The issue was discovered by researchers from security vendor Qualys and has been dubbed “Stack Clash” because it involves “clashing” the stack with another memory region, such as the heap. It was publicly disclosed Monday, in coordination with operating system maintainers who released patches for the vulnerability.
The security implications of overrunning the stack into another memory region have been known for at least 12 years. Security researcher Gaël Delalleau described the problem in a presentation at the CanSecWest security conference in 2005, and five years later former Qubes OS developer Rafal Wojtczuk found a way to exploit it against the X server on Linux (CVE-2010-2240).
In response to these earlier exploits, the Linux kernel developers added a protection mechanism called the stack guard page: a single 4KB page immediately below the lowest mapped page of the stack that the kernel refuses to map (the stack grows down toward the heap, which grows up). Any access to it, including a sequential overwrite that runs off the bottom of the stack one byte or one page at a time, faults on the inaccessible page and triggers a segmentation fault instead of silently continuing into whatever is mapped below.
“The problem with this approach, as Qualys discovered, is that in cases where stack memory allocation can be controlled in certain non-sequential manners, it is possible to jump the stack guard page and manipulate adjacent memory regions,” Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security, said via email.
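The guard page, and the way a large allocation that is never probed page by page can jump over it, can be shown in a small model of the address space. The C program below is an added example written for this article, not code from Qualys or the Linux kernel. It lays out a few read/write pages as a "heap", one PROT_NONE page as the guard, and a few pages as a "stack" above it, then pushes stack frames either by touching only the new stack pointer (what an unprobed alloca() or variable-length array does) or by touching every page on the way down. The page counts, the push_frame and scenario helpers, and the use of mprotect to stand in for the kernel's refusal to map the guard page are assumptions of the model; it needs a POSIX/Linux system.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* sigaction, posix_memalign, mprotect, sysconf */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Modelled address space, lowest address first (sizes are assumptions for
 * the demo, not kernel values):
 *   HEAP_PAGES  read/write pages  -> the "heap"
 *   1           PROT_NONE page    -> the guard page
 *   STACK_PAGES read/write pages  -> the "stack", used from the top down */
#define HEAP_PAGES  4
#define STACK_PAGES 4

struct layout {
    unsigned char *base;        /* lowest address of the model */
    unsigned char *guard;       /* start of the PROT_NONE page */
    unsigned char *stack_top;   /* one past the highest stack byte */
    size_t page;
};

enum outcome { IN_STACK = 0, CAUGHT_BY_GUARD = 1, CLASHED_WITH_HEAP = 2, OUT_OF_MODEL = -1 };

static sigjmp_buf fault_jmp;

static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);   /* unwind back into probe_write */
}

/* Write one byte at p: returns 1 if the access faulted, 0 if it succeeded. */
static int probe_write(volatile unsigned char *p)
{
    struct sigaction sa, old;
    int faulted;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_jmp, 1) == 0) {
        *p = 0x41;              /* faults if p is inside the guard page */
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

int layout_init(struct layout *l)
{
    void *mem;
    l->page = (size_t)sysconf(_SC_PAGESIZE);
    size_t total = (HEAP_PAGES + 1 + STACK_PAGES) * l->page;
    if (posix_memalign(&mem, l->page, total) != 0)
        return -1;
    l->base = mem;
    l->guard = l->base + HEAP_PAGES * l->page;
    l->stack_top = l->base + total;
    /* Turn the middle page into the guard page: any access to it faults. */
    return mprotect(l->guard, l->page, PROT_NONE);
}

void layout_free(struct layout *l)
{
    mprotect(l->guard, l->page, PROT_READ | PROT_WRITE);
    free(l->base);
}

/* Push a frame of `frame` bytes below `used` bytes of stack already in use.
 * probe == 0: only the new stack pointer is written, like an unprobed
 *             alloca()/VLA whose first store lands at its lowest address.
 * probe != 0: every page between the old and new stack pointer is touched
 *             first, top down, so a guard page in between is always hit. */
int push_frame(const struct layout *l, size_t used, size_t frame, int probe)
{
    uintptr_t old_sp = (uintptr_t)l->stack_top - used;
    if (used > STACK_PAGES * l->page || frame > old_sp - (uintptr_t)l->base)
        return OUT_OF_MODEL;
    uintptr_t new_sp = old_sp - frame;

    if (probe)
        for (size_t off = l->page; off <= frame; off += l->page)
            if (probe_write((unsigned char *)(old_sp - off)))
                return CAUGHT_BY_GUARD;
    if (probe_write((unsigned char *)new_sp))
        return CAUGHT_BY_GUARD;
    return new_sp < (uintptr_t)l->guard ? CLASHED_WITH_HEAP : IN_STACK;
}

/* One self-contained run: sizes given in pages. */
int scenario(size_t used_pages, size_t frame_pages, int probe)
{
    struct layout l;
    if (layout_init(&l) != 0)
        return OUT_OF_MODEL;
    int r = push_frame(&l, used_pages * l.page, frame_pages * l.page, probe);
    layout_free(&l);
    return r;
}

int main(void)
{
    printf("small frame, no probing        -> %d\n", scenario(0, 2, 0));
    printf("frame ending on the guard page -> %d\n", scenario(3, 2, 0));
    printf("big frame jumping the guard    -> %d\n", scenario(3, 3, 0));
    printf("same big frame, with probing   -> %d\n", scenario(3, 3, 1));
    return 0;
}
```

Outcome 2 is the Stack Clash condition: the frame's first store lands in heap memory and nothing faults, because the guard page only catches accesses that actually touch it. The probing variant is what compiler-inserted stack probes (GCC's -fstack-clash-protection) add to large frames; the kernel side of the fix shipped with the disclosure widened the gap below the stack from one page to 1MB, but a large enough unprobed frame can still skip any fixed gap, which is why both measures matter.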