This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.



Re: RFC: stack/heap collision vulnerability and mitigation with GCC


On 06/20/2017 12:05 AM, Jeff Law wrote:
> On 06/19/2017 03:56 PM, Joseph Myers wrote:
>> On Mon, 19 Jun 2017, Florian Weimer wrote:
>>
>>> I think architectures such as aarch64 without implied stack probing as
>>> part of the function call sequence would benefit most from an ABI
>>> agreement (splitting the probing responsibility in some way between
>>> caller and callee).  For architectures with some form of implied
>>
>> I'd expect that, regardless of architecture, if calls don't write to the 
>> stack, the caller has to save its own return address somewhere before 
>> making a call, which means writing the saved link register.

> True, but the callee doesn't know the offset where the caller saved the
> return address.  In fact, different callers could have stored it at
> different offsets.  AFAICT for these targets we just have to make a
> worst case assumption about the caller.

There are also some weird corner cases like this one:

H. Baker, “CONS Should Not CONS Its Arguments, Part II: Cheney on the
M.T.A.” <http://home.pipeline.com/~hbaker1/CheneyMTA.html>.

So I think some sort of convention is needed here.

Thanks,
Florian
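The probing-gap argument in this thread, as an added illustration that is not code from the thread or from GCC: a small C model in which a callee probes a large frame every PROBE_INTERVAL bytes and has to assume how far above its entry stack pointer the caller last wrote. The names `caller_slack` and `assumed_slack`, the probing order and the page sizes are constructed for the model, not taken from any target's ABI.

```c
/* Model of stack-clash probing (added illustration, not GCC's code).
 * The stack grows down. A guard page is only guaranteed to be hit if no two
 * consecutive stack writes are more than GUARD_BYTES apart, so we track the
 * largest unwritten run that a callee's frame allocation can produce. */
#include <stddef.h>
#include <stdbool.h>

#define GUARD_BYTES     4096u   /* one guard page (constructed model value) */
#define PROBE_INTERVAL  4096u   /* the callee writes once per page of frame */

/* Largest run of bytes with no write when a callee allocates `frame` bytes.
 * caller_slack:  actual distance from the caller's last stack write down to
 *                the callee's entry SP (0 when the call instruction itself
 *                stores the return address at SP; unknown to the callee on a
 *                target whose callers save the link register themselves).
 * assumed_slack: what the callee assumes that distance can be, i.e. the
 *                convention it relies on; it probes its first bytes earlier
 *                (or at entry) to compensate. */
static size_t max_unprobed_gap(size_t frame, size_t caller_slack,
                               size_t assumed_slack)
{
    size_t gap = caller_slack;        /* bytes since the last known write */
    size_t largest = caller_slack;
    size_t allocated = 0;
    size_t budget = assumed_slack >= PROBE_INTERVAL
                        ? 0 : PROBE_INTERVAL - assumed_slack;
    if (budget == 0) {                /* worst case: write at entry SP first */
        gap = 0;
        budget = PROBE_INTERVAL;
    }
    while (allocated < frame) {
        size_t step = frame - allocated;
        if (step > budget)
            step = budget;
        allocated += step;            /* move SP down without writing ... */
        gap += step;
        if (gap > largest)
            largest = gap;
        gap = 0;                      /* ... then probe (write) at the new SP */
        budget = PROBE_INTERVAL;
    }
    return largest;
}

/* True when some guard-page placement lies entirely inside an unwritten run,
 * i.e. the allocation could step over the guard without faulting. */
static bool guard_can_be_skipped(size_t frame, size_t caller_slack,
                                 size_t assumed_slack)
{
    return max_unprobed_gap(frame, caller_slack, assumed_slack) > GUARD_BYTES;
}
```

With `caller_slack` equal to a full page and no convention (`assumed_slack` 0), a two-page frame yields an 8192-byte unwritten run; once the callee assumes that slack and probes at entry, the run never exceeds one page, but a caller that exceeds the assumed slack defeats the probing again.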

