This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: Stack protector: leak of guard's address on stack


> On Apr 29, 2018, at 2:11 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
> 
> * Maxim Kuvyrkov:
> 
>>> On Apr 28, 2018, at 9:22 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
>>> 
>>> * Thomas Preudhomme:
>>> 
>>>> Yes absolutely, CSE needs to be avoided. I made memory access volatile
>>>> because the change was easier to do. Also on Arm Thumb-1 computing the
>>>> guard's address itself takes several loads so had to modify some more
>>>> patterns. Anyway, regardless of the proper fix, do you have any objection
>>>> to raising a CVE for that issue?
>>> 
>>> Please file a bug in Bugzilla first and use that in the submission to
>>> MITRE.
>> 
>> Thomas filed https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85434 a couple
>> of weeks ago.
> 
> Is there a generic way to find other affected targets?
> 
> If we only plan to fix 32-bit Arm, we should make the CVE identifier
> specific to that, to avoid confusion.

The problem is fairly target-dependent, so architecture maintainers need to look at how stack-guard canaries and their addresses are handled and whether they can be spilled onto the stack.

It appears we need to poll architecture maintainers before filing the CVE.

--
Maxim Kuvyrkov
www.linaro.org
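As an added illustration of the check Maxim describes (not code from this thread or from GCC): a small heuristic scanner over a compiler's assembly listing that flags any register holding the guard's address being stored to an sp-relative stack slot, which is the spill that makes the epilogue compare reload its guard pointer from writable stack memory. The listings are constructed, simplified Thumb-1 style output rather than real GCC codegen, and the scanner assumes a single straight-line block and the common mnemonics only.

```python
import re

GUARD = "__stack_chk_guard"

# Constructed, simplified Thumb-1 style listing (not real GCC output).
# r3 receives the *address* of the guard from the literal pool, the canary
# value goes to [sp, #12], and then the address itself is spilled to [sp, #8]
# and read back from there for the epilogue check.
VULNERABLE = """
foo:
    push {r4, lr}
    sub sp, sp, #16
    ldr r3, .L3
    ldr r2, [r3]
    str r2, [sp, #12]
    str r3, [sp, #8]
    bl use_buffer
    ldr r3, [sp, #8]
    ldr r3, [r3]
    ldr r2, [sp, #12]
    cmp r2, r3
    beq .L2
    bl __stack_chk_fail
.L2:
    add sp, sp, #16
    pop {r4, pc}
.L3:
    .word __stack_chk_guard
"""
# Hardened variant: the epilogue recomputes the guard address from the
# literal pool instead of reading it back from a stack slot.
FIXED = VULNERABLE.replace("    str r3, [sp, #8]\n", "").replace(
    "    ldr r3, [sp, #8]\n", "    ldr r3, .L3\n")

LIT_LOAD = re.compile(r"^\s*ldr\s+(r\d+),\s*(\.L\w+)\s*$")
SP_STORE = re.compile(r"^\s*str\s+(r\d+),\s*\[sp[^\]]*\]\s*$")
DEST_REG = re.compile(r"^\s*(?:ldr|mov|movs|add|adds|sub|subs)\s+(r\d+),")

def guard_labels(listing):
    """Literal-pool labels whose .word entry is the guard's address."""
    return set(re.findall(r"^(\.L\w+):\s*\n\s*\.word\s+" + GUARD + r"\b",
                          listing, re.M))

def guard_address_spills(listing):
    """Return the 'str' lines that write a register currently holding
    &__stack_chk_guard into an sp-relative slot (forward scan)."""
    labels = guard_labels(listing)
    holds_addr = set()          # registers holding the guard's address
    spills = []
    for line in listing.splitlines():
        m = SP_STORE.match(line)
        if m and m.group(1) in holds_addr:
            spills.append(line.strip())
            continue
        m = LIT_LOAD.match(line)
        if m and m.group(2) in labels:
            holds_addr.add(m.group(1))
            continue
        m = DEST_REG.match(line)
        if m:                    # any other write replaces the address
            holds_addr.discard(m.group(1))
    return spills
```

On a real target, feed it the output of `gcc -S -fstack-protector-strong` for the function under review; a non-empty result is the pattern worth raising with the backend maintainers.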

