RFC: stack/heap collision vulnerability and mitigation with GCC
Joseph Myers
joseph@codesourcery.com
Mon Jun 19 21:56:00 GMT 2017
On Mon, 19 Jun 2017, Florian Weimer wrote:
> I think architectures such as aarch64 without implied stack probing as
> part of the function call sequence would benefit most from an ABI
> agreement (splitting the probing responsibility in some way between
> caller and callee). For architectures with some form of implied
I'd expect that, regardless of architecture, if calls don't write to the
stack, the caller has to save its own return address somewhere before
making a call, which means writing the saved link register. Is the
problem case something like: the caller allocates stack space
unconditionally, without writing to it, and then a particular case in the
caller calls what it believes to be a noreturn function, or a function
that it knows won't return in that particular case, so doesn't need to
save the return address (although not saving return addresses when calling
noreturn functions is problematic in practice when you want to backtrace
from abort), so makes a call without ever having written anything to the
stack (and then you chain many such calls to do large stack allocations,
never writing to the stack, with each individual allocation being small)?
Or is the concern simply that the caller might have been compiled without
stack checking and you don't know *where* it wrote to the stack, even
given that it must have saved its return address somewhere?
--
Joseph S. Myers
joseph@codesourcery.com
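To make the cases discussed above concrete, here is an added C model (not code from this thread or from GCC) of a downward-growing stack with one guard page: it compares chained small frames that never write to the stack against frames that store their saved return address, and a single large frame with and without compiler-emitted per-page probes. All addresses, the page size and the frame sizes are constructed for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a downward-growing stack with one guard page below
 * the mapped region. Addresses are synthetic; nothing here touches the
 * real process stack. */
#define PAGE     4096u
#define GUARD_HI ((uintptr_t)0x10000000)   /* lowest mapped stack address */
#define GUARD_LO (GUARD_HI - PAGE)         /* guard page: [GUARD_LO, GUARD_HI) */

enum outcome { STAYED_ABOVE = 0, FAULTED_IN_GUARD = 1, JUMPED_OVER_GUARD = 2 };

struct stack { uintptr_t sp; bool hit_guard; };

/* A load or store at addr: landing in the guard page is the fault that
 * the guard-page mitigation relies on. */
static void touch(struct stack *s, uintptr_t addr) {
    if (addr >= GUARD_LO && addr < GUARD_HI) s->hit_guard = true;
}

/* Allocate one frame of `size` bytes.
 * writes_frame: the callee stores at its new sp (e.g. saves the link register).
 * probe:        the compiler emitted a probe on every page the frame crosses. */
static void alloc_frame(struct stack *s, size_t size, bool writes_frame, bool probe) {
    uintptr_t old_sp = s->sp;
    s->sp -= size;
    if (probe)
        for (uintptr_t a = old_sp - PAGE; a >= s->sp; a -= PAGE) touch(s, a);
    if (writes_frame || probe) touch(s, s->sp);
}

/* Run `n` chained allocations of `size` bytes, starting 3 pages above the
 * guard. Returns which of the three outcomes the sequence produced. */
static int scenario(size_t n, size_t size, bool writes_frame, bool probe) {
    struct stack s = { GUARD_HI + 3 * PAGE, false };
    for (size_t i = 0; i < n && !s.hit_guard; i++)
        alloc_frame(&s, size, writes_frame, probe);
    if (s.hit_guard) return FAULTED_IN_GUARD;
    return s.sp < GUARD_LO ? JUMPED_OVER_GUARD : STAYED_ABOVE;
}
```

Twenty 1 KiB frames that never write walk straight past the guard page, while the same chain saving a return address per frame faults on the 13th; one 24 KiB frame is only caught when probed.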