From: Adhemerval Zanella
To: Paul Eggert, libc-alpha@sourceware.org
Subject: Re: [PATCH v2 0/3] posix: Execute file function fixes
Date: Fri, 19 Feb 2016 19:14:00 -0000
Message-ID: <56C769A9.6080301@linaro.org>
In-Reply-To: <56C75FE3.2030606@cs.ucla.edu>
References: <1455905134-21014-1-git-send-email-adhemerval.zanella@linaro.org> <56C75FE3.2030606@cs.ucla.edu>

On 19-02-2016 16:33, Paul Eggert wrote:
> On 02/19/2016 10:05 AM, Adhemerval Zanella wrote:
>> * Regarding stack allocation safeness for the exec function family I saw no
>> safe solution.
>
> This is a significant regression from the current behavior. We need a better solution. Otherwise, I fear that it will be too easy for attackers to exploit stack-overflow vulnerabilities by attempting to execute commands with many arguments.
>

I do not agree it is a regression since it fixes two important issues: exec async-signal-safeness and vfork usage. Also the vector of attack might be limited, since calling these functions will already incur a lot of stack usage for argument passing. As I said, the current dynamic memory allocation usage is plainly wrong and leads to the two mentioned issues. We could go with arch-specific implementations that abuse the ABI, but again I think they are hacks and just add more maintainability burden and runtime differences among the platforms. A possible solution is to add a thread-specific scratch buffer, but again this is not async-safe.

>> libc has no obligation to make sure the stack allocation is sufficient to
>> fix runtime constraints.
>
> Is this really true? Then why does libc have __libc_use_alloca? Why not dispense with __libc_use_alloca and have libc impose no limits on stack allocation?

The current '__libc_use_alloca' is a fragile and arbitrary stack control flow, and since it does not track total stack usage against the runtime imposed limit it does not add anything related to security. Currently, as is, I see no compelling reason to continue using it.