From: Szabolcs Nagy <szabolcs.nagy@arm.com>
To: Florian Weimer <fweimer@redhat.com>, Jeff Law <law@redhat.com>,
James Greenhalgh <james.greenhalgh@arm.com>
Cc: nd@arm.com, Rich Felker <dalias@libc.org>,
GNU C Library <libc-alpha@sourceware.org>,
Richard Earnshaw <Richard.Earnshaw@arm.com>,
Wilco Dijkstra <Wilco.Dijkstra@arm.com>
Subject: Re: [RFC] nptl: change default stack guard size of threads
Date: Wed, 13 Dec 2017 11:58:00 -0000 [thread overview]
Message-ID: <5A3115C0.7080609@arm.com> (raw)
In-Reply-To: <50564a65-45dc-062f-46ba-e25d3b76b721@redhat.com>
On 12/12/17 19:30, Florian Weimer wrote:
> I'm a bit surprised that the 1K/3K split wouldn't achieve that (i.e., pushing the cost of probing into he
> noise). Is this because GCC wasn't built for this and has no way to recognize implicit probes which occur
we don't know the exact overhead, the current
patch does not emit optimal probing sequences,
but >3K stack use is common.
> The patch which started this libc-alpha thread applied the 64 KiB gap size to 32-bit architectures as well.
> This is the primary reason why I'm objecting strongly to it.
that glibc patch added an arch specific knob.
otoh i don't think we have different code on
the gcc side for ilp32 so it will use the
same probing interval in gcc-8.
> If aarch64 wants to do their own thing in 64-bit mode, I'm won't complain that much.
i can prepare a patch, but it will need to
change generic code in glibc.
(because a lot of stack accounting code
is broken or hard codes 1page guard)
> The existing ecosystem offers only one page size. The larger main stack guard region size provided by the
> kernel was a stop-gap measure, initially with the intent to patch nothing else, but it did not work out that
> way. I don't think 64 KiB would make a significant dent in terms of practical exploitability (all published
> exploits used larger frames or alloca-based frames anyway).
>
> If GCC assumes more than one guard page, a lot of things need to change, and it is difficult to communicate
> under what conditions a binary has been properly hardened. If this is the cost for enabling
> -fstack-clash-protection by default on aarch64, then so be it, but we should not make these changes on
> architectures where they do not bring any tangible benefit or actually hurt (due to address space consumption).
glibc can force >=64k guard, no matter what the
user setting is, but as i wrote in another mail
i don't think that's a good idea.
next prev parent reply other threads:[~2017-12-13 11:58 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-29 14:59 Szabolcs Nagy
2017-11-29 15:18 ` Florian Weimer
2017-11-29 18:17 ` Carlos O'Donell
2017-11-29 18:29 ` Rich Felker
2017-11-29 20:33 ` Florian Weimer
2017-11-29 18:40 ` Szabolcs Nagy
2017-11-29 20:44 ` Florian Weimer
2017-11-29 20:52 ` Rich Felker
2017-11-29 21:02 ` Florian Weimer
2017-11-29 23:13 ` Szabolcs Nagy
2017-12-05 10:55 ` James Greenhalgh
2017-12-06 12:51 ` Florian Weimer
2017-12-11 23:49 ` Jeff Law
2017-12-12 11:43 ` Szabolcs Nagy
2017-12-12 16:36 ` Rich Felker
2017-12-12 18:07 ` Szabolcs Nagy
2017-12-12 19:30 ` Florian Weimer
2017-12-13 11:58 ` Szabolcs Nagy [this message]
2017-12-19 12:35 ` James Greenhalgh
2017-12-19 13:06 ` Florian Weimer
2017-12-19 18:21 ` Szabolcs Nagy
2017-12-19 20:34 ` Rich Felker
2017-12-20 4:42 ` Jeff Law
2017-12-20 4:49 ` Rich Felker
2017-12-27 13:08 ` Wilco Dijkstra
2017-12-20 4:45 ` Jeff Law
2017-11-29 22:28 ` Wilco Dijkstra
2017-11-29 22:38 ` Carlos O'Donell
2017-12-06 12:53 ` Florian Weimer
2017-12-06 13:10 ` Wilco Dijkstra
2017-12-06 13:13 ` Florian Weimer
2017-11-29 23:02 ` Rich Felker
2017-12-06 13:16 ` Florian Weimer
2017-12-06 13:40 ` Joseph Myers
2017-12-06 13:51 ` Florian Weimer
2017-12-06 14:44 ` Jeff Law
2017-12-06 14:27 ` Wilco Dijkstra
2017-12-06 20:41 ` Szabolcs Nagy
2017-12-06 21:24 ` Adhemerval Zanella
2017-12-06 22:08 ` Rich Felker
2017-12-08 18:28 ` Szabolcs Nagy
2017-11-29 22:45 ` Szabolcs Nagy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5A3115C0.7080609@arm.com \
--to=szabolcs.nagy@arm.com \
--cc=Richard.Earnshaw@arm.com \
--cc=Wilco.Dijkstra@arm.com \
--cc=dalias@libc.org \
--cc=fweimer@redhat.com \
--cc=james.greenhalgh@arm.com \
--cc=law@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=nd@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).