I find stack overflow security bugs fascinating, and on Linux, compilers still don't protect against stack overflows by default when stack frames are bigger than stack guard pages.

So I went looking around in Android, and thanks to how Android's RPC mechanism allows recursive synchronous callbacks in some cases, I managed to find a way to jump a thread guard page in system_server from shell context and (with very low success rate) get instruction pointer control:
https://project-zero.issues.chromium.org/issues/465827985


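The mechanism the first post relies on, a frame larger than the guard page being able to step straight over it, is easy to show on a simulated stack. The following is an added example, not code from the thread or the linked issue: it maps a small "stack" region with a single PROT_NONE guard page underneath it (and an ordinary writable mapping below that, standing in for whatever lies under a real thread stack), then compares an unprobed prologue that moves the stack pointer in one jump with a probed prologue that touches every page on the way down, which is what `-fstack-clash-protection` makes the compiler emit. The struct and function names are mine; the code assumes Linux (`mmap`, `mprotect`, `sigaction`, `siglongjmp`).

```c
// Added example (not from the thread): simulate a thread stack with a guard page
// and show why a large frame must be probed page by page to be caught.
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

static void on_segv(int sig) {
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);
}

/* Layout (addresses grow upward):
 *   [ below: PAGES_EACH pages RW ][ guard: 1 page PROT_NONE ][ stack: PAGES_EACH pages RW ]
 * The "stack" grows downward from top toward the guard page, like a thread stack. */
enum { PAGES_EACH = 4 };

struct sim_stack {
    uint8_t *base;   /* start of the whole mapping */
    size_t page;     /* page size */
    uint8_t *guard;  /* first byte of the guard page */
    uint8_t *top;    /* one past the last byte of the stack region */
};

static int sim_stack_create(struct sim_stack *s) {
    s->page = (size_t)sysconf(_SC_PAGESIZE);
    size_t total = (2 * PAGES_EACH + 1) * s->page;
    uint8_t *m = mmap(NULL, total, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    s->base = m;
    s->guard = m + PAGES_EACH * s->page;
    s->top = s->guard + (PAGES_EACH + 1) * s->page;
    return mprotect(s->guard, s->page, PROT_NONE);  /* make the guard page inaccessible */
}

static void sim_stack_destroy(struct sim_stack *s) {
    munmap(s->base, (2 * PAGES_EACH + 1) * s->page);
}

typedef void (*frame_fn)(struct sim_stack *, size_t);

/* Run fn(s, frame_bytes) with a SIGSEGV handler installed; return 1 if it faulted. */
static int run_catching_segv(frame_fn fn, struct sim_stack *s, size_t frame_bytes) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        fn(s, frame_bytes);
    sigaction(SIGSEGV, &old, NULL);
    return fault_seen;
}

/* Unprobed prologue: the stack pointer drops by frame_bytes in one step and only
 * the bottom of the new frame is written. If the frame spans more than the guard
 * page, that write lands below the guard without ever touching it. */
static void unprobed_frame(struct sim_stack *s, size_t frame_bytes) {
    uint8_t *sp = s->top - frame_bytes;
    *(volatile uint8_t *)sp = 0xAA;
}

/* Probed prologue: touch each page between the old and new stack pointer in
 * order, so the first access past the stack hits the guard page and faults. */
static void probed_frame(struct sim_stack *s, size_t frame_bytes) {
    for (size_t off = s->page; off <= frame_bytes; off += s->page)
        *(volatile uint8_t *)(s->top - off) = 0xAA;
    *(volatile uint8_t *)(s->top - frame_bytes) = 0xAA;
}

/* Returns 1 if a frame of frame_pages pages faults on the guard, 0 if it silently
 * writes elsewhere, -1 if the simulated stack could not be set up. */
int frame_faults(int probed, size_t frame_pages) {
    struct sim_stack s;
    if (sim_stack_create(&s) != 0) return -1;
    int r = run_catching_segv(probed ? probed_frame : unprobed_frame,
                              &s, frame_pages * s.page);
    sim_stack_destroy(&s);
    return r;
}

int main(void) {
    printf("unprobed %d-page frame faults: %d (guard page skipped)\n",
           PAGES_EACH + 2, frame_faults(0, PAGES_EACH + 2));
    printf("probed   %d-page frame faults: %d (guard page hit)\n",
           PAGES_EACH + 2, frame_faults(1, PAGES_EACH + 2));
    return 0;
}
```

A frame exactly one page larger than the stack region lands on the guard page and faults either way; a frame two pages larger skips the guard entirely unless it is probed, which is the difference between a clean crash and a silent write into whatever mapping sits below the stack.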
@jann Lovely research! Underpins why one shouldn't underestimate compiler hardening flags!
@ljrk Yeah, stack overflows in particular feel to me like the programmer isn't really making a particular mistake that can be called a security bug, it just randomly happens in legitimate code... and the only thing that can reliably stop it is the compiler. So it kinda feels wrong to me to call it a hardening flag, it feels more like a... correctness flag?

@jann Very true^^

I guess the "hardening" name should nowadays be considered a historical artifact from the times where doing-weird-things-to-memory was sometimes a feature/optimization hack and thus intended; a flag that would stop this wouldn't enforce correctness but limit the programmer in their superhuman control over the machine :D