From owner-freebsd-stable@freebsd.org Mon Jul 17 10:25:07 2017 Return-Path: Delivered-To: freebsd-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 02D14D76C3D for ; Mon, 17 Jul 2017 10:25:07 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8E9BD7FF00 for ; Mon, 17 Jul 2017 10:25:06 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from tom.home (kib@localhost [127.0.0.1]) by kib.kiev.ua (8.15.2/8.15.2) with ESMTPS id v6HAOx7n090310 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 17 Jul 2017 13:24:59 +0300 (EEST) (envelope-from kostikbel@gmail.com) DKIM-Filter: OpenDKIM Filter v2.10.3 kib.kiev.ua v6HAOx7n090310 Received: (from kostik@localhost) by tom.home (8.15.2/8.15.2/Submit) id v6HAOxXh090309; Mon, 17 Jul 2017 13:24:59 +0300 (EEST) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com using -f Date: Mon, 17 Jul 2017 13:24:59 +0300 From: Konstantin Belousov To: "Vlad K." Cc: freebsd-stable@freebsd.org Subject: Re: stack_guard hardening bsdinstall option in STABLE and 11.1 Message-ID: <20170717102459.GJ1935@kib.kiev.ua> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.8.3 (2017-05-23) X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00, DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on tom.home X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jul 2017 10:25:07 -0000 On Mon, Jul 17, 2017 at 11:54:06AM +0200, Vlad K. wrote: > Hello list, > > the stack_guard hardening option in bsdinstall is now setting 512 pages > of it in CURRENT, as of r320674. It's said to MFC after 1 day (on Jul > 5th), but STABLE hasn't got it yet. Is this simply an omission > (understandable as the RELEASE is being prepared so things are a bit > hectic I guess), or is there another reason? > > Can we assume that in 11.1 the sysctl is integer and can we safely set > >1 number of pages, say 512 like the installer in CURRENT suggests? Default stack size on 32bit platforms is 2M. I left it to you as an excercise to guess what happens with the setting applied. For 64bit machines, default stack size is 4M, so there the failure mode is somewhat more involved. Anyway, this option is almost equivalent to executing 'rm /lib/libthr.so.3', perhaphs rm is even beter. SECURITY ! HARDENING !