From: Bruno Haible <bruno@clisp.org>
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: bug-gnulib@gnu.org
Subject: Re: stack bounds
Date: Sat, 10 Oct 2020 23:49:04 +0200 [thread overview]
Message-ID: <3472885.IBig9IT1OC@omega> (raw)
In-Reply-To: <653739fd-f93a-724d-3a14-38aee4f4a41c@cs.ucla.edu>
[-- Attachment #1: Type: text/plain, Size: 1692 bytes --]
Paul Eggert wrote:
> > On Linux, the kernel allows the stack to grow by any amount, if it does not
> > become closer than 1 MB to another VMA and does not violate the set limits.
> > See linux/mm/mmap.c:expand_downwards and linux/mm/mmap.c:acct_stack_growth.
> > Therefore on Linux, there is no need for a guard page and no need for
> > 'gcc -fstack-clash-protection'.
>
> There's still a need, if a function declares a large local variable, as the
> stack pointer can jump around the 1 MB barrier and trash other storage. If I
> compile the attached program with 'gcc -m32 -O2 stackish.c' on Fedora 31 x86-64,
> the program exits with status 255 (instead of crashing with a stack overflow as
> it should), because the stack has overflowed and has stomped on the heap. So
> stack overflow checking is not "just working", at least for this particular case.
Oh, I see: your program is not getting near the heap with the stack, it is
getting directly *into* the heap (because it fills the bottom of array 'b'
without having filled the rest of 'b' first).
gcc -fstack-clash-protection -m32 -O2 stackish.c fixes this issue: with that flag the compiler touches (probes) every page of a large frame as it allocates it, so the stack pointer hits the guard gap below the stack and the process is killed before any store can land in the heap.
So, you want 'gcc -fstack-clash-protection' [1] to become enabled by default?
Some distros are doing this already:
- Ubuntu 20.04 [2] (there the distro's gcc also enables -fstack-clash-protection by default, so user-compiled programs get it too),
- RHEL 8 [1] (but apparently not by default for user-compiled programs),
and the Firefox people are considering it [3].
Bruno
[1] https://developers.redhat.com/blog/2020/05/22/stack-clash-mitigation-in-gcc-part-3/
[2] https://lists.ubuntu.com/archives/ubuntu-devel/2019-June/040741.html
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1588710
[-- Attachment #2: stackish.s.ubuntu --]
[-- Type: text/plain, Size: 3300 bytes --]
# gcc 9.3.0 (Ubuntu) output for stackish.c: x86-64, GAS/AT&T syntax
# (op src, dst; %-prefixed registers; $-immediates), System V AMD64 ABI
# (integer args arrive in %edi, %esi, ...).  Hardening visible in this
# listing: page-by-page %rsp probes (stack-clash protection), a
# stack-protector canary read from %fs:40 and checked against
# __stack_chk_fail, and CET markers (endbr64 landing pads plus the
# .note.gnu.property at the end).  Judging by the ".ubuntu" attachment
# name this appears to be a build with the distro's default flags.
# NOTE(review): this is the 64-bit build; the -m32 run described in the
# mail (exit status 255) is a different binary and is not what is shown.
.file "stackish.c"
.text
# growby -- presumed C signature: int growby(int size, int n).  The C
# source is not attached, so the parameter names are guesses from usage:
# arg1 (%edi) is the byte count of a variable-length stack array b,
# arg2 (%esi) is an index.  Returns (int)b[n] - (int)b[n + 256] (see .L5).
# ABI: System V AMD64; frame pointer kept in %rbp; leaf function apart
# from the noreturn __stack_chk_fail path.
# Hardening present: CET/IBT landing pad (endbr64), stack-protector
# canary stored at -8(%rbp) and verified before 'leave', and the
# page-by-page probe loop at .L14/.L15 (what -fstack-clash-protection
# emits) so that a huge VLA cannot step over the guard gap below the stack.
# NOTE(review): the fill loop at .L6 writes b[0..n+256] regardless of
# 'size'.  Per the thread this overflow is the point of the test program,
# not a defect to fix here.  Note also that the canary only catches
# overruns growing *up* past b toward the saved %rbp; the downward clash
# the thread is about is caught by the probes, not by the canary.
.p2align 4
.globl growby
.type growby, @function
growby:
.LFB27:
.cfi_startproc
endbr64 # IBT landing pad: valid target for an indirect call
pushq %rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
movslq %edi, %rdi # size (int) sign-extended to 64 bits
addq $15, %rdi # +15 here, masked with -16 below: round size up to 16
movq %rsp, %rbp
.cfi_def_cfa_register 6
subq $16, %rsp # one local slot; the canary lives at -8(%rbp)
movq %fs:40, %rax # load the stack-protector canary from TLS
movq %rax, -8(%rbp) # park it between the VLA and the saved %rbp
xorl %eax, %eax # clear %rax (presumably so the canary does not linger in a register)
movq %rsp, %rdx
movq %rdi, %rax
andq $-4096, %rdi # whole pages contained in the request
subq %rdi, %rdx # %rdx = where %rsp must end up after the whole pages
andq $-16, %rax # %rax = size rounded up to 16 (keeps %rsp ABI-aligned)
