Subject: Re: RFC: stack/heap collision vulnerability and mitigation with GCC
To: Eric Botcazou, Jakub Jelinek
Cc: gcc-patches@gcc.gnu.org, Richard Kenner
References: <1668482.ocPt5K0QLh@polaris> <20170620194818.GL2123@tucnak> <2839350.GqtxodeRKm@polaris>
From: Jeff Law
Message-ID: <8c67d588-478e-6106-42f6-daffb7d0189d@redhat.com>
Date: Tue, 20 Jun 2017 20:46:00 -0000
In-Reply-To: <2839350.GqtxodeRKm@polaris>
X-SW-Source: 2017-06/txt/msg01510.txt.bz2

On 06/20/2017 02:37 PM, Eric Botcazou wrote:
>> But then valgrind won't be able to find bugs in the code (storing and later
>> reading stuff into the volatile parts of the stack that could be overwritten
>> by any asynchronous signal). GCC had various bugs in this area and
>> valgrind has been able to report those. Unless the probe instruction is
>> sufficiently magic that it won't usually appear in other code.
>
> Right, maybe this magic aspect was the reason why it was initially implemented
> like that for Cygwin, at least you know that orl $0 is meant to be special.
>
>> Only checking loads below the stack is not sufficient, some buggy code could
>> e.g. store some data below stack pointer (below red zone if any), then
>> subtract stack and then try to read it, etc.
>>
>> Not to mention that it isn't just false positive messages with current
>> valgrind on -fstack-check code, e.g. on ppc64 it just crashes.
>
> The reasoning seems weird though since, apart from x86/x86-64, you're going to
> gratuitously inflict this painful "moving sp" thing to every program compiled
> on Linux because of just one tool that you can adapt.
I don't see MOVING_SP as painful, except perhaps on aarch64. On something
like PPC MOVING_SP turns out to be exceedingly clean.

jeff
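To make the valgrind objection in this thread concrete, here is an added model in C (my own illustration, not GCC's or valgrind's code) of the two probing styles being contrasted: fixed-sp probes that touch memory below the stack pointer, versus MOVING_SP, which lowers sp first and then touches the new frame. STACK_TOP, PROBE_INTERVAL and the "a store strictly below sp is suspect" rule are simplifying assumptions made for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not GCC's code: the stack grows down from STACK_TOP and
   probes sit PROBE_INTERVAL bytes apart (assumed values; 4096 = one page). */
#define STACK_TOP      0x7fff0000ULL
#define PROBE_INTERVAL 4096ULL

/* sp: stack pointer; probes: probe stores issued; below_sp_stores: probes the valgrind rule flags */
typedef struct { uint64_t sp; unsigned probes, below_sp_stores; } cpu_t;

/* The valgrind rule the thread discusses: a store strictly below sp is suspect. */
static void probe_store(cpu_t *c, uint64_t addr) {
    c->probes++;
    if (addr < c->sp)
        c->below_sp_stores++;
}

/* Allocate a 'frame'-byte frame with one of the two probing strategies and
   return how many of its probes the rule above would flag. */
static unsigned simulate(bool moving_sp, uint64_t frame, cpu_t *c) {
    c->sp = STACK_TOP;
    c->probes = c->below_sp_stores = 0;
    if (moving_sp) {
        /* MOVING_SP: drop sp one interval at a time and touch (sp), so each
           probe lands in memory that already belongs to the frame. */
        uint64_t left = frame;
        for (; left >= PROBE_INTERVAL; left -= PROBE_INTERVAL) {
            c->sp -= PROBE_INTERVAL;
            probe_store(c, c->sp);
        }
        c->sp -= left;
    } else {
        /* Fixed-sp ("orl $0" style): sp stays put while every interval below
           it is touched, then sp is adjusted once at the end. */
        for (uint64_t off = PROBE_INTERVAL; off <= frame; off += PROBE_INTERVAL)
            probe_store(c, c->sp - off);
        c->sp -= frame;
    }
    return c->below_sp_stores;
}
int main(void) {
    cpu_t c;
    unsigned flagged = simulate(false, 3 * PROBE_INTERVAL, &c);
    printf("fixed sp : %u of %u probes flagged\n", flagged, c.probes);
    flagged = simulate(true, 3 * PROBE_INTERVAL, &c);
    printf("moving sp: %u of %u probes flagged\n", flagged, c.probes);
    return 0;
}
```

Both strategies touch the same intervals and end with the same sp; only the fixed-sp variant produces stores that a below-sp rule reports, which is why the thread debates either making the probe instruction recognisable or moving sp first.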