This is the mail archive of the
mailing list for the GCC project.
Re: RFC: stack/heap collision vulnerability and mitigation with GCC
On 19/06/17 20:04, Jeff Law wrote:
> On 06/19/2017 11:50 AM, Joseph Myers wrote:
>> On Mon, 19 Jun 2017, Jeff Law wrote:
>>> A key point to remember is that you can never have an allocation
>>> (potentially using more than one allocation site) which is larger than a
>>> page without probing the page.
>> There's a platform ABI issue here. At least some kernel fixes for these
>> stack issues, as I understand it, increase the size of the stack guard to
>> more than a single page. It would be possible to define the ABI to
>> require such a larger guard for protection and so reduce the number of
>> (non-alloca/VLA-using) functions that need probes generated, depending on
>> whether a goal is to achieve security on kernels without such a fix.
>> (Thinking in terms of how to get to enabling such probes by default.)
> On 32 bit platforms we don't have a lot of address space left, so we
> have to be careful about creating too large of a guard.
> On 64 bit platforms we have a lot more freedom and I suspect larger
> guards, mandated by the ABI would be useful, if for no other reason than
> allowing us to allocate more stack without probing. A simple array of
> PATH_MAX characters triggers probing right now. I suspect (but didn't
> bother to confirm) that PATH_MAX array are what causes git to have so
> many large stacks.
> Also if we look at something like ppc and aarch64, we've currently got
> the PROBE_INTERVAL set to 4k. But in reality they're using much larger
> page sizes. So we could improve things there as well.
There are aarch64 linux systems using 4k pages for compatibility with
existing aarch32 binaries.