From: Eric Botcazou <ebotcazou@adacore.com>
To: Jeff Law <law@redhat.com>
Cc: gcc-patches@gcc.gnu.org
Subject: Re: RFC: stack/heap collision vulnerability and mitigation with GCC
Date: Tue, 20 Jun 2017 08:17:00 -0000 [thread overview]
Message-ID: <62416688.h8zfxR0s2T@polaris> (raw)
In-Reply-To: <bef46e40-8004-0f80-4928-ad0795eb76ba@redhat.com>
> As some of you are likely aware, Qualys has just published fairly
> detailed information on using stack/heap clashes as an attack vector.
> Eric B, Michael M -- sorry I couldn't say more when I contact you about
> -fstack-check and some PPC specific stuff. This has been under embargo
> for the last month.
No problem and thanks for putting together this message.
> Unfortunately, -fstack-check is actually not well suited for our purposes.
>
> Some background. -fstack-check was designed primarily for Ada's needs.
> It assumes the whole program is compiled with -fstack-check and it is
> designed to ensure there is enough stack space left so that if the
> program hits the guard (say via infinite recursion) the program can
> safely call into a signal handler and raise an exception.
>
> To ensure there's always enough space to meet that design requirement,
> -fstack-check probes stack space ahead of the actual need of the code.
>
> The assumption that all code was compiled with -fstack-check allows for
> elision of some stack probes as they are assumed to have been probed by
> earlier callers in the call chain. This elision is safe in an
> environment where all callers use -fstack-check, but fatally flawed in a
> mixed environment.
>
> Most ports first probe by pages for whatever space is requested, then
> after all probing is done, they actually allocate space. This runs
> afoul of valgrind in various unpleasant ways (including crashing
> valgrind on two targets).
>
> Only x86-linux currently uses a "moving sp" allocation and probing
> strategy. ie, it actually allocates space, then probes the space.
Right, because the Linux kernel for x86/x86-64 is the only OS flavor that
doesn't let you probe the stack ahead of the stack pointer. All other
combinations of OS and architecture we tried (and it's quite a lot) do.
> After much poking around I concluded that we really need to implement
> allocation and probing via a "moving sp" strategy. Probing into
> unallocated areas runs afoul of valgrind, so that's a non-starter.
The reason why you cannot use this strategy on a global basis for stack
checking is that some ABIs specify that you cannot update the stack pointer
more than once to establish a frame; others don't explicitly care but...
> Allocating stack space, then probing the pages within the space is
> vulnerable to async signal delivery between the allocation point and the
> probe point. If that occurs the signal handler could end up running on
> a stack that has collided with the heap.
...yes, there are difficulties with the "moving sp" strategy.
> Finally, we need not ensure the ability to handle a signal at stack
> overflow. It is fine for the kernel to halt the process immediately if
> it detects a reference to the guard page.
In Ada it's the opposite and we use an alternate signal stack in this case.
> Dynamic (alloca) space is handled fairly generically with simple code to
> allocate a page and probe the just allocated page.
Right, it's not the most difficult part.
> Michael Matz has suggested some generic support so that we don't have to
> write target specific code for each and every target we support. THe
> idea is to have a helper function which allocates and probes stack
> space. THe port can then call that helper function from within its
> prologue generator. I think this is wise -- I wouldn't want to go
> through this exercise on every port.
Interesting. We never convinced ourselves that this was worthwhile.
--
Eric Botcazou
next prev parent reply other threads:[~2017-06-20 8:17 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-19 17:07 Jeff Law
2017-06-19 17:29 ` Jakub Jelinek
2017-06-19 17:45 ` Jeff Law
2017-06-19 17:51 ` Jakub Jelinek
2017-06-19 21:51 ` Jeff Law
2017-06-20 8:03 ` Uros Bizjak
2017-06-20 10:18 ` Richard Biener
2017-06-20 11:10 ` Uros Bizjak
2017-06-20 12:13 ` Florian Weimer
2017-06-20 12:17 ` Uros Bizjak
2017-06-20 12:20 ` Uros Bizjak
2017-06-20 12:27 ` Richard Biener
2017-06-20 21:57 ` Jeff Law
2017-06-20 15:59 ` Jeff Law
2017-06-19 18:00 ` Richard Biener
2017-06-19 18:02 ` Richard Biener
2017-06-19 18:15 ` Florian Weimer
2017-06-19 21:57 ` Jeff Law
2017-06-19 22:08 ` Jeff Law
2017-06-20 7:50 ` Eric Botcazou
2017-06-19 17:51 ` Joseph Myers
2017-06-19 17:55 ` Jakub Jelinek
2017-06-19 18:21 ` Florian Weimer
2017-06-19 21:56 ` Joseph Myers
2017-06-19 22:05 ` Jeff Law
2017-06-19 22:10 ` Florian Weimer
2017-06-19 19:05 ` Jeff Law
2017-06-19 19:45 ` Jakub Jelinek
2017-06-19 21:41 ` Jeff Law
2017-06-20 8:27 ` Richard Earnshaw (lists)
2017-06-20 15:50 ` Jeff Law
2017-06-19 18:12 ` Richard Kenner
2017-06-19 22:05 ` Jeff Law
2017-06-19 22:07 ` Richard Kenner
2017-06-20 8:21 ` Eric Botcazou
2017-06-20 15:50 ` Jeff Law
2017-06-20 19:48 ` Jakub Jelinek
2017-06-20 20:37 ` Eric Botcazou
2017-06-20 20:46 ` Jeff Law
2017-06-20 8:17 ` Eric Botcazou [this message]
2017-06-20 21:52 ` Jeff Law
2017-06-20 22:20 ` Eric Botcazou
2017-06-21 17:31 ` Jeff Law
2017-06-21 19:07 ` Florian Weimer
2017-06-21 7:56 ` Andreas Schwab
2017-06-20 9:27 ` Richard Earnshaw (lists)
2017-06-20 21:39 ` Jeff Law
2017-06-21 8:41 ` Richard Earnshaw (lists)
2017-06-21 17:25 ` Jeff Law
2017-06-22 9:53 ` Richard Earnshaw (lists)
2017-06-22 15:30 ` Jeff Law
2017-06-22 16:07 ` Szabolcs Nagy
2017-06-22 16:15 ` Jeff Law
2017-06-28 6:45 ` Florian Weimer
2017-07-13 23:21 ` Jeff Law
2017-07-18 19:54 ` Florian Weimer
2017-06-20 23:22 Wilco Dijkstra
2017-06-21 8:34 ` Richard Earnshaw (lists)
2017-06-21 8:44 ` Andreas Schwab
2017-06-21 8:46 ` Richard Earnshaw (lists)
2017-06-21 8:46 ` Richard Earnshaw (lists)
2017-06-21 9:03 ` Wilco Dijkstra
2017-06-21 17:05 ` Jeff Law
2017-06-21 17:47 ` Wilco Dijkstra
2017-06-22 16:10 ` Jeff Law
2017-06-22 22:57 ` Wilco Dijkstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=62416688.h8zfxR0s2T@polaris \
--to=ebotcazou@adacore.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=law@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).