On 05/09/2016 04:43 PM, Evgenii Stepanov wrote:
> Now, if we want to really preserve this check logic under safestack,
> we will have to do something safestack-specific. There is no way to
> keep pretending that there is a single, continuous stack region and
> still get realistic results.

If you can hide it in lib/platform.h and lib/platform.c, go for it.

> 1. Use __builtin_frame_pointer and __builtin___get_unsafe_stack_ptr().
> They are supported whenever safestack is supported and can be
> protected with simple preprocessor guards.
> 2. Rely on safestack semantics to know which of the two stacks a
> variable gets allocated on. This is embedding some knowledge about
> safestack implementation (not just the ABI) into the application, but
> it relies on the fundamental security promise of safestack and is very
> unlikely to change. For example, this line in my original patch:
> intptr_t volatile stackaddr = (intptr_t)&which;
> leaks the address of "which" into a volatile location. Such variables
> are guaranteed to be allocated on the "unsafe" stack.

It's the _amount_ of stack I'm looking for. And the really vulnerable
systems are the nommu ones that only have 64k of stack, but which also
make exec more expensive..

> (2) does not seem to have any advantage over (1). Would (1) be acceptable?

Is __builtin_frame_pointer mentioned in C99? Is it portable to clang/llvm,
and cfront/libfirm or if http://pcc.ludd.ltu.se/ revives or
http://landley.net/qcc happens...?

If not, lib/portability.* is the place for #ifdef THINGY && THINGY code
blocks for environment-specific stuff.

Rob
_______________________________________________
Toybox mailing list
http://lists.landley.net/listinfo.cgi/toybox-landley.net
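What option (1) looks like when the goal is the amount of stack consumed rather than a single address, as an added example by the editor and not code from this thread or from toybox: it reads `__builtin_frame_address(0)` (the builtin I know under that name; the message calls it `__builtin_frame_pointer`) and `__builtin___get_unsafe_stack_ptr()` behind a `__has_feature(safe_stack)` guard, and uses the volatile-leak trick from the thread to put a buffer on the unsafe stack. The `stack_marks` struct and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
/* Detect clang SafeStack (-fsanitize=safe-stack) at compile time. */
#if defined(__has_feature)
# if __has_feature(safe_stack)
#  define HAVE_SAFESTACK 1
# endif
#endif
struct stack_marks {
  uintptr_t safe;    /* frame address on the regular (safe) stack */
  uintptr_t unsafe;  /* unsafe-stack pointer, 0 without SafeStack */
};
/* noinline so the frame read always sits beyond the caller's locals. */
static __attribute__((noinline)) struct stack_marks stack_marks_now(void)
{
  struct stack_marks m;
  m.safe = (uintptr_t)__builtin_frame_address(0);
#ifdef HAVE_SAFESTACK
  m.unsafe = (uintptr_t)__builtin___get_unsafe_stack_ptr();
#else
  m.unsafe = 0;
#endif
  return m;
}
/* Direction-independent distance: stacks may grow up or down. */
static size_t stack_distance(uintptr_t a, uintptr_t b) { return a > b ? a - b : b - a; }
/* Bytes consumed on each stack since `base` was taken. */
static size_t stack_used_since(struct stack_marks base, size_t *unsafe_used)
{
  struct stack_marks now = stack_marks_now();
  *unsafe_used = (base.unsafe && now.unsafe) ? stack_distance(base.unsafe, now.unsafe) : 0;
  return stack_distance(base.safe, now.safe);
}
/* n bytes of local storage whose address leaks into a volatile location (the
 * trick from the thread): under SafeStack it lands on the unsafe stack, so
 * the safe-stack figure alone undercounts and only the sum is realistic. */
static __attribute__((noinline)) size_t consume_and_measure(struct stack_marks base, size_t n, size_t *unsafe_used)
{
  char buf[n];
  volatile char *volatile leak = buf;
  leak[0] = 1; leak[n - 1] = 2;
  return stack_used_since(base, unsafe_used);
}
/* Total across both stacks for an n-byte escaping buffer (what a limit check wants). */
static size_t total_used_for(size_t n)
{
  size_t unsafe_used = 0;
  struct stack_marks base = stack_marks_now();
  return consume_and_measure(base, n, &unsafe_used) + unsafe_used;
}
```

Without SafeStack the whole figure shows up on the one stack; with it, the buffer moves to the unsafe stack and only the combined total stays meaningful for a 64k-style limit check.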
