Odi's astoundingly incomplete notes
Stack Clash on Gentoo
The Stack Clash class of bugs can be easily prevented on Gentoo.
1. Add -fstack-check to your CFLAGS. It instructs the compiler to touch every page when extending the stack by more than one page, so the kernel will trap in the guard page. This even makes the larger stack gap in recent kernels unnecessary (if you don't run other binaries).

/etc/portage/make.conf:
CFLAGS="-march=native -O2 -pipe -fstack-check"

2. Some packages don't like this flag, especially sys-libs/glibc itself. For those, define a separate environment:

/etc/portage/env/simple:
CFLAGS="-march=native -O2 -pipe"
CXXFLAGS="${CFLAGS}"

/etc/portage/package.env:
sys-libs/glibc simple

3. Recompile important libraries (like openssl) and programs (setuid root binaries in shadow and util-linux) or simply everything: emerge -ae world

As always, keep your system up to date regularly: emerge -uavD world
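
To check which packages end up exempt from the flag after steps 1 and 2, here is an added audit script (not part of the original post, and not a Portage tool). It assumes the three files hold only plain VAR="value" assignments as shown above and that package.env is a single file; the function names and the demo data are made up for illustration.

```sh
#!/bin/sh
# Added example: report whether -fstack-check is on globally and which
# package.env entries switch it off again. Assumes plain VAR="value" files.

# Print the CFLAGS that result from sourcing the given files in order.
cflags_of() {
    ( unset CFLAGS
      for f in "$@"; do [ -r "$f" ] && . "$f"; done
      printf '%s\n' "${CFLAGS-}" )
}

# Succeed only if the bare flag from step 1 is one of the words in $1.
has_stack_check() {
    case " $1 " in *" -fstack-check "*) return 0 ;; esac
    return 1
}

# audit MAKE_CONF PACKAGE_ENV ENV_DIR
audit() {
    make_conf=$1 package_env=$2 env_dir=$3
    if has_stack_check "$(cflags_of "$make_conf")"; then
        echo "global: on"
    else
        echo "global: off"
    fi
    [ -r "$package_env" ] || return 0
    while read -r atom envs; do
        case $atom in ''|'#'*) continue ;; esac   # skip blanks and comments
        set -- "$make_conf"                       # env files apply on top of make.conf
        for e in $envs; do set -- "$@" "$env_dir/$e"; done
        has_stack_check "$(cflags_of "$@")" || echo "exempt: $atom ($envs)"
    done < "$package_env"
}

# Constructed sample mirroring the three files from the steps above.
demo() {
    d=$(mktemp -d) && mkdir "$d/env" || return 1
    echo 'CFLAGS="-march=native -O2 -pipe -fstack-check"' > "$d/make.conf"
    printf '%s\n' 'CFLAGS="-march=native -O2 -pipe"' 'CXXFLAGS="${CFLAGS}"' > "$d/env/simple"
    printf '%s\n' '# constructed sample' 'sys-libs/glibc simple' > "$d/package.env"
    audit "$d/make.conf" "$d/package.env" "$d/env"
    rm -rf "$d"
}

# Real use: sh audit.sh /etc/portage/make.conf /etc/portage/package.env /etc/portage/env
if [ "$#" -eq 3 ]; then audit "$@"; else demo; fi
```

Every "exempt" line is a package that will still be built without stack probes after the rebuild in step 3, so the list should stay as short as the build failures allow.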