cmpq %rdx, %rsp
je .L3 # no full page to allocate: skip the probe loop
# Stack-clash probe loop: lower %rsp by one page at a time and touch the
# top 8 bytes of the page just reserved.  'orq $0' is a read-modify-write
# that changes no data; its only purpose is the memory access, so the
# guard gap below the stack faults here instead of being jumped over.
.L14:
subq $4096, %rsp
orq $0, 4088(%rsp) # address = previous %rsp - 8
cmpq %rdx, %rsp
jne .L14
.L3:
andl $4095, %eax # sub-page remainder of the 16-aligned size
subq %rax, %rsp
testq %rax, %rax
jne .L15 # non-zero remainder: probe it too (cold path below)
.L4:
movl %esi, %r8d
movq %rsp, %rcx # %rcx = b, base of the VLA
addl $256, %r8d # %r8d = n + 256 (32-bit int arithmetic)
js .L5 # n + 256 < 0: nothing to fill
movl %r8d, %edi
xorl %eax, %eax # i = 0
.p2align 4,,10 # align the loop head to 16 if it costs <= 10 bytes...
.p2align 3 # ...otherwise at least to 8
# for (i = 0; ; i++) { b[i] = (char)i; if (i == n + 256) break; }
# i.e. n + 257 byte stores from the base of b, not bounded by 'size'.
.L6:
movq %rax, %rdx
movb %al, (%rcx,%rax)
addq $1, %rax
cmpq %rdx, %rdi
jne .L6
.L5:
movslq %esi, %rsi
movslq %r8d, %r8
movsbl (%rcx,%rsi), %eax # (int)(signed char)b[n]
movsbl (%rcx,%r8), %edx # (int)(signed char)b[n + 256]
subl %edx, %eax # return value
movq -8(%rbp), %rsi
xorq %fs:40, %rsi # canary check: saved copy must still equal %fs:40
jne .L16 # corrupted -> __stack_chk_fail, never returns
leave
.cfi_remember_state
.cfi_def_cfa 7, 8
ret
.p2align 4,,10
.p2align 3
# Cold path: probe the sub-page remainder.  After 'subq %rax, %rsp',
# -8(%rsp,%rax) is the pre-subtraction %rsp minus 8, i.e. the top 8
# bytes of the remainder region.
.L15:
.cfi_restore_state
orq $0, -8(%rsp,%rax)
jmp .L4
.L16:
call __stack_chk_fail@PLT # stack smashing detected: abort
.cfi_endproc
.LFE27:
.size growby, .-growby
# int main(int argc, char **argv) -- test driver for the stack-clash case
# discussed in the thread.  C source not attached; what the asm does:
#   n    = argc + 0x40000000 (2^30, 1 GiB); kept in callee-saved %r12d
#   p    = calloc(n, 1); kept at -32(%rbp)
#   size = (int)((char *)&p - (p + n / 2))   -- distance from this frame
#                                               down to the middle of the heap block
#   allocate a size-byte VLA and run the growby body on it (no 'call
#   growby' appears; .L20-.L21 mirror growby, so it looks inlined)
#   for (i = 0; i < n; i++) { ret |= p[i]; p[i]++; }   -- did stack stores
#                                                         land in the heap?
#   return ret
# So the VLA is deliberately sized to put %rsp inside the calloc'ed block.
# Without probes that is silent heap corruption (cf. the 255 exit status
# the thread reports for the -m32 build); with the .L32/.L33 probes
# emitted here every page in between is touched and the guard gap faults.
# NOTE(review): calloc's result is never tested for NULL before use
# (it feeds the size computation and is dereferenced at .L24).  Acceptable
# for a throwaway test, not for real code.
# NOTE(review): the pointer difference is narrowed to int ('cltq' after
# the 64-bit 'subq'); on x86-64 a stack-to-heap distance need not fit in
# 32 bits -- presumably intended for the test, but worth confirming.
.section .text.startup,"ax",@progbits
.p2align 4
.globl main
.type main, @function
main:
.LFB28:
.cfi_startproc
endbr64 # IBT landing pad
pushq %rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
movl $1, %esi # calloc arg 2: element size 1
movq %rsp, %rbp
.cfi_def_cfa_register 6
pushq %r12 # callee-saved, saved at -8(%rbp)
.cfi_offset 12, -24
leal 1073741824(%rdi), %r12d # n = argc + 0x40000000
pushq %rbx # callee-saved, saved at -16(%rbp)
.cfi_offset 3, -32
movl %edi, %ebx # argc survives the call in %ebx
movslq %r12d, %rdi # calloc arg 1: n
subq $16, %rsp # locals: canary at -24(%rbp), p at -32(%rbp)
movq %fs:40, %rax # load stack-protector canary
movq %rax, -24(%rbp)
xorl %eax, %eax # clear %rax (canary gone from registers; also %al = 0 for the call)
call calloc@PLT # p = calloc(n, 1) -- result not NULL-checked (see header)
movl %r12d, %edx
movq %rsp, %rdi # remember %rsp; restored by 'movq %rdi, %rsp' after the VLA
shrl $31, %edx # sign bit of n ...
