The Stack Clash article shows that a single page for the stack guard
isn't sufficient. Bump the size of the stack guard up to 2MB by default.
Provide a way for the stack guard size to be configurable with either a
custom kernel configuration or via a sysctl node. The sysctl node
(security.bsd.stack_guard_size) is only exposed if PAX_HARDENING is
disabled. Otherwise, the user must recompile with a custom kernel
(kernel option: STACK_GUARD_SIZE) to modify the size. The size MUST be
divisible by PAGE_SIZE (default: 4096 bytes) and cannot be zero.

ASLR does help address the Stack Clash, especially since HardenedBSD
follows the PaX design with true stack randomization (randomizing the
top of the stack while also inserting a random-sized gap). However, ASLR
does not mitigate the Stack Clash attack. It simply makes the attacker's
job much more difficult. Without ASLR, the attacker will know in advance
where the stack starts and can easily determine the current stack
layout. Utilizing that information, the attacker can figure out how to
manipulate the address space to clash with the stack.

Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
Sponsored-by: SoldierX