bug-gnulib@gnu.org mirror (unofficial)
 help / color / mirror / Atom feed
From: Bruno Haible <bruno@clisp.org>
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: bug-gnulib@gnu.org
Subject: Re: stack bounds
Date: Sat, 10 Oct 2020 23:49:04 +0200	[thread overview]
Message-ID: <3472885.IBig9IT1OC@omega> (raw)
In-Reply-To: <653739fd-f93a-724d-3a14-38aee4f4a41c@cs.ucla.edu>

[-- Attachment #1: Type: text/plain, Size: 1692 bytes --]

Paul Eggert wrote:
> > On Linux, the kernel allows the stack to grow by any amount, if it does not
> > become closer than 1 MB to another VMA and does not violate the set limits.
> > See linux/mm/mmap.c:expand_downwards and linux/mm/mmap.c:acct_stack_growth.
> > Therefore on Linux, there is no need for a guard page and no need for
> > 'gcc -fstack-clash-protection'.
> 
> There's still a need, if a function declares a large local variable, as the 
> stack pointer can jump around the 1 MB barrier and trash other storage. If I 
> compile the attached program with 'gcc -m32 -O2 stackish.c' on Fedora 31 x86-64, 
> the program exits with status 255 (instead of crashing with a stack overflow as 
> it should), because the stack has overflowed and has stomped on the heap. So 
> stack overflow checking is not "just working", at least for this particular case.

Oh, I see: your program is not getting near the heap with the stack, it is
getting directly *into* the heap (because it fills the bottom of array 'b'
without having filled the rest of 'b' first).

gcc -fstack-clash-protection -m32 -O2 stackish.c fixes this issue.

So, you want 'gcc -fstack-clash-protection' [1] to become enabled by default?
Some distros are doing this already:
  - Ubuntu 20.04 [2] (also -fstack-clash-protection is part of the default
    gcc flags for users),
  - RHEL 8 [1] (but apparently not by default for user-compiled programs),
and the Firefox people are considering it [3].

Bruno

[1] https://developers.redhat.com/blog/2020/05/22/stack-clash-mitigation-in-gcc-part-3/
[2] https://lists.ubuntu.com/archives/ubuntu-devel/2019-June/040741.html
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1588710

[-- Attachment #2: stackish.s.ubuntu --]
[-- Type: text/plain, Size: 3300 bytes --]

