Message-ID: <4b5d9700-1550-3276-65c4-bd3072db24f6@intel.com>
Date: Tue, 27 Sep 2016 14:35:33 -0700
From: "LeMay, Michael" <michael.lemay@...el.com>
To: Rich Felker <dalias@...c.org>
Cc: "musl@...ts.openwall.com" <musl@...ts.openwall.com>
Subject: Re: [RFC] Support for segmentation-hardened SafeStack

On 9/27/2016 07:43, Rich Felker wrote:
> On Mon, Sep 26, 2016 at 11:05:06PM -0700, LeMay, Michael wrote:
...
>> Arguments, whether variadic or not, are still passed on the main
>> (safe) stack like usual, and they can be used in-place.
> Here I think we're just differing on what "used in-place" means. For
> me that would include the ability to take their addresses. I assume
> you're just talking about using the values.

I see your point now.  Yes, when SafeStack determines that a local 
variable or argument may be accessed unsafely, it moves or copies 
(respectively) that allocation to the unsafe stack.  Incidentally, I 
thought that just taking the address of a local variable or argument 
(e.g. for pointer comparisons within a single function) would not 
necessarily result in it being moved to the unsafe stack, but re-reading 
the SafeStack pass and running some tests showed me that the pass 
currently does move such allocations to the unsafe stack.

...
>
> This is another place where I think we're just using terms
> differently. From my perspective (the formal C language) variadic
> argument handling does not involve taking or dereferencing addresses
> on the stack; those are just va_list/va_arg implementation details. At
> the level of the formal language I think there are no exceptions; in
> all cases where the address on "the stack" leaks outside the scope of
> what the compiler can see/control, "the stack" it's on has to be the
> unsafe stack.

Yes, we're in agreement.  For completeness, I'll note that there are 
other ways for safe stack pointers to leak: 
http://clang.llvm.org/docs/SafeStack.html#known-security-limitations

Thanks,
Michael
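
The behaviour discussed in this message can be observed from C. The following is an added example, not part of the original message or of musl or LLVM: it leaks the address of a local and of an argument, then checks whether each object still sits near the function's own frame on the main stack. The function names, `g_escape` and the 64 KiB distance heuristic are assumptions made for the illustration. Observing an address at all counts as an address-taken use, so the sketch cannot show a variable that stays on the safe stack.

```c
/* Added example (not from the thread). Build both ways and compare:
 *   clang -O1 demo.c
 *   clang -O1 -fsanitize=safe-stack demo.c                              */
#include <stdint.h>
#include <stdio.h>

#if defined(__has_feature)
#  if __has_feature(safe_stack)
#    define SAFESTACK_ENABLED 1
#  endif
#endif
#ifndef SAFESTACK_ENABLED
#  define SAFESTACK_ENABLED 0
#endif

/* Assumption: one frame spans far less than 64 KiB, and the unsafe stack
 * is mapped much farther than that from the main stack. */
#define NEAR_LIMIT ((uintptr_t)64 * 1024)

static void *volatile g_escape;   /* storing an address here leaks it */

/* 1 if p lies within NEAR_LIMIT bytes of frame, else 0. */
static int near_frame(const void *p, const void *frame) {
    uintptr_t a = (uintptr_t)p, b = (uintptr_t)frame;
    return (a > b ? a - b : b - a) < NEAR_LIMIT;
}

/* A local whose address leaks: under SafeStack it lives on the unsafe stack. */
__attribute__((noinline)) int escaped_local_near_frame(void) {
    char buf[32];
    g_escape = buf;
    buf[0] = 0;
    return near_frame(buf, __builtin_frame_address(0));
}

/* An argument whose address leaks: under SafeStack its addressable copy
 * ends up on the unsafe stack as well. */
__attribute__((noinline)) int escaped_arg_near_frame(int arg) {
    g_escape = &arg;
    return near_frame(&arg, __builtin_frame_address(0));
}

int main(void) {
    printf("safe-stack build: %d\n", SAFESTACK_ENABLED);
    printf("escaped local near frame: %d\n", escaped_local_near_frame());
    printf("escaped arg near frame:   %d\n", escaped_arg_near_frame(7));
    return 0;
}
```

In a plain build both checks report 1; in a `-fsanitize=safe-stack` build they are expected to report 0, because the objects are no longer adjacent to the frame that holds the return address.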
