Article 5WEJ9 Biesheuvel: Mitigating kernel risks on 32-bit ARM

by corbet from LWN.net on (#5WEJ9)
Ard Biesheuvel writes about 32-bit Arm systems on the Google Security Blog, with a focus on why these processors are still in use and what is being done to increase their security at the kernel level.

Preventing stack overflows from corrupting unrelated memory contents is the goal of VMAP_STACK, which we are enabling for 32-bit ARM as well. When VMAP_STACK is enabled, kernel mode stacks are allocated from the kernel heap as before, but mapped into a different part of the kernel's address space, and surrounded by guard regions, which are guaranteed to be kept unpopulated. Given that accesses to such unpopulated regions will trigger an exception, the kernel's memory management layer can step in and terminate the program as soon as a stack overflow occurs, and prevent it from causing memory corruption.
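
A user-space analogue of the guard-region mechanism described above, as an added example that is not code from the blog post or from the kernel: a buffer stands in for the kernel stack, `mmap`/`mprotect` create the unpopulated guards, and a SIGSEGV handler plays the part of the memory-management layer. The names `demo_guarded_stack` and `on_segv` are hypothetical, and Linux is assumed.

```c
#define _GNU_SOURCE /* MAP_ANONYMOUS */
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf recover;
static volatile uintptr_t fault_addr;

/* Stand-in for the kernel's fault path: note the address, abort the writer. */
static void on_segv(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    fault_addr = (uintptr_t)si->si_addr;
    siglongjmp(recover, 1);
}

/* Overruns a guarded "stack" of usable_pages pages. Returns bytes written before
 * the trap (-1 on setup failure); *hit_guard is 1 if the fault hit the lower guard. */
long demo_guarded_stack(size_t usable_pages, int *hit_guard) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t usable = usable_pages * page, total = usable + 2 * page;
    /* Reserve guard + stack + guard with no access, then open only the middle. */
    unsigned char *base = mmap(NULL, total, PROT_NONE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    unsigned char *lo = base + page;
    if (mprotect(lo, usable, PROT_READ | PROT_WRITE)) { munmap(base, total); return -1; }
    struct sigaction sa = {0}, old;
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    volatile long written = 0;
    *hit_guard = 0;
    if (sigsetjmp(recover, 1) == 0) {
        volatile unsigned char *sp = lo + usable; /* stacks grow downward */
        for (;;) { *--sp = 0xAA; written++; }     /* runaway "stack" usage */
    } else {
        *hit_guard = fault_addr >= (uintptr_t)base && fault_addr < (uintptr_t)lo;
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(base, total);
    return written;
}

int main(void) {
    int guard = 0;
    return (demo_guarded_stack(4, &guard) > 0 && guard) ? 0 : 1;
}
```

The first write below the usable region faults immediately, so the byte count equals the usable size exactly and nothing adjacent to the mapping is ever touched.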