This is the mail archive of the
mailing list for the GCC project.
Re: RFC: stack/heap collision vulnerability and mitigation with GCC
- From: Jeff Law <law at redhat dot com>
- To: Jakub Jelinek <jakub at redhat dot com>
- Cc: Joseph Myers <joseph at codesourcery dot com>, gcc-patches <gcc-patches at gcc dot gnu dot org>
- Date: Mon, 19 Jun 2017 15:41:24 -0600
- Subject: Re: RFC: stack/heap collision vulnerability and mitigation with GCC
- Authentication-results: sourceware.org; auth=none
- Authentication-results: ext-mx07.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
- Authentication-results: ext-mx07.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=law at redhat dot com
- Dkim-filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 0BF8EC04B328
- Dmarc-filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 0BF8EC04B328
- References: <email@example.com> <alpine.DEB.firstname.lastname@example.org> <email@example.com> <20170619194541.GB2123@tucnak>
On 06/19/2017 01:45 PM, Jakub Jelinek wrote:
> On Mon, Jun 19, 2017 at 01:04:57PM -0600, Jeff Law wrote:
>> On 06/19/2017 11:50 AM, Joseph Myers wrote:
>>> On Mon, 19 Jun 2017, Jeff Law wrote:
>>>> A key point to remember is that you can never have an allocation
>>>> (potentially using more than one allocation site) which is larger than a
>>>> page without probing the page.
>>> There's a platform ABI issue here. At least some kernel fixes for these
>>> stack issues, as I understand it, increase the size of the stack guard to
>>> more than a single page. It would be possible to define the ABI to
>>> require such a larger guard for protection and so reduce the number of
>>> (non-alloca/VLA-using) functions that need probes generated, depending on
>>> whether a goal is to achieve security on kernels without such a fix.
>>> (Thinking in terms of how to get to enabling such probes by default.)
>> On 32 bit platforms we don't have a lot of address space left, so we
>> have to be careful about creating too large of a guard.
>> On 64 bit platforms we have a lot more freedom and I suspect larger
>> guards, mandated by the ABI would be useful, if for no other reason than
>> allowing us to allocate more stack without probing. A simple array of
>> PATH_MAX characters triggers probing right now. I suspect (but didn't
>> bother to confirm) that PATH_MAX array are what causes git to have so
>> many large stacks.
>> Also if we look at something like ppc and aarch64, we've currently got
>> the PROBE_INTERVAL set to 4k. But in reality they're using much larger
>> page sizes. So we could improve things there as well.
> ppc can use 4K, 16K, 64K or 256K pages, aarch64 4K, 16K or 64K.
> So, unless the ABI (or some ABI extension for Linux) says that the guard
> page is at least 16K or 64K on these arches (and unless glibc changes the
> default pthread_attr_getguardsize - currently defaults everywhere to 1
> page), you can't rely on more than 4K there.While the hardware can use the smaller pages ISTM that we can (and
probably should) be clearer in the ABI. The current pagesize exported
by the kernel on those targets is 16/32k IIRC.