Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20200130145603.GW22482@gate.crashing.org>
Date: Thu, 30 Jan 2020 08:56:03 -0600
From: Segher Boessenkool <segher@...nel.crashing.org>
To: Rich Felker <dalias@...c.org>
Cc: Sergei Trofimovich <slyfox@...too.org>, musl@...ts.openwall.com,
        libc-alpha@...rceware.org, gcc@....gnu.org, toolchain@...too.org
Subject: Re: musl, glibc and ideal place for __stack_chk_fail_local

On Thu, Jan 30, 2020 at 08:37:40AM -0500, Rich Felker wrote:
> On Thu, Jan 30, 2020 at 06:33:51AM -0600, Segher Boessenkool wrote:
> > On Sat, Jan 25, 2020 at 10:54:24AM -0500, Rich Felker wrote:
> > > > To support smash stack protection gcc emits __stack_chk_fail
> > > > calls on all targets. On top of that gcc emits __stack_chk_fail_local
> > > > calls at least on i386 and powerpc:
> > 
> > (Only on 32-bit -fPIC -msecure-plt, for Power).
> 
> Right, but musl only supports the secure-plt ABI.

Sure, it is the modern one.  Still only for 32-bit -fPIC for musl, too.

> > > There is a half-serious proposal to put it in crti.o which is always
> > > linked too, but that seems like an ugly hack to me...
> > 
> > Not *very* ugly, but it would be very effective, and no real downsides
> > to it (or do you see something?)
> 
> Well either the thunk has to be written in asm per-arch, or some ld -r
> magic (which is fragile and something I don't want musl to depend on
> since I know users will someday hit breakage and rightfully blame us
> for using ld -r) to merge an asm source and C source. Or perhaps the
> existing crti.s content could be moved to file-scope __asm__ included
> in the C source file...that might be ok?

At least for powerpc, the existing crti.s gets stuff inserted after (in
both functions), and then closed off by crtn.s -- not something you want
to do in C :-)

GCC can just say to also use extra crti files -- see STARTFILE_SPEC.
Many platforms do that already.

> > On Power it is just the setting up itself that is costly (in the config
> > where we have this _local thing).
> 
> I think it'd be the same.

We don't have a shortage of usable registers, that's what I was getting at.
All the other arguments are similar, sure.

> > > Absolutely not. libssp is unsafe and creates new vulns/attack surface
> > > by doing introspective stuff after the process is already *known to
> > > be* in a compromised state. It should never be used. musl's
> > > __stack_chk_fail is safe and terminates immediately.
> > 
> > Some implementations even print strings from the stack, it can be worse ;-)
> 
> :-)

It wasn't a joke, unfortunately.

> > > Ideally, though, GCC would just emit the termination inline (or at
> > > least have an option to do so) rather than calling __stack_chk_fail or
> > > the local version. This would additionally harden against the case
> > > where the GOT is compromised.
> > 
> > Yeah, but how to terminate is system-specific, it's much easier to punt
> > this job to the libc to do ;-)
> 
> My ideas was __builtin_trap, although a slightly more hardened version
> (that might make users unhappy? :) is inlining a syscall to
> sigprocmask to mask SIGILL/SIGSEGV before the trapping instruction so
> that termination occurs regardless of whether there's a signal handler
> installed.

I think we should make this a separate RTL pattern?  Or a (noreturn)
libgcc function?  Anyway, let's talk in the PR :-)

> > Open a GCC PR for this please?
> 
> Filed as https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93509

Thanks!


Segher

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.