Bug 12376

Summary: CONFIG_SCHED_STACK_END_CHECK is disabled on x86_64, armv5tel and aarch64
Product: IPFire
Component: ---
Status: CLOSED FIXED
Severity: Security
Priority: Will affect most users
Version: 2
Hardware: unspecified
OS: All
Reporter: Peter Müller <peter.mueller>
Assignee: Peter Müller <peter.mueller>
QA Contact: Arne.F <arne.fitzenreiter>
Bug Depends on:
Bug Blocks: 12361

Description Peter Müller 2020-04-14 15:44:40 UTC
Quote from https://capsule8.com/blog/kernel-configuration-glossary/:

> Significance: High
> 
> This option checks for a stack overrun on calls to schedule(). If the stack
> end location is found to be over written always panic as the content of the
> corrupted region can no longer be trusted. This is to ensure no erroneous
> behaviour occurs which could result in data corruption or a sporadic crash at a
> later stage once the region is examined. The runtime overhead introduced is
> minimal.

In my opinion this can be safely enabled on all architectures.
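
The following userspace model of the check described in the quoted text is an added example, not part of the original report and not kernel code. `STACK_END_MAGIC` is the kernel's value; the `struct task` layout, the 64-word stack and the function names are assumptions made for illustration.

```c
/* Userspace model of the stack-end check; illustrative, not kernel code. */
#include <stdio.h>
#include <string.h>

#define STACK_END_MAGIC 0x57AC6E9DUL   /* value from include/uapi/linux/magic.h */
#define STACK_WORDS     64             /* constructed, tiny "kernel stack" */

struct task {                          /* hypothetical stand-in for task_struct */
    unsigned long stack[STACK_WORDS];  /* stack grows down: stack[0] is the end */
};

/* Done once at task creation: plant the magic in the last usable word. */
static void set_stack_end_magic(struct task *t)
{
    memset(t->stack, 0, sizeof(t->stack));
    t->stack[0] = STACK_END_MAGIC;
}

/* Model a call chain that consumes `words` words from the top downwards. */
static void use_stack(struct task *t, int words)
{
    for (int i = 0; i < words && i < STACK_WORDS; i++)
        t->stack[STACK_WORDS - 1 - i] = 0xA5A5A5A5UL;
}

/* The comparison made on entry to schedule(): 1 means the end was overwritten. */
static int stack_end_corrupted(const struct task *t)
{
    return t->stack[0] != STACK_END_MAGIC;
}

/* Returns 0 if scheduling may continue, -1 where the kernel would panic. */
static int model_schedule(const struct task *t)
{
    if (stack_end_corrupted(t))
        return -1;                     /* kernel: panic(), state is untrusted */
    return 0;
}

int main(void)
{
    struct task t;
    set_stack_end_magic(&t);
    use_stack(&t, STACK_WORDS - 1);    /* deep, but still within bounds */
    printf("in bounds: %d\n", model_schedule(&t));
    use_stack(&t, STACK_WORDS);        /* one word too far: clobbers the magic */
    printf("overrun:   %d\n", model_schedule(&t));
    return 0;
}
```

The check only notices an overrun that changes the word holding the magic value, and only at the next call to schedule().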

Comment 1 Peter Müller 2020-04-18 08:42:53 UTC
https://patchwork.ipfire.org/patch/2982/