On Tue, 20 Jun 2017 08:42:39 -0700
stan wrote:
My
assumption was that this was adding the strong stack protection to the
kernel side of things.
That seems like it might be impossible without architecture changes
in the chips to allow bounds checking the stack pointer in hardware
(which certainly wouldn't fix any existing systems :-).
As the
exploit report said, enabling strong stack protection in the compiler
for affected libraries would stop this exploit, but would be
expensive. I assume that means it slows execution.
So maybe the proper solution is to static link all the setuid
binaries, and not drag everything else on the system down?