[Beowulf] Heads up - Stack-Clash local root vulnerability

Kilian Cavalotti kilian.cavalotti.work at gmail.com
Wed Jun 21 08:55:36 PDT 2017


Hi Chris,

Thanks for starting the discussion here.

We're pretty much in the same boat (no changes made yet), as:
1. we're still running some RHEL 6.x based clusters, with x < 9,
meaning no patches for neither the kernel nor glibc,
2. those kernel+glibc patches seem to just be "mitigations" and don't
solve the underlying problem anyway
(cf.https://access.redhat.com/security/vulnerabilities/stackguard#magicdomid15)

As far as I understand this, the real fix will be to recompile all of
your binaries using a properly working implementation of -fstack-check
in gcc (which doesn't exist yet). So in terms of timeline, that means
GCC needs to be fixed, system applications need to be recompiled,
distribution need to repackage and distribute them, and then all the
userland applications need to be recompiled. It's a multi-year
process.

So we're not really sure how to approach this, as recompiling
everything seems really like the utopian dream of somebody who never
managed any shared system. Plus, as you mentioned, even the
mitigations are not innocuous, and may change applications' behavior.

That sounds like a big bowl of mess right now.

Oh, and containers...

Cheers,
-- 
Kilian


More information about the Beowulf mailing list