public inbox for gcc@gcc.gnu.org
* Probe emission in fstack-clash-protection
@ 2023-05-03  4:36 Varun Kumar E
From: Varun Kumar E @ 2023-05-03  4:36 UTC (permalink / raw)
  To: gcc


Hello,

https://godbolt.org/z/P3M8s8jqh
The above case shows that gcc first decreases the stack pointer and then
probes.

As mentioned by Jeff Law (reference
<https://developers.redhat.com/blog/2019/04/30/stack-clash-mitigation-in-gcc-why-fstack-check-is-not-the-answer#>)
under "More issues with -fstack-check", if an asynchronous signal is
received between the decrement of the stack pointer and the probing of the
pages: "In that case, the stack pointer could be pointing beyond the guard
into the heap. The signal arrives and the kernel transfers control to the
registered signal handler. That signal handler is then running while its
stack is pointing into the heap. Thus, the attacker has clashed the stack
and heap, and there's a reasonable chance they can gain control over the
program."

So, shouldn't we first probe and, if successful, only then update the stack
pointer? Or maybe I have understood it incorrectly.

regards,
Varun


* Re: Probe emission in fstack-clash-protection
From: Jeff Law @ 2023-05-03  5:46 UTC (permalink / raw)
  To: gcc



On 5/2/23 22:36, Varun Kumar E via Gcc wrote:
> Hello,
> 
> https://godbolt.org/z/P3M8s8jqh
> The above case shows that gcc first decreases the stack pointer and then
> probes.
> 
> As mentioned by Jeff Law (reference
> <https://developers.redhat.com/blog/2019/04/30/stack-clash-mitigation-in-gcc-why-fstack-check-is-not-the-answer#>)
> under "More issues with -fstack-check", if an asynchronous signal is
> received between the decrement of the stack pointer and the probing of the
> pages: "In that case, the stack pointer could be pointing beyond the guard
> into the heap. The signal arrives and the kernel transfers control to the
> registered signal handler. That signal handler is then running while its
> stack is pointing into the heap. Thus, the attacker has clashed the stack
> and heap, and there's a reasonable chance they can gain control over the
> program."
> 
> So, shouldn't we first probe and, if successful, only then update the stack
> pointer? Or maybe I have understood it incorrectly.

That may ultimately be better for -fstack-check to make it more robust, 
but it still wouldn't be a viable alternative for stack clash protection 
for the reasons laid out in that blog post.

jeff


* Re: Probe emission in fstack-clash-protection
From: Eric Botcazou @ 2023-05-03  8:22 UTC (permalink / raw)
  To: Jeff Law; +Cc: gcc

> That may ultimately be better for -fstack-check to make it more robust,
> but it still wouldn't be a viable alternative for stack clash protection
> for the reasons laid out in that blog post.

Well, -fstack-check does that when it's possible, e.g. on Windows, but it's 
not on x86[_64]/Linux where you *cannot* probe below the stack pointer.

-- 
Eric Botcazou


* Re: Probe emission in fstack-clash-protection
From: Florian Weimer @ 2023-05-03 11:56 UTC (permalink / raw)
  To: Varun Kumar E via Gcc; +Cc: Varun Kumar E

* Varun Kumar E. via Gcc:

> Hello,
>
> https://godbolt.org/z/P3M8s8jqh
> The above case shows that gcc first decreases the stack pointer and then
> probes.
>
> As mentioned by Jeff Law (reference
> <https://developers.redhat.com/blog/2019/04/30/stack-clash-mitigation-in-gcc-why-fstack-check-is-not-the-answer#>)
> under "More issues with -fstack-check", if an asynchronous signal is
> received between the decrement of the stack pointer and the probing of the
> pages: "In that case, the stack pointer could be pointing beyond the guard
> into the heap. The signal arrives and the kernel transfers control to the
> registered signal handler. That signal handler is then running while its
> stack is pointing into the heap. Thus, the attacker has clashed the stack
> and heap, and there's a reasonable chance they can gain control over the
> program."
>
> So, shouldn't we first probe and, if successful, only then update the stack
> pointer? Or maybe I have understood it incorrectly.

Let me rephrase a bit.  The caller has asserted that (%rsp) is valid
upon entry to the function because that's where the return address is
stored.  That means that (%rsp - 4096) is still in the guard page, so
the subsequent probe works.  But the kernel fault handler will not write
to that location because it has to protect the return address and the
red zone, so the first location used is (%rsp - 4096 - 8 - 128) or
thereabouts.

Jeff, this looks like a real bug to me.  It doesn't affect the main
thread on GNU/Linux because the kernel uses more than one page for the
guard area.  However, glibc uses exactly one page.  We could change that
to two pages on x86-64 at least without ill effects, I believe.  Or fix
GCC's probing to account for the red zone.

Thanks,
Florian
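An added illustration of the argument in the message above (model code, not from GCC, glibc or any participant in this thread): it emulates the "decrement one page, then probe" loop, the guard region and the location of the kernel's first signal-frame write, using the figures quoted above (4096-byte probe interval, 8-byte return address, 128-byte red zone) and comparing a one-page guard with a two-page guard. The address layout, the loop shape and the constructed guard base are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE     4096u  /* probe interval discussed in the thread */
#define RET_ADDR 8u     /* return-address slot the kernel must preserve */
#define RED_ZONE 128u   /* x86-64 red zone below %rsp */

/* 1 if a lies in the guard [guard_lo, guard_lo + guard_bytes), where any write faults. */
static int in_guard(uintptr_t guard_lo, size_t guard_bytes, uintptr_t a)
{
    return a >= guard_lo && a < guard_lo + guard_bytes;
}

/* Model of the probing loop: subtract one page from %rsp, then probe at %rsp.
 * In each window between decrement and probe, compute where the kernel would
 * start writing a signal frame ("%rsp - 8 - 128 or thereabouts"; a real frame
 * is larger, which only widens the gap).  Returns how many windows let that
 * write land BELOW the guard, i.e. into the next mapping with no fault.
 * sp_entry is the valid %rsp at function entry; the stack is assumed to sit directly above the guard. */
static int escaping_signal_writes(uintptr_t guard_lo, size_t guard_bytes,
                                  uintptr_t sp_entry, size_t frame_bytes)
{
    uintptr_t sp = sp_entry;
    int escapes = 0;

    while (frame_bytes > 0) {
        size_t step = frame_bytes < PAGE ? frame_bytes : PAGE;
        sp -= step;                                  /* subq $step, %rsp */
        uintptr_t sigframe = sp - RET_ADDR - RED_ZONE;
        if (sigframe < guard_lo)
            escapes++;                               /* silent stack/heap clash */
        else if (in_guard(guard_lo, guard_bytes, sigframe))
            break;                                   /* kernel faults: no clash */
        if (in_guard(guard_lo, guard_bytes, sp))
            break;                                   /* orq $0, (%rsp) faults: probe worked */
        frame_bytes -= step;
    }
    return escapes;
}

int main(void)
{
    uintptr_t g = 0x10000;  /* constructed guard base; stack sits just above it */
    printf("1-page guard: %d escaping window(s)\n", escaping_signal_writes(g, PAGE, g + PAGE, 2 * PAGE));
    printf("2-page guard: %d escaping window(s)\n", escaping_signal_writes(g, 2 * PAGE, g + 2 * PAGE, 2 * PAGE));
    return 0;
}
```

With a one-page guard the first decrement puts the signal frame below the guard before the probe runs, while a two-page guard keeps it inside the guard so the kernel's write faults.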

