On Tue, 2017-06-20 at 12:20 -0400, Tom Horsley wrote: > On Tue, 20 Jun 2017 08:42:39 -0700 > stan wrote: > > > My > > assumption was that this was adding the strong stack protection to the > > kernel side of things. > > That seems like it might be impossible without architecture changes > in the chips to allow bounds checking the stack pointer in hardware > (which certainly wouldn't fix any existing systems :-). > > > As the > > exploit report said, enabling strong stack protection in the compiler > > for affected libraries would stop this exploit, but would be > > expensive. I assume that means it slows execution. > > So maybe the proper solution is to static link all the setuid > binaries, and not drag everything else on the system down
That would mean having a separate library for setuid programs, which would have to be maintained. Better would be to test for setuid-ness when the library is called, but I admit I'm just guessing here. poc _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org
