#StackClash PoC/Exploits by #Qualys are now public
A few thoughts:
1. I really like the new MAP_GUARD, which is useful for guarding between shared objects.
2. I'm not sure I like that MAP_GUARD mappings can be unmapped.
3. Guard mappings can be mapped over with MAP_FIXED. I don't like that.
4. No attention paid to the per-thread stack guard (libthr). Easy to fix, though.
If an attacker can do items 2 and 3, it's already game over, though.
Today, I finished the Stack Clash mitigations in #HardenedBSD.
Here are the highlights:
1. Default 2MB guard between the bottom-most part of the stack and other memory mappings.
2. Plug the hole that makes the guard ineffective.
3. Disallow applications from requesting or being granted memory mappings within the bottom-most limit of the stack and the top of the stack.