This is the mail archive of the
mailing list for the GCC project.
Re: RFC: stack/heap collision vulnerability and mitigation with GCC
- From: Jakub Jelinek <jakub at redhat dot com>
- To: Jeff Law <law at redhat dot com>
- Cc: Joseph Myers <joseph at codesourcery dot com>, gcc-patches <gcc-patches at gcc dot gnu dot org>
- Date: Mon, 19 Jun 2017 21:45:41 +0200
- Subject: Re: RFC: stack/heap collision vulnerability and mitigation with GCC
- Authentication-results: sourceware.org; auth=none
- Authentication-results: ext-mx06.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
- Authentication-results: ext-mx06.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=jakub at redhat dot com
- Dkim-filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 22AC15A71
- Dmarc-filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 22AC15A71
- References: <email@example.com> <alpine.DEB.firstname.lastname@example.org> <email@example.com>
- Reply-to: Jakub Jelinek <jakub at redhat dot com>
On Mon, Jun 19, 2017 at 01:04:57PM -0600, Jeff Law wrote:
> On 06/19/2017 11:50 AM, Joseph Myers wrote:
> > On Mon, 19 Jun 2017, Jeff Law wrote:
> >> A key point to remember is that you can never have an allocation
> >> (potentially using more than one allocation site) which is larger than a
> >> page without probing the page.
> > There's a platform ABI issue here. At least some kernel fixes for these
> > stack issues, as I understand it, increase the size of the stack guard to
> > more than a single page. It would be possible to define the ABI to
> > require such a larger guard for protection and so reduce the number of
> > (non-alloca/VLA-using) functions that need probes generated, depending on
> > whether a goal is to achieve security on kernels without such a fix.
> > (Thinking in terms of how to get to enabling such probes by default.)
> On 32 bit platforms we don't have a lot of address space left, so we
> have to be careful about creating too large of a guard.
> On 64 bit platforms we have a lot more freedom and I suspect larger
> guards, mandated by the ABI would be useful, if for no other reason than
> allowing us to allocate more stack without probing. A simple array of
> PATH_MAX characters triggers probing right now. I suspect (but didn't
> bother to confirm) that PATH_MAX array are what causes git to have so
> many large stacks.
> Also if we look at something like ppc and aarch64, we've currently got
> the PROBE_INTERVAL set to 4k. But in reality they're using much larger
> page sizes. So we could improve things there as well.
ppc can use 4K, 16K, 64K or 256K pages, aarch64 4K, 16K or 64K.
So, unless the ABI (or some ABI extension for Linux) says that the guard
page is at least 16K or 64K on these arches (and unless glibc changes the
default pthread_attr_getguardsize - currently defaults everywhere to 1
page), you can't rely on more than 4K there.