This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: RFC: stack/heap collision vulnerability and mitigation with GCC

From: Szabolcs Nagy <szabolcs dot nagy at arm dot com>
To: Jeff Law <law at redhat dot com>, "Richard Earnshaw (lists)" <Richard dot Earnshaw at arm dot com>, gcc-patches <gcc-patches at gcc dot gnu dot org>
Cc: nd at arm dot com
Date: Thu, 22 Jun 2017 17:07:18 +0100
Subject: Re: RFC: stack/heap collision vulnerability and mitigation with GCC
Authentication-results: sourceware.org; auth=none
Authentication-results: arm.com; dkim=none (message not signed) header.d=none;arm.com; dmarc=none action=none header.from=arm.com;
Nodisclaimer: True
References: <bef46e40-8004-0f80-4928-ad0795eb76ba@redhat.com> <9dbdb66f-a9ec-c04a-8d83-e1597213e2da@arm.com> <6a46678a-01b7-50e8-c5e1-65ca25a5f662@redhat.com> <a20df538-c347-e2ab-038d-26064e2789ee@arm.com> <0afa3ebe-3a80-9324-c107-e1e39e747730@redhat.com> <ad0fb64c-6b0d-b3da-d01d-34d4d62385ee@arm.com> <c05f961a-2023-bcf6-afa9-18870dd4f0e0@redhat.com>
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99

On 22/06/17 16:30, Jeff Law wrote:
> It just happens to be the case that x86 hits *sp when it stores the
> return pointer and that ppc always stores the backchain into *sp when it
> allocates additional stack space.  As a result on those targets we know
> the offset between the stack pointer and the most recent probe is zero
> at the start of the callee's prologue.  That allows us to avoid the vast
> majority of explicit probes.
> 
> aarch64's ABI and ISA don't provide us with any such guarantees and we
> have to make very conservative assumptions which leads to much more
> explicit probing.

i think the aarch64 abi does not disallow access by the caller
to *sp so i don't see the problem.

the caller can give various guarantees about how far back the
last stack access was relative to the sp at entry to a function,
but this does not have to be abi! the abi is not a hard guarantee
anyway, asm code can always do tricks that is not abi clean but
happens to work in practice, so in that sense relying on *sp
'was written' is incorrect assumption even on ppc/x86, in fact it
would not work with the llvm 'safe stack' runtime as a probe,
the stack clash would happen on the un-safe stack in that case
not where the return address is stored.

Follow-Ups:
- Re: RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Jeff Law

References:
- RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Jeff Law
- Re: RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Richard Earnshaw (lists)
- Re: RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Jeff Law
- Re: RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Richard Earnshaw (lists)
- Re: RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Jeff Law
- Re: RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Richard Earnshaw (lists)
- Re: RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Jeff Law

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]