protected alloca class for malloc fallback

Jeff Law law@redhat.com
Tue Aug 16 16:47:00 GMT 2016


On 08/16/2016 10:44 AM, Jakub Jelinek wrote:
> On Tue, Aug 16, 2016 at 10:27:58AM -0600, Jeff Law wrote:
>> I think you're being rather short-sighted here.  GCC is being used in ways we
>> can't necessarily predict -- which might include compile servers, JITs, web
>> services, etc.
>
> For compile server/web services one needs to add the protection outside of
> gcc (sandboxing, containers, SELinux, limiting CPU and/or memory, etc.),
> because even with very short testcases e.g. in C/C++ one can eat arbitrary
> amounts of stack even without any uses of alloca in the compiler, simply
> through deep recursion in the parsers etc.
Agreed.  However, that doesn't mean we should not be locking down things 
like alloca and other attack vectors.

> The attack vector is so big that
> trying to do something just about alloca is IMHO pointless, and we really
> don't want to fight 20 gcc CVEs every day (1:1 with most bugreports).
> Alloca is really useful in the compiler IMO, it is significantly faster than
> heap allocation, and that is what matters in many places a lot.
You have to start somewhere and we have the tools and willingness of an 
engineer to tackle part of this problem.  Simply giving up because it's 
not a total solution is absurd.

jeff


