RFC: stack/heap collision vulnerability and mitigation with GCC

Jakub Jelinek jakub@redhat.com
Tue Jun 20 19:48:00 GMT 2017


On Tue, Jun 20, 2017 at 10:21:14AM +0200, Eric Botcazou wrote:
> > Out of curiosity, does the old Alpha/VMS stack-checking API meet the
> > requirements?  From what I recall, I think it does.
> 
> No, it's the usual probe-first-and-then-allocate strategy and Jeff rejects it 
> because of valgrind.  I'd personally rather change valgrind but...

But then valgrind won't be able to find bugs in the code (storing stuff into
the volatile parts of the stack that could be overwritten by any asynchronous
signal and later reading it back).  GCC had various bugs in this area and
valgrind has been able to report those.  Unless the probe instruction is
sufficiently magic that it won't usually appear in other code.

Only checking loads below the stack is not sufficient; some buggy code could
e.g. store some data below the stack pointer (below the red zone, if any), then
subtract the stack pointer and then try to read it, etc.

Not to mention that it isn't just false-positive messages with current
valgrind on -fstack-check code; e.g. on ppc64 it just crashes.

	Jakub
