This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: RFC: stack/heap collision vulnerability and mitigation with GCC

From: Jeff Law <law at redhat dot com>
To: "Richard Earnshaw (lists)" <Richard dot Earnshaw at arm dot com>, gcc-patches <gcc-patches at gcc dot gnu dot org>
Date: Wed, 21 Jun 2017 11:25:17 -0600
Subject: Re: RFC: stack/heap collision vulnerability and mitigation with GCC
Authentication-results: sourceware.org; auth=none
Authentication-results: ext-mx05.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-results: ext-mx05.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=law at redhat dot com
Dkim-filter: OpenDKIM Filter v2.11.0 mx1.redhat.com BB2B3BDD0
Dmarc-filter: OpenDMARC Filter v1.3.2 mx1.redhat.com BB2B3BDD0
References: <bef46e40-8004-0f80-4928-ad0795eb76ba@redhat.com> <9dbdb66f-a9ec-c04a-8d83-e1597213e2da@arm.com> <6a46678a-01b7-50e8-c5e1-65ca25a5f662@redhat.com> <a20df538-c347-e2ab-038d-26064e2789ee@arm.com>

On 06/21/2017 02:41 AM, Richard Earnshaw (lists) wrote:

>> But the stack pointer might have already been advanced into the guard
>> page by the caller.   For the sake of argument assume the guard page is
>> 0xf1000 and assume that our stack pointer at entry is 0xf1010 and that
>> the caller hasn't touched the 0xf1000 page.
> 
> Then make sure the caller does touch the 0xf1000 page.  If it's
> allocated that much stack it should be forced to do the probe and not
> rely on all it's children having to do it because it can't be bothered.
That needs to be mandated at the ABI level if it's going to happen.  The
threat model assumes that the caller adheres to the ABI, but was not
necessarily compiled with -fstack-check.

I'm all for making the common path fast and letting the uncommon cases
pay additional penalties.  That mindset has driven the work-to-date.

But I don't think I have the liberty to change existing ABIs to
facilitate lower overhead approaches.  But I think ARM does given it
owns the ABI for aarch64 and I would happily exploit whatever guarantees
we can derive from an updated ABI.

So if you want the caller to touch the page, you need to amend the ABI.
I'd think touching the lowest address of the alloca area and outgoing
args, if large would be sufficient.

jeff

Follow-Ups:
- Re: RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Richard Earnshaw (lists)

References:
- RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Jeff Law
- Re: RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Richard Earnshaw (lists)
- Re: RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Jeff Law
- Re: RFC: stack/heap collision vulnerability and mitigation with GCC
  - From: Richard Earnshaw (lists)

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]