From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 65341 invoked by alias); 19 Jun 2017 19:05:08 -0000 Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk List-Id: List-Archive: List-Post: List-Help: Sender: gcc-patches-owner@gcc.gnu.org Received: (qmail 65291 invoked by uid 89); 19 Jun 2017 19:05:07 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS,T_RP_MATCHES_RCVD autolearn=ham version=3.3.2 spammy=site X-HELO: mx1.redhat.com Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Mon, 19 Jun 2017 19:04:56 +0000 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 41ACD80C15; Mon, 19 Jun 2017 19:05:00 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 41ACD80C15 Authentication-Results: ext-mx02.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx02.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=law@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 41ACD80C15 Received: from localhost.localdomain (ovpn-117-64.phx2.redhat.com [10.3.117.64]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6A02782755; Mon, 19 Jun 2017 19:04:58 +0000 (UTC) Subject: Re: RFC: stack/heap collision vulnerability and mitigation with GCC To: Joseph Myers Cc: gcc-patches References: From: Jeff Law Message-ID: Date: Mon, 19 Jun 2017 19:05:00 -0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-IsSubscribed: yes X-SW-Source: 2017-06/txt/msg01368.txt.bz2 On 06/19/2017 11:50 AM, Joseph Myers wrote: > On Mon, 19 Jun 2017, Jeff Law wrote: > >> A key point to remember is that you can never have an allocation >> (potentially using more than one allocation site) which is larger than a >> page without probing the page. > > There's a platform ABI issue here. At least some kernel fixes for these > stack issues, as I understand it, increase the size of the stack guard to > more than a single page. It would be possible to define the ABI to > require such a larger guard for protection and so reduce the number of > (non-alloca/VLA-using) functions that need probes generated, depending on > whether a goal is to achieve security on kernels without such a fix. > (Thinking in terms of how to get to enabling such probes by default.) On 32 bit platforms we don't have a lot of address space left, so we have to be careful about creating too large of a guard. On 64 bit platforms we have a lot more freedom and I suspect larger guards, mandated by the ABI would be useful, if for no other reason than allowing us to allocate more stack without probing. A simple array of PATH_MAX characters triggers probing right now. I suspect (but didn't bother to confirm) that PATH_MAX array are what causes git to have so many large stacks. Also if we look at something like ppc and aarch64, we've currently got the PROBE_INTERVAL set to 4k. But in reality they're using much larger page sizes. So we could improve things there as well. jeff