LLVM "Stack Clash" Compiler Protection Is Under Review

Written by Michael Larabel in Linux Security on 14 October 2019 at 07:29 AM EDT. Add A Comment
Two years after the "Stack Clash" vulnerability came to light, the LLVM compiler is working on adding protection against it similar to the GCC compiler mitigation.

The Stack Clash vulnerability pertains to clashing/smashing another program's stack while circumventing existing stack protections at the time. Stack Clash opens up the door to memory corruption and arbitrary code execution. Linux x86/x86_64 wasn't the only one affected but also the BSDs and Solaris. Those unfamiliar with it or wanting to refresh your memory of it can do so via this Qualys blog post with the firm having discovered this vulnerability.

The GCC compiler promptly added -fstack-clash-protection as an option to protect the stack against stack clash attacks by having automatic probing of each page of allocated stacks. Besides the compiler-based protection, Stack Clash is also mitigated by a Glibc fix and also increasing the kernel's stack guard gap size to make the attack more difficult.

Given the increasing use of LLVM/Clang for compiling system software on multiple platforms, the LLVM Clang compiler is now finally on the heels of offering the same protection.

LLVM's stack clash protection is currently seeking code reviews and would be exposed through the same -fstack-clash-protection switch. Those interested in the addition can find more details under the current patch review. If all goes well hopefully this will make it into the LLVM 10 release due out early next year.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week