Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 1 Feb 2019 14:36:24 -0800
From: Andy Lutomirski <>
To: Thomas Garnier <>
Cc: Andy Lutomirski <>,
 Kernel Hardening <>,
 Kristen Carlson Accardi <>,
 Thomas Gleixner <>, Ingo Molnar <>,
 Borislav Petkov <>, "H. Peter Anvin" <>,
 X86 ML <>, Masahiro Yamada <>,
 Juergen Gross <>, Joerg Roedel <>,
 Jia Zhang <>,
 Konrad Rzeszutek Wilk <>,
 Tim Chen <>, LKML <>
Subject: Re: [PATCH v6 20/27] x86: Support global stack cookie

> On Feb 1, 2019, at 12:21 PM, Thomas Garnier <> wrote:
>> On Fri, Feb 1, 2019 at 11:27 AM Andy Lutomirski <> wrote:
>>> On Thu, Jan 31, 2019 at 11:29 AM Thomas Garnier <> wrote:
>>> Add an off-by-default configuration option to use a global stack cookie
>>> instead of the default TLS. This configuration option will only be used
>>> with PIE binaries.
>>> For kernel stack cookie, the compiler uses the mcmodel=kernel to switch
>>> between the fs segment to gs segment. A PIE binary does not use
>>> mcmodel=kernel because it can be relocated anywhere, therefore the
>>> compiler will default to the fs segment register. This is fixed on the
>>> latest version of gcc.
>> I hate all these gcc-sucks-so-we-hack-it-and-change-nasty-semantics
>> options.  How about just preventing use of both stack protector and
>> PIE unless the version of gcc in use is new enough.
> So fail the build in this scenario?

Fail the build or use some Kconfig magic to prevent this from being configured in the first place.

>> Also, does -mstack-protector-guard-reg not solve this?  See
>>  Or is there
>> another bug?  Or are you worried about gcc versions that don't have
>> that feature yet?
> I am worried about gcc versions that don't have this feature, yes.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.