This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: RFC: stack/heap collision vulnerability and mitigation with GCC

From: Wilco Dijkstra <Wilco dot Dijkstra at arm dot com>
To: Jeff Law <law at redhat dot com>, Richard Earnshaw <Richard dot Earnshaw at arm dot com>, GCC Patches <gcc-patches at gcc dot gnu dot org>
Cc: nd <nd at arm dot com>
Date: Thu, 22 Jun 2017 22:57:20 +0000
Subject: Re: RFC: stack/heap collision vulnerability and mitigation with GCC
Authentication-results: sourceware.org; auth=none
Authentication-results: arm.com; dkim=none (message not signed) header.d=none;arm.com; dmarc=none action=none header.from=arm.com;
Nodisclaimer: True
References: <AM5PR0802MB2610C07342688AA9A63FB3BA83C50@AM5PR0802MB2610.eurprd08.prod.outlook.com> <03f6ffbb-045f-e591-0416-74fc19f585df@redhat.com> <AM5PR0802MB26103E3BB141E670F3AED80183DA0@AM5PR0802MB2610.eurprd08.prod.outlook.com>,<65e55d54-caf5-ca5f-7835-7541091e7528@redhat.com>
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99

Jeff Law wrote:
> You can be in one of 3 states when you start the callee's prologue.
>
> 1. You're somewhere in the normal stack.
>
> 2. You've past the guard and are already in the heap or elsewhere
>
> 3. You're somewhere in the guard
>
> State #3 is what we're trying to address.  The attacker has advanced the
> stack pointer into the guard, but has not fully breached the guard.  We
> need to ensure that we hit the guard to prevent the breach.

State 3 is only interesting if all code has been built with probing enabled. In that
case we'd define how far the caller may have gone into the guard band and the
callee will probe exactly when needed, so it's guaranteed to prevent a breach.

If the caller hasn't enabled probing and does alloca, you're simply dead already.
All an attacker needs to do is to increase the alloca size to complete the breach.

If a full breach isn't feasible in a caller (ie. no alloca) then it can only go a tiny
amount into the guard band since the outgoing argument size is tiny. If the callee
has probing enabled and uses a reasonable maximum outgoing argument size
(say more than the maximum across a whole distro), the chances you could breach
the stack guard are infinitesimal.

So I still don't understand what exactly is so much worse on AArch64.

Wilco

References:
- Re: RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Wilco Dijkstra
- Re: RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Jeff Law
- Re: RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Wilco Dijkstra
- Re: RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Jeff Law

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]