This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: Stack protector: leak of guard's address on stack
- From: Maxim Kuvyrkov <maxim dot kuvyrkov at linaro dot org>
- To: Florian Weimer <fw at deneb dot enyo dot de>
- Cc: Thomas Preudhomme <thomas dot preudhomme at linaro dot org>, Jakub Jelinek <jakub at redhat dot com>, gcc at gcc dot gnu dot org
- Date: Tue, 1 May 2018 16:04:34 +0300
- Subject: Re: Stack protector: leak of guard's address on stack
- References: <CAKnkMGsEPiRoKBHEJVrnHbGLNx-7gZk0Kt7uqJRMZgQD1Uh=Wg@mail.gmail.com> <20180427121601.GT8577@tucnak> <CAKnkMGsgfApCWmLfsGfFrHejR4xLotx4B1wUX8XAAo=ceh+EoQ@mail.gmail.com> <20180427122204.GU8577@tucnak> <CAKnkMGtZyZojdWkFH91TS9Hy2knttesSfcFNRdakOSjb3r03AQ@mail.gmail.com> <20180427133845.GV8577@tucnak> <CAKnkMGsJ1CkpZCJjcvVgS=RNgr_fui8jrUagxc5KA8srxMWetg@mail.gmail.com> <87y3h76vig.fsf@mid.deneb.enyo.de> <94B2316C-48EA-41AC-AED6-C7ACBBD628FE@linaro.org> <87muxm2rny.fsf@mid.deneb.enyo.de>
> On Apr 29, 2018, at 2:11 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
>
> * Maxim Kuvyrkov:
>
>>> On Apr 28, 2018, at 9:22 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
>>>
>>> * Thomas Preudhomme:
>>>
>>>> Yes absolutely, CSE needs to be avoided. I made memory access volatile
>>>> because the change was easier to do. Also on Arm Thumb-1 computing the
>>>> guard's address itself takes several loads so had to modify some more
>>>> patterns. Anyway, regardless of the proper fix, do you have any objection
>>>> to raising a CVE for that issue?
>>>
>>> Please file a bug in Bugzilla first and use that in the submission to
>>> MITRE.
>>
>> Thomas filed https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85434 a couple
>> of weeks ago.
>
> Is there a generic way to find other affected targets?
>
> If we only plan to fix 32-bit Arm, we should make the CVE identifier
> specific to that, to avoid confusion.
The problem is fairly target-dependent, so architecture maintainers need to look at how stack-guard canaries and their addresses are handled and whether they can be spilled onto the stack.

It appears we need to poll architecture maintainers before filing the CVE.
--
Maxim Kuvyrkov
www.linaro.org