[xml/sgml-pkgs] Bug#858405: Stable update request: kernel changes to fix PIE with large stack

Ben Hutchings ben at decadent.org.uk
Thu Mar 23 21:27:27 UTC 2017

On Thu, 2017-03-23 at 17:06 +0000, James Cowgill wrote:
> The reason the program and the heap are at these very high addresses is
> that xsltproc is built with PIE and the kernel is treating the
> executable like a mmap and grouping it with all the other libraries. In
> d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR") the behavior
> changed and now the program and it's heap will be mapped at a lower
> address so the bug does not affect newer kernels. Using "setarch -L" or
> "setarch -R" is another workaround for this bug because that moves the
> program so that there is a much larger gap between the heap and the stack.
> This might affect other applications as well. Effectively it means that
> PIE executables which use lots of stack space might not work properly
> with jessie's kernel. The chances the bug will be hit seems to vary
> between arches however (depending on what each arch does in
> arch_pick_mmap_layout and arch_randomize_brk) - mips64el seems to be hit
> pretty frequently. In xsltproc's case, PIE was enabled some time ago
> which is why this bug is quite old.
> I believe any of the following will fix this (but have not all been tested):
> - Reduce the stack usage in xsltproc (the upstream bug)
> - Upgrade the relevant buildds to Linux >= 4.1
> - Apply d1fd836dcf00 to jessie's kernel

That's part of a series of 10 commits covering multiple architectures. 
I already picked one of them as a dependency for fixing CVE-2016-3672,
which leaves 9 to do.  I think it is worth doing this in stable to
support chroots and partial upgrades, but I would like to hear the
release team ack/nak this in principle before I start preparing the
change for Debian stable.

Kees Cook quotes the list of commits here:
(I can't find the original message).


> - Disable PIE in xsltproc.
> - Run xsltproc inside setarch -L / setarch -R

Ben Hutchings
The first rule of tautology club is the first rule of tautology club.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/debian-xml-sgml-pkgs/attachments/20170323/a3ce9955/attachment-0001.sig>

More information about the debian-xml-sgml-pkgs mailing list