From: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
To: Jeff Law <law@redhat.com>,
Richard Earnshaw <Richard.Earnshaw@arm.com>,
GCC Patches <gcc-patches@gcc.gnu.org>
Cc: nd <nd@arm.com>
Subject: Re: RFC: stack/heap collision vulnerability and mitigation with GCC
Date: Thu, 22 Jun 2017 22:57:00 -0000 [thread overview]
Message-ID: <AM5PR0802MB2610C693781915BCB216FE2983DB0@AM5PR0802MB2610.eurprd08.prod.outlook.com> (raw)
In-Reply-To: <65e55d54-caf5-ca5f-7835-7541091e7528@redhat.com>
Jeff Law wrote:
> You can be in one of 3 states when you start the callee's prologue.
>
> 1. You're somewhere in the normal stack.
>
> 2. You've past the guard and are already in the heap or elsewhere
>
> 3. You're somewhere in the guard
>
> State #3 is what we're trying to address. The attacker has advanced the
> stack pointer into the guard, but has not fully breached the guard. We
> need to ensure that we hit the guard to prevent the breach.
State 3 is only interesting if all code has been built with probing enabled. In that
case we'd define how far the caller may have gone into the guard band and the
callee will probe exactly when needed, so it's guaranteed to prevent a breach.
If the caller hasn't enabled probing and does alloca, you're simply dead already.
All an attacker needs to do is to increase the alloca size to complete the breach.
If a full breach isn't feasible in a caller (ie. no alloca) then it can only go a tiny
amount into the guard band since the outgoing argument size is tiny. If the callee
has probing enabled and uses a reasonable maximum outgoing argument size
(say more than the maximum across a whole distro), the chances you could breach
the stack guard are infinitesimal.
So I still don't understand what exactly is so much worse on AArch64.
Wilco
next prev parent reply other threads:[~2017-06-22 22:57 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-20 23:22 Wilco Dijkstra
2017-06-21 8:34 ` Richard Earnshaw (lists)
2017-06-21 8:44 ` Andreas Schwab
2017-06-21 8:46 ` Richard Earnshaw (lists)
2017-06-21 8:46 ` Richard Earnshaw (lists)
2017-06-21 9:03 ` Wilco Dijkstra
2017-06-21 17:05 ` Jeff Law
2017-06-21 17:47 ` Wilco Dijkstra
2017-06-22 16:10 ` Jeff Law
2017-06-22 22:57 ` Wilco Dijkstra [this message]
-- strict thread matches above, loose matches on Subject: below --
2017-06-19 17:07 Jeff Law
2017-06-19 17:29 ` Jakub Jelinek
2017-06-19 17:45 ` Jeff Law
2017-06-19 17:51 ` Jakub Jelinek
2017-06-19 21:51 ` Jeff Law
2017-06-20 8:03 ` Uros Bizjak
2017-06-20 10:18 ` Richard Biener
2017-06-20 11:10 ` Uros Bizjak
2017-06-20 12:13 ` Florian Weimer
2017-06-20 12:17 ` Uros Bizjak
2017-06-20 12:20 ` Uros Bizjak
2017-06-20 12:27 ` Richard Biener
2017-06-20 21:57 ` Jeff Law
2017-06-20 15:59 ` Jeff Law
2017-06-19 18:00 ` Richard Biener
2017-06-19 18:02 ` Richard Biener
2017-06-19 18:15 ` Florian Weimer
2017-06-19 21:57 ` Jeff Law
2017-06-19 22:08 ` Jeff Law
2017-06-20 7:50 ` Eric Botcazou
2017-06-19 17:51 ` Joseph Myers
2017-06-19 17:55 ` Jakub Jelinek
2017-06-19 18:21 ` Florian Weimer
2017-06-19 21:56 ` Joseph Myers
2017-06-19 22:05 ` Jeff Law
2017-06-19 22:10 ` Florian Weimer
2017-06-19 19:05 ` Jeff Law
2017-06-19 19:45 ` Jakub Jelinek
2017-06-19 21:41 ` Jeff Law
2017-06-20 8:27 ` Richard Earnshaw (lists)
2017-06-20 15:50 ` Jeff Law
2017-06-19 18:12 ` Richard Kenner
2017-06-19 22:05 ` Jeff Law
2017-06-19 22:07 ` Richard Kenner
2017-06-20 8:21 ` Eric Botcazou
2017-06-20 15:50 ` Jeff Law
2017-06-20 19:48 ` Jakub Jelinek
2017-06-20 20:37 ` Eric Botcazou
2017-06-20 20:46 ` Jeff Law
2017-06-20 8:17 ` Eric Botcazou
2017-06-20 21:52 ` Jeff Law
2017-06-20 22:20 ` Eric Botcazou
2017-06-21 17:31 ` Jeff Law
2017-06-21 19:07 ` Florian Weimer
2017-06-21 7:56 ` Andreas Schwab
2017-06-20 9:27 ` Richard Earnshaw (lists)
2017-06-20 21:39 ` Jeff Law
2017-06-21 8:41 ` Richard Earnshaw (lists)
2017-06-21 17:25 ` Jeff Law
2017-06-22 9:53 ` Richard Earnshaw (lists)
2017-06-22 15:30 ` Jeff Law
2017-06-22 16:07 ` Szabolcs Nagy
2017-06-22 16:15 ` Jeff Law
2017-06-28 6:45 ` Florian Weimer
2017-07-13 23:21 ` Jeff Law
2017-07-18 19:54 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AM5PR0802MB2610C693781915BCB216FE2983DB0@AM5PR0802MB2610.eurprd08.prod.outlook.com \
--to=wilco.dijkstra@arm.com \
--cc=Richard.Earnshaw@arm.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=law@redhat.com \
--cc=nd@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).