From: Michael Ekstrand <michael@elehack.net>
To: caml-list@inria.fr
Subject: Native code stack overflow detection guarantees
Date: Thu, 08 Jul 2010 20:59:30 -0400 [thread overview]
Message-ID: <i15s9k$e35$1@dough.gmane.org> (raw)
Some time ago, I saw someone mention non-tail-recursive functions in
native code as a security problem. Unfortunately, I cannot find where I
read that again, but the basic idea was that, if you have a recursive
function that uses stack linear in user-provided input, then the user
can trigger a stack overflow which, in native code, can allow your stack
pointer to go waltzing through memory and wreak general havoc since
stack overflows are not trapped.
I was attempting to do some further research on this subject today and
found section 11.5 in the OCaml manual (ocamlopt compatibility with the
bytecode compiler), where it described the stack overflow behavior:
* By raising a Stack_overflow exception, like the bytecode compiler
does. (IA32/Linux, AMD64/Linux, PowerPC/MacOSX, MS Windows 32-bit ports).
* By aborting the program on a “segmentation fault” signal. (All other
Unix systems.)
* By terminating the program silently. (MS Windows 64 bits).
I have also turned up mailing list posts indicating that the stack
overflow exception is generated by a sigsegv signal handler on Linux.
My goal is to determine whether the ability for user input to cause a
stack overflow is merely a denial-of-service vulnerability (they shut
down the process, but can't do anything else), or whether it represents
an attack vector whereby they could modify memory, execute arbitrary
code, or perform other such shenanigans.
Therefore, I am wondering: are there documented guarantees on which the
native code stack overflow behavior rests? Linux processes usually
receive a segmentation fault when they run out of stack space; is that
guaranteed, or is it simply the usual convenient behavior? What about
for other systems?
If the program will always die, either via Stack_overflow or a
segmentation fault, as soon as the stack overflow occurs before there is
opportunity for more thorough memory corruption, then I think I can take
user-triggerable stack overflows to be inconvenient and undesirable but
not a viable attack vector other than for DoS attacks.
Thank you for any answers or insight you might be able to provide.
- Michael
next reply other threads:[~2010-07-09 0:59 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-09 0:59 Michael Ekstrand [this message]
2010-07-09 8:39 ` [Caml-list] " Mark Shinwell
2010-07-09 8:46 ` [Caml-list] Native code stack overflow detection guarantees - followup Mark Shinwell
2010-07-11 11:03 ` [Caml-list] Native code stack overflow detection guarantees Goswin von Brederlow
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='i15s9k$e35$1@dough.gmane.org' \
--to=michael@elehack.net \
--cc=caml-list@inria.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).