From: Segher Boessenkool <segher@kernel.crashing.org>
To: Rich Felker <dalias@libc.org>
Cc: Sergei Trofimovich <slyfox@gentoo.org>,
musl@lists.openwall.com, libc-alpha@sourceware.org,
gcc@gcc.gnu.org, toolchain@gentoo.org
Subject: Re: [musl] musl, glibc and ideal place for __stack_chk_fail_local
Date: Thu, 30 Jan 2020 16:25:00 -0000 [thread overview]
Message-ID: <20200130123351.GU22482@gate.crashing.org> (raw)
In-Reply-To: <20200125155424.GZ30412@brightrain.aerifal.cx>
On Sat, Jan 25, 2020 at 10:54:24AM -0500, Rich Felker wrote:
> > To support smash stack protection gcc emits __stack_chk_fail
> > calls on all targets. On top of that gcc emits __stack_chk_fail_local
> > calls at least on i386 and powerpc:
(Only on 32-bit -fPIC -msecure-plt, for Power).
> There is a half-serious proposal to put it in crti.o which is always
> linked too, but that seems like an ugly hack to me...
Not *very* ugly, but it would be very effective, and no real downsides
to it (or do you see something?)
> > My understanding of requirements for libc that exposes ssp support:
> > - __stack_chk_fail is implemented as a default symbol
> > - __stack_chk_fail_local is implemented as a local symbol to avoid PLT.
> > (Why is it important? To avoid use of potentially already broken stack?)
>
> Because performance cost of -fstack-protector would go from 1-2% up to
> 5-10% on i386 and other archs where PLT contract requires a GOT
> register, since loading the GOT register is expensive
> (__x86.get_pc_thunk.* thunk itself is somewhat costly, and you throw
> away one of only a small number of available registers, increasing
> register pressure and hurting codegen).
On Power it is just the setting up itself that is costly (in the config
where we have this _local thing).
> Absolutely not. libssp is unsafe and creates new vulns/attack surface
> by doing introspective stuff after the process is already *known to
> be* in a compromised state. It should never be used. musl's
> __stack_chk_fail is safe and terminates immediately.
Some implementations even print strings from the stack, it can be worse ;-)
> Ideally, though, GCC would just emit the termination inline (or at
> least have an option to do so) rather than calling __stack_chk_fail or
> the local version. This would additionally harden against the case
> where the GOT is compromised.
Yeah, but how to terminate is system-specific, it's much easier to punt
this job to the libc to do ;-)
Open a GCC PR for this please?
Segher
next prev parent reply other threads:[~2020-01-30 12:33 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-25 15:50 Sergei Trofimovich
2020-01-26 5:32 ` [musl] " Rich Felker
2020-01-30 16:25 ` Segher Boessenkool [this message]
2020-01-30 17:16 ` Rich Felker
2020-01-31 4:48 ` Segher Boessenkool
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200130123351.GU22482@gate.crashing.org \
--to=segher@kernel.crashing.org \
--cc=dalias@libc.org \
--cc=gcc@gcc.gnu.org \
--cc=libc-alpha@sourceware.org \
--cc=musl@lists.openwall.com \
--cc=slyfox@gentoo.org \
--cc=toolchain@gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).