This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [RFC] nptl: change default stack guard size of threads

From: Florian Weimer <fweimer at redhat dot com>
To: Wilco Dijkstra <Wilco dot Dijkstra at arm dot com>, Szabolcs Nagy <Szabolcs dot Nagy at arm dot com>, GNU C Library <libc-alpha at sourceware dot org>
Cc: nd <nd at arm dot com>, Jeff Law <law at redhat dot com>, Richard Earnshaw <Richard dot Earnshaw at arm dot com>, Rich Felker <dalias at libc dot org>, James Greenhalgh <James dot Greenhalgh at arm dot com>
Date: Wed, 6 Dec 2017 14:16:08 +0100
Subject: Re: [RFC] nptl: change default stack guard size of threads
Authentication-results: sourceware.org; auth=none
References: <5A1ECB40.9080801@arm.com> <76c38ecf-6497-c96c-5c8c-95cceed100a5@redhat.com> <5A1EFF28.9050406@arm.com> <5c796246-1907-8cf4-00fc-eee11614b092@redhat.com> <HE1PR0801MB205834BDB77C2208C953FD2E833B0@HE1PR0801MB2058.eurprd08.prod.outlook.com>

On 11/29/2017 11:28 PM, Wilco Dijkstra wrote:

It's not related to what GLIBC needs, but GLIBC, like Linux, must continue to
run old binaries so a larger guard size is definitely beneficial. No existing code
uses probing, so increasing the guard size means far fewer functions could
jump the guard.  The dropoff is exponential, each doubling of guard page size
halves the number of functions with a stack larger than the guard size.

That's not actually true in the sense that the math doesn't work outthat way. If you have a weird function which skips by a really largeamount, you can double the guard size many, many times until the numberof unprotected functions drops further.

And there is definitely a long tail here, due to GNU's affinity tovariable-length arrays and alloca.

That's why Linux went for a 1MB guard size.

The original intent was to ship only a kernel patch and not change ld.soat all. Qualys did some math to support their recommendation, but itturns out the 1 MiB guard size is insufficient to protect ld.so on somearchitectures. That's why we had to patch ld.so, too.

So far, I haven't seen a strong argument that 64 KiB is better than 32KiB, or that switching to 96 KiB or 128 KiB would not provide additionalprotection. To me, it's still an arbitrary number.

Based on the ld.so experience, I think it is questionable that existingvulnerable applications can be fixed by increasing the guard size. Ourexpectation is that we have to recompile with -fstack-clash-protectionto get deterministic crashes (which we are doing with glibc), or topatch them to avoid the stack jump (which we did for ld.so because theGCC support wasn't available at the time).


Thanks,
Florian

Follow-Ups:
- Re: [RFC] nptl: change default stack guard size of threads
  - From: Joseph Myers
- Re: [RFC] nptl: change default stack guard size of threads
  - From: Wilco Dijkstra

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]