On 2023-12-02 04:42, Martin Uecker wrote:

>> Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?
>>
>> -- >8 --
>> It came up that a good hardening strategy is to disable trampolines
>> which may require executable stack.  Therefore the following patch
>> adds -Werror=trampolines to -fhardened.

> This would add a warning about specific code (where it is then
> unclear whether rewriting it is feasible or even an improvement),
> which seems different to all the other flags -fhardened has
> now.

It's actually -Werror=trampolines, not just -Wtrampolines; the aim is to hard fail on producing trampolines and consequently, an executable stack. In general the goal of -fhardened is to produce hardened code and the nested function trampolines do the exact reverse of that, so -Werror=trampolines seems to align perfectly with that goal, doesn't it?

> GCC now has an option to allocate trampolines on the heap,
> which would seem to be a better fit.  On the other hand,
> it does not work with longjmp which may be a limitation.

For hardened code in C, I think we really should look to step away from nested functions instead of adding ways to continue supporting it. There's probably a larger conversation to be had about the utility of nested functions in general for C (and whether this GCC extension should be deprecated altogether in future), but I feel like the -fhardened subset gives us the opportunity to enforce at least a safe subset for now, possibly extending it in future.

Thanks,
Sid
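The two shapes of code this exchange is about, as an added illustration that is not part of the thread or of the GCC patch (the helper names and the sample values are my own): a GNU C nested function whose address escapes, which is the pattern -Wtrampolines reports, next to the rewrite with an explicit context pointer that "stepping away from nested functions" amounts to in practice.

```c
#include <stddef.h>

/* Callback that receives its state explicitly instead of capturing it. */
typedef int (*pred_fn)(int value, void *ctx);

/* Generic counter: calls pred(x, ctx) for every element and counts hits. */
static size_t count_if(const int *xs, size_t n, pred_fn pred, void *ctx)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (pred(xs[i], ctx))
            hits++;
    return hits;
}

static int above_threshold(int value, void *ctx)
{
    return value > *(const int *)ctx;
}

/* Rewritten form: the threshold travels through ctx, so there is no nested
   function, no trampoline, and the object does not request an executable
   stack. This compiles cleanly under -Wtrampolines. */
size_t count_above_hardened(const int *xs, size_t n, int threshold)
{
    return count_if(xs, n, above_threshold, &threshold);
}

#if defined(__GNUC__) && !defined(__clang__) && !defined(__STRICT_ANSI__)
/* Legacy callback interface with no context parameter: the only way to
   get `threshold` in is a GNU C nested function that captures it. */
static size_t count_if_legacy(const int *xs, size_t n, int (*pred)(int))
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (pred(xs[i]))
            hits++;
    return hits;
}

/* Taking the address of `above` makes GCC emit a trampoline on the stack,
   so the linked binary is marked PT_GNU_STACK RWE (check with
   `readelf -lW a.out | grep GNU_STACK`). `gcc -Wtrampolines` warns here;
   the patch under discussion would make this an error under -fhardened. */
size_t count_above_nested(const int *xs, size_t n, int threshold)
{
    int above(int v) { return v > threshold; }  /* nested function, captures threshold */
    return count_if_legacy(xs, n, above);
}
#endif
```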
