Probe emission in fstack-clash-protection

Varun Kumar E
Wed May 3 04:36:49 GMT 2023

The above case shows that gcc first decreases the stack pointer and then

As mentioned by Jeff Law (reference
under "More issues with -fstack-check". If an asynchronous signal is
received between the decrement of the stack pointer and probing of the pages.
*"In that case, the stack pointer could be pointing beyond the guard into
the heap. The signal arrives and the kernel transfers control to the
registered signal handler. That signal handler is then running while its
stack is pointing into the heap. Thus, the attacker has clashed the stack
and heap, and there's a reasonable chance they can gain control over the
program"*

So, shouldn't we first probe and, only if that succeeds, then update the stack
pointer? Or maybe I have understood it incorrectly.

