This is the mail archive of the
mailing list for the glibc project.
Re: [PATCH v4] aarch64: enforce >=64K guard size
On 16/07/18 10:35, Florian Weimer wrote:
* Szabolcs Nagy:
On 14/07/18 15:02, Florian Weimer wrote:
* Szabolcs Nagy:
There are several compiler implementations that allow large stack
allocations to jump over the guard page at the end of the stack and
corrupt memory beyond that. See CVE-2017-1000364.
Compilers can emit code to probe the stack such that the guard page
cannot be skipped, but on aarch64 the probe interval is 64K by default
instead of the minimum supported page size (4K).
This patch enforces at least 64K guard on aarch64 unless the guard
is disabled by setting its size to 0. For backward compatibility
reasons the increased guard is not reported, so it is only observable
by exhausting the address space or parsing /proc/self/maps on linux.
Is there anything special in the aarch64 probing sequence that
*requires* that the guard is 64 KiB, or is it just that it is not
effective if it is not?
it's not effective (the probe interval is 64k)
Then I don't understand why it's necessary to override an explicitly
specified guard size. Changing the default should be sufficient.
on aarch64 safe behaviour is only guaranteed if the
guard is >=64k, a smaller guard does not guard against
stack overflow, so what's the point of a smaller guard?
user code cannot reason about stack usage in any sensible
way so it cannot be smart about the guard size, yet there
is lot of existing code setting the guard size explicitly
to a single page. the only effect of granting those
settings is to make code unsafe on systems with smaller
than 64k page size.
with the proposed patch all conforming posix code is safe
in case of stack overflow (segfaults), except code that
runs on user allocated stack, i think this is a reasonable
guarantee to provide.