This is the mail archive of the newlib@sourceware.org mailing list for the newlib project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH v1 00/10] Add Stack Smashing Protection and Object Size Checking

From: Yaakov Selkowitz <yselkowitz at cygwin dot com>
To: Wilco Dijkstra <Wilco dot Dijkstra at arm dot com>, "newlib at sourceware dot org" <newlib at sourceware dot org>
Cc: nd <nd at arm dot com>
Date: Mon, 6 Nov 2017 19:20:18 -0600
Subject: Re: [PATCH v1 00/10] Add Stack Smashing Protection and Object Size Checking
Authentication-results: sourceware.org; auth=none
Authentication-results: ext-mx01.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=cygwin.com
Authentication-results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=none smtp.mailfrom=yselkowitz at cygwin dot com
Dkim-filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 3F2DE81DE5
Dmarc-filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 3F2DE81DE5
References: <HE1PR0801MB2058504A2FAAB541CEABDFAD83500@HE1PR0801MB2058.eurprd08.prod.outlook.com>

On 2017-11-06 13:21, Wilco Dijkstra wrote:
>> In the process of overhauling our feature test macros, I discovered that
>> GCC's libssp implementation of Object Size Checking (-D_FORTIFY_SOURCE=*) is
>> completely broken and possibly unfixable (CVE-2016-4973).  Therefore, it
>> seems the only way to make this work is to integrate it to Newlib itself like
>> other libc's.
> 
> Wouldn't be better to implement a working -ffortify-string-functions feature
> in GCC/LLVM so that the compiler can insert the correct checks?

I have neither the time nor the interest in creating new
compiler/language extensions; I am simply trying to get the ones that
already exist working properly on our targets.

> Hacking all C libraries in the world still won't make the checks work -
> as long as they rely on the broken __builtin_object_size implementation,
> many cases won't be checked even when they should be

PTC?

> The _chk variants also seem unnecessary, I don't understand their purpose.

The __builtin__*_chk builtins (which are limited to the string.h and
basic stdio.h functions) expect corresponding __*_chk functions to be
present.  Also, some __*_chk functions are more extensive than others.

> All you want is to tell GCC to insert runtime checks when it detects the destination
> is an array. You obviously want those checks to be inlined and optimized for
> performance reasons.

Most of the dozens of other functions which have size-checking
implementations in glibc could be handled inline, as those for unistd.h
imported from NetBSD are.  I am already working on some of these
additions, but would like to get the basics into master first.

-- 
Yaakov

Attachment: signature.asc
Description: OpenPGP digital signature

References:
- Re: [PATCH v1 00/10] Add Stack Smashing Protection and Object Size Checking
  - From: Wilco Dijkstra

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]