From: "LeMay, Michael" <michael.lemay@intel.com>
To: Rich Felker <dalias@libc.org>
Cc: "musl@lists.openwall.com" <musl@lists.openwall.com>
Subject: Re: [RFC] Support for segmentation-hardened SafeStack
Date: Tue, 27 Sep 2016 14:35:33 -0700
Message-ID: <4b5d9700-1550-3276-65c4-bd3072db24f6@intel.com>
In-Reply-To: <20160927144303.GG19318@brightrain.aerifal.cx>

On 9/27/2016 07:43, Rich Felker wrote:
> On Mon, Sep 26, 2016 at 11:05:06PM -0700, LeMay, Michael wrote:
...
>> Arguments, whether variadic or not, are still passed on the main
>> (safe) stack like usual, and they can be used in-place.
> Here I think we're just differing on what "used in-place" means. For
> me that would include the ability to take their addresses. I assume
> you're just talking about using the values.

I see your point now. Yes, when SafeStack determines that a local
variable or argument may be accessed unsafely, it moves or copies
(respectively) that allocation to the unsafe stack. Incidentally, I
thought that just taking the address of a local variable or argument
(e.g. for pointer comparisons within a single function) would not
necessarily result in it being moved to the unsafe stack, but re-reading
the SafeStack pass and running some tests showed me that the pass
currently does move such allocations to the unsafe stack.
...
>
> This is another place where I think we're just using terms
> differently. From my perspective (the formal C language) variadic
> argument handling does not involve taking or dereferencing addresses
> on the stack; those are just va_list/va_arg implementation details. At
> the level of the formal language I think there are no exceptions; in
> all cases where the address on "the stack" leaks outside the scope of
> what the compiler can see/control, "the stack" it's on has to be the
> unsafe stack.

Yes, we're in agreement. For completeness, I'll note that there are
other ways for safe stack pointers to leak:
http://clang.llvm.org/docs/SafeStack.html#known-security-limitations

Thanks,
Michael
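
The behaviour discussed in this message (a local whose address escapes is placed on the unsafe stack), as an added example that is not part of the original message and is not musl or LLVM code. It compares the address of an escaped local with the current frame address, which stays on the safe stack. The names `escaped_ptr`, `escaped_local_is_off_frame` and `FRAME_WINDOW`, and the 64 KiB threshold, are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Detect a SafeStack build (clang -fsanitize=safe-stack). */
#if defined(__has_feature)
#  if __has_feature(safe_stack)
#    define SAFESTACK_ENABLED 1
#  endif
#endif
#ifndef SAFESTACK_ENABLED
#  define SAFESTACK_ENABLED 0
#endif

/* Assumed threshold: a local in the same frame sits well within 64 KiB
 * of the frame address; a separately mapped unsafe stack does not. */
#define FRAME_WINDOW ((uintptr_t)64 * 1024)

/* Hypothetical sink: storing an address here makes it escape, so the
 * compiler cannot prove that every access to the buffer is safe. */
static void *volatile escaped_ptr;

/* Returns 1 when the escaped local is far from the current frame
 * (it was moved to the unsafe stack), 0 when it lives in the frame. */
__attribute__((noinline))
int escaped_local_is_off_frame(void)
{
    char buf[32];
    buf[0] = 0;
    escaped_ptr = buf;                      /* address leaves the function */

    uintptr_t frame = (uintptr_t)__builtin_frame_address(0);
    uintptr_t local = (uintptr_t)escaped_ptr;
    uintptr_t dist  = frame > local ? frame - local : local - frame;
    return dist > FRAME_WINDOW;
}

int main(void)
{
    /* Build twice to compare:
     *   cc demo.c                          -> off-frame: 0
     *   clang -fsanitize=safe-stack demo.c -> off-frame: 1 */
    printf("safe-stack build: %d, escaped local off-frame: %d\n",
           SAFESTACK_ENABLED, escaped_local_is_off_frame());
    return 0;
}
```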