movq %rax, %rcx
movq %rax, -32(%rbp) # p
leaq -32(%rbp), %rax # &p
addl %r12d, %edx # ... added before the arithmetic shift:
sarl %edx # %edx = n / 2 with C signed-division rounding
movslq %edx, %rdx
addq %rcx, %rdx # p + n / 2
movq %rsp, %rcx
subq %rdx, %rax # &p - (p + n / 2)
cltq # narrowed to int, then sign-extended (see header note)
addq $15, %rax # round up to 16 below, as in growby
movq %rax, %rdx
andq $-4096, %rax # whole pages of the request
subq %rax, %rcx # %rcx = target %rsp after the whole pages
andq $-16, %rdx # 16-aligned size
movq %rcx, %rax
cmpq %rax, %rsp
je .L19 # no full page: skip the probe loop
# Stack-clash probe loop (same shape as growby's .L14): one page at a
# time, touching the top 8 bytes of each newly reserved page.
.L32:
subq $4096, %rsp
orq $0, 4088(%rsp) # address = previous %rsp - 8
cmpq %rax, %rsp
jne .L32
.L19:
andl $4095, %edx # sub-page remainder
subq %rdx, %rsp
testq %rdx, %rdx
jne .L33 # non-zero remainder: probe it (cold path)
# Inlined growby body: b = VLA base (%rcx), fill b[0..argc+256].
# By construction of 'size' the base of b lies inside the calloc'ed block.
.L20:
movl %ebx, %r8d
movq %rsp, %rcx # b
addl $256, %r8d # argc + 256
js .L21
movl %r8d, %esi
xorl %eax, %eax # i = 0
.p2align 4,,10
.p2align 3
.L22:
movq %rax, %rdx
movb %al, (%rcx,%rax) # b[i] = (char)i
addq $1, %rax
cmpq %rdx, %rsi
jne .L22
.L21:
movslq %ebx, %rax
movslq %r8d, %r8
movsbl (%rcx,%rax), %eax # b[argc]
movsbl (%rcx,%r8), %edx # b[argc + 256]
movq %rdi, %rsp # release the VLA
subl %edx, %eax # ret = b[argc] - b[argc + 256]
testl %r12d, %r12d
jle .L17 # n <= 0: skip the heap scan
leal 1073741823(%rbx), %r8d # last index, n - 1
xorl %ecx, %ecx # i = 0
.p2align 4,,10
.p2align 3
.L24:
movq -32(%rbp), %rsi
addq %rcx, %rsi # &p[i]
movsbl (%rsi), %edx # p[i]
leal 1(%rdx), %edi
orl %edx, %eax # ret |= p[i]
movq %rcx, %rdx
addq $1, %rcx
movb %dil, (%rsi) # p[i]++
cmpq %rdx, %r8
jne .L24
.L17:
movq -24(%rbp), %rbx
xorq %fs:40, %rbx # canary check (%rbx is dead here; popq restores it)
jne .L34
leaq -16(%rbp), %rsp # back to just below the two pushes
popq %rbx
popq %r12
popq %rbp
.cfi_remember_state
.cfi_def_cfa 7, 8
ret
# Cold path: probe the sub-page remainder at pre-subtraction %rsp - 8.
.L33:
.cfi_restore_state
orq $0, -8(%rsp,%rdx)
jmp .L20
.L34:
call __stack_chk_fail@PLT # stack smashing detected: abort
.cfi_endproc
.LFE28:
.size main, .-main
.ident "GCC: (Ubuntu 9.3.0-10ubuntu2) 9.3.0"
# GNU-stack note with empty flags: asks the linker for a non-executable
# stack (GNU convention -- it is the *absence* of this note that lets
# some toolchains fall back to an executable stack).
.section .note.GNU-stack,"",@progbits
# ELF note .note.gnu.property: namesz / descsz / type = 5, name "GNU".
# The single property looks like GNU_PROPERTY_X86_FEATURE_1_AND
# (0xc0000002) with value 0x3, i.e. the IBT and SHSTK (CET) bits -- this
# matches the endbr64 at each function entry above.  NOTE(review): the
# constant meanings are from the x86-64 psABI, not from this file; verify
# there before relying on them.
.section .note.gnu.property,"a"
.align 8
.long 1f - 0f # n_namesz
.long 4f - 1f # n_descsz
.long 5 # n_type (NT_GNU_PROPERTY_TYPE_0)
0:
.string "GNU"
1:
.align 8
.long 0xc0000002 # pr_type
.long 3f - 2f # pr_datasz
2:
.long 0x3 # pr_data: feature bits
3:
.align 8
4: