From: "H.J. Lu" <hjl.tools@gmail.com>
To: Jeff Law <jeffreyalaw@gmail.com>
Cc: GCC Patches <gcc-patches@gcc.gnu.org>
Subject: Re: [PATCH] stack-protector: Check stack canary for noreturn function
Date: Wed, 3 Aug 2022 10:27:09 -0700 [thread overview]
Message-ID: <CAMe9rOpf7pjnCQyJLWmkqnB-muV9N2ZHJ7Y-XAF6rp898Y_4NQ@mail.gmail.com> (raw)
In-Reply-To: <fc73d428-a715-aaa3-79de-b2fd78697263@gmail.com>
On Tue, Aug 2, 2022 at 4:34 PM Jeff Law <jeffreyalaw@gmail.com> wrote:
>
>
>
> On 8/2/2022 11:43 AM, H.J. Lu wrote:
> > On Sat, Jul 30, 2022 at 1:30 PM Jeff Law via Gcc-patches
> > <gcc-patches@gcc.gnu.org> wrote:
> >>
> >>
> >> On 7/14/2022 3:55 PM, H.J. Lu via Gcc-patches wrote:
> >>> Check stack canary for noreturn function to catch stack corruption
> >>> before calling noreturn function. For C++, check stack canary when
> >>> throwing exception or resuming stack unwind to avoid corrupted stack.
> >>>
> >>> gcc/
> >>>
> >>> PR middle-end/58245
> >>> * calls.cc (expand_call): Check stack canary for noreturn
> >>> function.
> >>>
> >>> gcc/testsuite/
> >>>
> >>> PR middle-end/58245
> >>> * c-c++-common/pr58245-1.c: New test.
> >>> * g++.dg/pr58245-1.C: Likewise.
> >>> * g++.dg/fstack-protector-strong.C: Adjusted.
> >> But is this really something we want? I'd actually lean towards
> >> eliminating the useless load -- I don't necessarily think we should be
> >> treating non-returning paths specially here.
> >>
> >> The whole point of the stack protector is to prevent the *return* path
> >> from going to an attacker controlled location. I'm not sure checking
> >> the protector at this point actually does anything particularly useful.
> > throw is marked no return. Since the unwind library may read
> > the stack contents to unwind stack, it the stack is corrupted, the
> > exception handling may go wrong. Should we handle this case?
> That's the question I think we need to answer. The EH paths are a known
> security issue on Windows and while ours are notably different I'm not
> sure if there's a real attack surface in those paths. My sense is that
> if we need to tackle this that doing so on the throw side might be
> better as it's closer conceptually to when//how we check the canary for
> a normal return.
Like this?
@@ -3154,7 +3155,10 @@ expand_call (tree exp, rtx target, int ignore)
if (pass && (flags & ECF_MALLOC))
start_sequence ();
- if (pass == 0
+ /* Check the canary value for sibcall or function which doesn't
+ return and could throw. */
+ if ((pass == 0
+ || ((flags & ECF_NORETURN) != 0 && tree_could_throw_p (exp)))
&& crtl->stack_protect_guard
&& targetm.stack_protect_runtime_enabled_p ())
stack_protect_epilogue ();
> jeff
> >
> > --
> > H.J.
>
--
H.J.
next prev parent reply other threads:[~2022-08-03 17:27 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-14 21:55 H.J. Lu
2022-07-30 20:30 ` Jeff Law
2022-08-02 17:43 ` H.J. Lu
2022-08-02 23:34 ` Jeff Law
2022-08-03 17:27 ` H.J. Lu [this message]
2022-08-17 22:19 ` H.J. Lu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMe9rOpf7pjnCQyJLWmkqnB-muV9N2ZHJ7Y-XAF6rp898Y_4NQ@mail.gmail.com \
--to=hjl.tools@gmail.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=jeffreyalaw@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).