2.0.1-2.3.15, sles12-haproxy-image-2.0.1-2.3.16, sles12-kubedns-image-2.0.1-2.3.11, sles12-mariadb-image-2.0.1-2.3.15, sles12-openldap-image-2.0.0-2.3.11, sles12-pause-image-2.0.1-2.3.9, sles12-pv-recycler-node-image-2.0.1-2.3.10, sles12-salt-api-image-2.0.1-2.3.10, sles12-salt-master-image-2.0.1-2.3.10, sles12-salt-minion-image-2.0.1-2.3.14, sles12-sidecar-image-2.0.1-2.3.11, sles12-tiller-image-2.0.0-2.3.11, sles12-velum-image-2.0.1-2.3.13
Comment 25 Swamp Workflow Management 2018-01-30 17:13:37 UTC
SUSE-SU-2018:0300-1: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1039513,1044016,1045091,1059075,1074621,938159,977654,999596
CVE References: CVE-2017-1000376
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Server 11-SP4 (src):    gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    gcc43-4.3.4_20091019-37.3.1
Comment 26 Marcus Meissner 2018-03-09 18:31:58 UTC
-fstack-clash-protection is default in optflags for:

opensuse factory
opensuse leap 42.3 updates
opensuse leap 15.0

suse sle15
suse sle12 updates since march 1st.
Comment 29 Swamp Workflow Management 2018-05-01 22:08:25 UTC
SUSE-RU-2018:1117-1: An update that has three recommended fixes can now be installed.

Category: recommended (low)
Bug References: 1039513,1059075,1074621
CVE References: 
Sources used:
SUSE Studio Onsite Runner 1.3 (src):    libffi43-4.3.4_20091019-24.5.1
SUSE Studio Onsite 1.3 (src):    gcc43-4.3.4_20091019-24.5.1, libffi43-4.3.4_20091019-24.5.1
Comment 30 Johannes Segitz 2018-11-14 13:42:41 UTC
fixed