From: Jeff Law <jeffreyalaw@gmail.com>
To: "H.J. Lu" <hjl.tools@gmail.com>
Cc: GCC Patches <gcc-patches@gcc.gnu.org>
Subject: Re: [PATCH] stack-protector: Check stack canary for noreturn function
Date: Tue, 2 Aug 2022 17:34:57 -0600 [thread overview]
Message-ID: <fc73d428-a715-aaa3-79de-b2fd78697263@gmail.com> (raw)
In-Reply-To: <CAMe9rOpgpKsB8XMJwO3V_t_kCnq+xQ6DgCZ9rDH+KsRRGte-LA@mail.gmail.com>
On 8/2/2022 11:43 AM, H.J. Lu wrote:
> On Sat, Jul 30, 2022 at 1:30 PM Jeff Law via Gcc-patches
> <gcc-patches@gcc.gnu.org> wrote:
>>
>>
>> On 7/14/2022 3:55 PM, H.J. Lu via Gcc-patches wrote:
>>> Check stack canary for noreturn function to catch stack corruption
>>> before calling noreturn function. For C++, check stack canary when
>>> throwing exception or resuming stack unwind to avoid corrupted stack.
>>>
>>> gcc/
>>>
>>> PR middle-end/58245
>>> * calls.cc (expand_call): Check stack canary for noreturn
>>> function.
>>>
>>> gcc/testsuite/
>>>
>>> PR middle-end/58245
>>> * c-c++-common/pr58245-1.c: New test.
>>> * g++.dg/pr58245-1.C: Likewise.
>>> * g++.dg/fstack-protector-strong.C: Adjusted.
>> But is this really something we want? I'd actually lean towards
>> eliminating the useless load -- I don't necessarily think we should be
>> treating non-returning paths specially here.
>>
>> The whole point of the stack protector is to prevent the *return* path
>> from going to an attacker controlled location. I'm not sure checking
>> the protector at this point actually does anything particularly useful.
> throw is marked no return. Since the unwind library may read
> the stack contents to unwind stack, it the stack is corrupted, the
> exception handling may go wrong. Should we handle this case?
That's the question I think we need to answer. The EH paths are a known
security issue on Windows and while ours are notably different I'm not
sure if there's a real attack surface in those paths. My sense is that
if we need to tackle this that doing so on the throw side might be
better as it's closer conceptually to when//how we check the canary for
a normal return.
jeff
>
> --
> H.J.
next prev parent reply other threads:[~2022-08-02 23:35 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-14 21:55 H.J. Lu
2022-07-30 20:30 ` Jeff Law
2022-08-02 17:43 ` H.J. Lu
2022-08-02 23:34 ` Jeff Law [this message]
2022-08-03 17:27 ` H.J. Lu
2022-08-17 22:19 ` H.J. Lu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fc73d428-a715-aaa3-79de-b2fd78697263@gmail.com \
--to=jeffreyalaw@gmail.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=hjl.tools@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).