Date: Mon, 26 Sep 2016 10:55:16 -0700 From: "LeMay, Michael" <michael.lemay@...el.com> To: musl@...ts.openwall.com, LeMay@...t70.net Subject: Re: [RFC] Support for segmentation-hardened SafeStack On 9/23/2016 03:22, Szabolcs Nagy wrote: > * LeMay, Michael <michael.lemay@...el.com> [2016-09-22 23:00:45 +0000]: >> I submitted several patches to LLVM and Clang to harden SafeStack using segmentation on x86-32 . See  for general background on SafeStack. > ... >>  http://lists.llvm.org/pipermail/llvm-dev/2016-May/100346.html >>  http://clang.llvm.org/docs/SafeStack.html > is all runtime support in the libc with your patches? > (i.e. no static linked interposition code from compiler-rt) For programs linked against my patched version of musl with segmentation-hardened SafeStack enabled, the SafeStack library in compiler-rt is not needed. > > can you call into non-instrumented code? > (as Rich noted this looks like a new abi on i386) > i assume the segmented variant breaks abi while the > non-segmented one does not. Restricting segment limits does introduce additional considerations that are not applicable to the original version of SafeStack, as I described in the reply to Rich that I just sent. > > what is the unsafe stack size of the main thread? > how much is the resource usage overhead? I arbitrarily chose to allocate a main-thread unsafe stack that is twice as large as the main-thread safe stack. The unsafe stack sizes for new threads are computed similarly to the safe stack sizes. I'll post the current revision of my patches soon for the sake of discussion. > > what happens if unsafe stack allocation fails? A limitation of my current patches is that there is no support for dynamically expanding the size of the unsafe stack. By the way, I think that this is also a limitation of the current compiler-rt support for the original version of SafeStack. > how does the stack get deallocated at thread exit? > i assume they are consistent with normal stack > handling if this is done in musl.. except for the > main thread. Yes, the unsafe stack gets deallocated when non-main threads exit. > > can signal handlers work with sigaltstack? That's an interesting question. One thing to consider is that the kernel will only switch the safe stack when sigaltstack is used, not the unsafe stack. Furthermore, for the segmentation-based hardening to apply to the stack passed to sigaltstack, that stack would need to be allocated above the restricted limits of DS and ES. Thanks, Michael
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.