	.file	"stackish.c"
	.text
	.p2align 4
	.globl	growby
	.type	growby, @function
growby:
.LFB27:
	.cfi_startproc
	endbr64
	pushq	%rbp
	.cfi_def_cfa_offset 16
	.cfi_offset 6, -16
	movslq	%edi, %rdi
	addq	$15, %rdi
	movq	%rsp, %rbp
	.cfi_def_cfa_register 6
	subq	$16, %rsp
	movq	%fs:40, %rax
	movq	%rax, -8(%rbp)
	xorl	%eax, %eax
	movq	%rsp, %rdx
	movq	%rdi, %rax
	andq	$-4096, %rdi
	subq	%rdi, %rdx
	andq	$-16, %rax
	cmpq	%rdx, %rsp
	je	.L3
.L14:
	subq	$4096, %rsp
	orq	$0, 4088(%rsp)
	cmpq	%rdx, %rsp
	jne	.L14
.L3:
	andl	$4095, %eax
	subq	%rax, %rsp
	testq	%rax, %rax
	jne	.L15
.L4:
	movl	%esi, %r8d
	movq	%rsp, %rcx
	addl	$256, %r8d
	js	.L5
	movl	%r8d, %edi
	xorl	%eax, %eax
	.p2align 4,,10
	.p2align 3
.L6:
	movq	%rax, %rdx
	movb	%al, (%rcx,%rax)
	addq	$1, %rax
	cmpq	%rdx, %rdi
	jne	.L6
.L5:
	movslq	%esi, %rsi
	movslq	%r8d, %r8
	movsbl	(%rcx,%rsi), %eax
	movsbl	(%rcx,%r8), %edx
	subl	%edx, %eax
	movq	-8(%rbp), %rsi
	xorq	%fs:40, %rsi
	jne	.L16
	leave
	.cfi_remember_state
	.cfi_def_cfa 7, 8
	ret
	.p2align 4,,10
	.p2align 3
.L15:
	.cfi_restore_state
	orq	$0, -8(%rsp,%rax)
	jmp	.L4
.L16:
	call	__stack_chk_fail@PLT
	.cfi_endproc
.LFE27:
	.size	growby, .-growby
	.section	.text.startup,"ax",@progbits
	.p2align 4
	.globl	main
	.type	main, @function
main:
.LFB28:
	.cfi_startproc
	endbr64
	pushq	%rbp
	.cfi_def_cfa_offset 16
	.cfi_offset 6, -16
	movl	$1, %esi
	movq	%rsp, %rbp
	.cfi_def_cfa_register 6
	pushq	%r12
	.cfi_offset 12, -24
	leal	1073741824(%rdi), %r12d
	pushq	%rbx
	.cfi_offset 3, -32
	movl	%edi, %ebx
	movslq	%r12d, %rdi
	subq	$16, %rsp
	movq	%fs:40, %rax
	movq	%rax, -24(%rbp)
	xorl	%eax, %eax
	call	calloc@PLT
	movl	%r12d, %edx
	movq	%rsp, %rdi
	shrl	$31, %edx
	movq	%rax, %rcx
	movq	%rax, -32(%rbp)
	leaq	-32(%rbp), %rax
	addl	%r12d, %edx
	sarl	%edx
	movslq	%edx, %rdx
	addq	%rcx, %rdx
	movq	%rsp, %rcx
	subq	%rdx, %rax
	cltq
	addq	$15, %rax
	movq	%rax, %rdx
	andq	$-4096, %rax
	subq	%rax, %rcx
	andq	$-16, %rdx
	movq	%rcx, %rax
	cmpq	%rax, %rsp
	je	.L19
.L32:
	subq	$4096, %rsp
	orq	$0, 4088(%rsp)
	cmpq	%rax, %rsp
	jne	.L32
.L19:
	andl	$4095, %edx
	subq	%rdx, %rsp
	testq	%rdx, %rdx
	jne	.L33
.L20:
	movl	%ebx, %r8d
	movq	%rsp, %rcx
	addl	$256, %r8d
	js	.L21
	movl	%r8d, %esi
	xorl	%eax, %eax
	.p2align 4,,10
	.p2align 3
.L22:
	movq	%rax, %rdx
	movb	%al, (%rcx,%rax)
	addq	$1, %rax
	cmpq	%rdx, %rsi
	jne	.L22
.L21:
	movslq	%ebx, %rax
	movslq	%r8d, %r8
	movsbl	(%rcx,%rax), %eax
	movsbl	(%rcx,%r8), %edx
	movq	%rdi, %rsp
	subl	%edx, %eax
	testl	%r12d, %r12d
	jle	.L17
	leal	1073741823(%rbx), %r8d
	xorl	%ecx, %ecx
	.p2align 4,,10
	.p2align 3
.L24:
	movq	-32(%rbp), %rsi
	addq	%rcx, %rsi
	movsbl	(%rsi), %edx
	leal	1(%rdx), %edi
	orl	%edx, %eax
	movq	%rcx, %rdx
	addq	$1, %rcx
	movb	%dil, (%rsi)
	cmpq	%rdx, %r8
	jne	.L24
.L17:
	movq	-24(%rbp), %rbx
	xorq	%fs:40, %rbx
	jne	.L34
	leaq	-16(%rbp), %rsp
	popq	%rbx
	popq	%r12
	popq	%rbp
	.cfi_remember_state
	.cfi_def_cfa 7, 8
	ret
.L33:
	.cfi_restore_state
	orq	$0, -8(%rsp,%rdx)
	jmp	.L20
.L34:
	call	__stack_chk_fail@PLT
	.cfi_endproc
.LFE28:
	.size	main, .-main
	.ident	"GCC: (Ubuntu 9.3.0-10ubuntu2) 9.3.0"
	.section	.note.GNU-stack,"",@progbits
	.section	.note.gnu.property,"a"
	.align 8
	.long	 1f - 0f
	.long	 4f - 1f
	.long	 5
0:
	.string	 "GNU"
1:
	.align 8
	.long	 0xc0000002
	.long	 3f - 2f
2:
	.long	 0x3
3:
	.align 8
4:

  reply	other threads:[~2020-10-10 21:49 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <m2a6xnu1sv.fsf@meyering.net>
     [not found] ` <075a970b-f6aa-d2bb-e007-609a711085b2@gmail.com>
     [not found]   ` <CA+8g5KGBjFfHzafN2WFH6az5bQR8f68B1J-ETVWEBXvuDUL5rA@mail.gmail.com>
     [not found]     ` <17a0fe42-3ac6-9209-6f60-cddb5467f263@gmail.com>
     [not found]       ` <994fd316-0420-4b94-a1de-fea7d891c4ac@gmail.com>
2020-09-18 22:16         ` new snapshot available: grep-3.4-almost.26-5419 Paul Eggert
2020-09-18 22:42           ` Bruce Dubbs
2020-09-18 23:24             ` libsigsegv on LinuxFromScratch Bruno Haible
2020-09-18 23:47               ` Bruce Dubbs
2020-09-19  8:06                 ` Bruce Dubbs
2020-09-19 23:47                   ` Bruno Haible
2020-09-20  1:16                     ` Bruce Dubbs
2020-09-20 23:15                     ` Paul Eggert
2020-09-23  0:58                       ` stack bounds Bruno Haible
2020-09-23  1:28                         ` Paul Eggert
2020-10-10 12:08                           ` Bruno Haible
2020-10-10 20:10                             ` Paul Eggert
2020-10-10 21:49                               ` Bruno Haible [this message]
2020-10-11 18:49                                 ` Paul Eggert
2020-10-11 22:08                                   ` Bruno Haible
2020-10-11 22:56                                     ` Paul Eggert

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://lists.gnu.org/mailman/listinfo/bug-gnulib

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3472885.IBig9IT1OC@omega \
    --to=bruno@clisp.org \
    --cc=bug-gnulib@gnu.org \
    --cc=eggert@cs.ucla.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).