On Fri, May 12, 2017 at 1:45 PM, Russell King - ARM Linux <li...@armlinux.org.uk> wrote: > On Fri, May 12, 2017 at 10:30:44PM +0200, Peter Zijlstra wrote: >> On Fri, May 12, 2017 at 09:21:06PM +0100, Russell King - ARM Linux wrote: >> > On Fri, May 12, 2017 at 12:30:02PM -0700, Kees Cook wrote: >> > > I'm clearly not explaining things well enough. I shouldn't say >> > > "corruption", I should say "malicious manipulation". The methodology >> > > of attacks against the stack are quite different from the other kinds >> > > of attacks like use-after-free, heap overflow, etc. Being able to >> > > exhaust the kernel stack (either due to deep recursion or unbounded >> > > alloca()) >> > >> > I really hope we don't have alloca() use in the kernel. Do you have >> > evidence to support that assertion? >> > >> > IMHO alloca() (or similar) should not be present in any kernel code >> > because we have a limited stack - we have kmalloc() etc for that kind >> > of thing. >> >> On stack variable length arrays get implemented by the compiler doing >> alloca(), and we sadly have a few of those around. > > I hope their size is appropriately limited, but something tells me it > would be foolish to assume that. > >> But yes, fully agreed on the desirability of alloca() and things. > > Hmm, I wonder if -fno-builtin-alloca would prevent those... it looks > like it certainly would prevent an explicit alloca() call.
Building with -Werror=vla is exciting. :) A lot of it is in crypto (which are relatively static sizes, just using function callbacks), but there is plenty more. -Kees -- Kees Cook Pixel Security
