On Mon, Nov 11, 2019 at 5:58 PM Theodore Y. Ts'o <tytso@xxxxxxx> wrote:
> On Mon, Nov 11, 2019 at 03:55:35PM +0100, Jann Horn wrote:
> > Not on Linux, but on OpenBSD, they do use MAP_STACK now AFAIK; this
> > was announced here:
> > <http://openbsd-archive.7691.n7.nabble.com/stack-register-checking-td338238.html>.
> > Basically they periodically check whether the userspace stack pointer
> > points into a MAP_STACK region, and if not, they kill the process. So
> > even if it's a no-op on Linux...
>
> Hmm, is that something we should do in Linux? Even if we only check
> on syscall entry, which should be pretty inexpensive, it seems like it
> would be very effective in protecting various ROP techniques.

I'm not a big fan, especially if that would only happen on syscall
entry; at the point where you have enough control to perform syscalls,
it probably isn't too difficult to move your ROP stack over to a
legitimate stack.