[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[egallager at gcc dot gnu.org via Gcc-bugs]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

Eric Gallager  changed:

   What|Removed |Added

 CC||mpolacek at gcc dot gnu.org

--- Comment #27 from Eric Gallager  ---
Marek Polacek has had a new idea to have it be enabled by the new -fhardened
flag instead:
https://gcc.gnu.org/pipermail/gcc-patches/2023-December/638987.html

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[muecker at gwdg dot de via Gcc-bugs]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

Martin Uecker  changed:

   What|Removed |Added

 CC||muecker at gwdg dot de

--- Comment #26 from Martin Uecker  ---

I would be nice to have a way to avoid executable code while still being able
to use this feature (which is useful!).

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[sjames at gcc dot gnu.org via Gcc-bugs]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

Sam James  changed:

   What|Removed |Added

 CC||sjames at gcc dot gnu.org

--- Comment #25 from Sam James  ---
fwiw Gentoo and Alpine have been doing this for many, many years

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[mark at gcc dot gnu.org via Gcc-bugs]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #24 from Mark Wielaard  ---
(In reply to Eric Gallager from comment #23)
> (In reply to Mark Wielaard from comment #22)
> > (In reply to Eric Gallager from comment #21)
> > > (In reply to Mark Wielaard from comment #20)
> > > > https://gcc.gnu.org/ml/gcc-patches/2018-11/msg02055.html
> > > 
> > > Did this make it in? If not, have you pinged it lately?
> > 
> > No, there was some review, I think we are generally good, but I am waiting
> > for stage1 to open.
> 
> Stage1 has opened.

And it has opened again. So this comment is mostly for myself to not forget
about this again (and again...)

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[egallager at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #23 from Eric Gallager  ---
(In reply to Mark Wielaard from comment #22)
> (In reply to Eric Gallager from comment #21)
> > (In reply to Mark Wielaard from comment #20)
> > > https://gcc.gnu.org/ml/gcc-patches/2018-11/msg02055.html
> > 
> > Did this make it in? If not, have you pinged it lately?
> 
> No, there was some review, I think we are generally good, but I am waiting
> for stage1 to open.

Stage1 has opened.

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[mark at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #22 from Mark Wielaard  ---
(In reply to Eric Gallager from comment #21)
> (In reply to Mark Wielaard from comment #20)
> > https://gcc.gnu.org/ml/gcc-patches/2018-11/msg02055.html
> 
> Did this make it in? If not, have you pinged it lately?

No, there was some review, I think we are generally good, but I am waiting for
stage1 to open.

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[egallager at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #21 from Eric Gallager  ---
(In reply to Mark Wielaard from comment #20)
> https://gcc.gnu.org/ml/gcc-patches/2018-11/msg02055.html

Did this make it in? If not, have you pinged it lately?

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[mark at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #20 from Mark Wielaard  ---
https://gcc.gnu.org/ml/gcc-patches/2018-11/msg02055.html

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[mark at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #19 from Mark Wielaard  ---
I think we are just talking past each other because we don't fully agree when
the warning should trigger and whether it is (trivial and/or) desirable to
avoid that specific corner case.

We do agree that nested functions are a useful C language extension and I am
using them extensively in my own code. The only corner case I would avoid is
when taking a nested function pointer escapes the current lexical context and
when calling that function pointer would need access to some lexical context
variables (because it will generate something that isn't a real simple function
pointer and it is hard to reason about when calling it is safe). Which is
precisely when -Wtrampolines triggers whenever that requires creating an
executable trampoline on the stack. IMHO it is easy to rewrite any code that
does that to pass around the bare function pointer plus context, which is what
I showed in my example (indeed by rewriting h also). You argue that this would
only be an issue if the stack was non-executable by default already.

I am fine with only triggering the warning with -Wall when otherwise the stack
would silently be marked as executable. The only problem is that there
currently is no target macro that can easily be used to tell whether or not a
target has the stack non-executable by default. So we would have to introduce
that.

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[segher at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #18 from Segher Boessenkool  ---
Your "trivial rewrite" does not work at all (you didn't modify "h").

It isn't trivial to avoid this warning at all, which was half of my point.

The other half is that we should not warn that the normal use of a GCC C
extension would be "bad" or a "security problem" when it is neither.  Yes,
marking the whole stack executable for the whole lifetime of a process when
something in your program may use a trampoline is less than optimal, may
make some exploits easier to pull off.  But that is all.

Making -Wall complain about it in all cases will only result in more people
not using nested functions, although those are a useful C language extension
(and required for some other languages, so GCC has to implement it *anyway*),
while not actually giving them any more security.

Nested functions are not insecure.  Trampolines are not insecure.  Executable
trampolines are not insecure.  Executable trampolines on the stack are not
insecure.  Executable *everything* on the stack is not insecure, on many
architectures.  The only thing is that having the whole stack executable makes
it easier to exploit other problems, on other architectures.

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[mark at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #17 from Mark Wielaard  ---
(In reply to Segher Boessenkool from comment #16)
> Something as trivial as this
> 
> ===
> void h(int (*)(void));
> void f(int x)
> {
> int g(void) { return x; }
> h(g);
> }
> ===
> 
> will already do.  *Anything* that needs trampolines will do.

Sure, if you pass around a nested function pointer that captures context that
the compiler cannot inline because it is passed to another function that cannot
capture that same context.

I just haven't seen any code base that does that. That is why I was asking for
a concrete example.

But I know it is possible to accidentally do this and that is why I like the
have -Wall/-Wtrampolines warn about it. The above example can trivially be
rewritten to not give the warning:

void h(int (*)(int), int);
void f(int x)
{
 int g(int i) { return i; }
 h(g, x);
}

And I believe that is what normally people would want. Having
-Wall/-Wtrampolines warn about it when they make the mistake of writing code
that would require executable code on the stack when they use nested functions.

I could be wrong of course, I might not have enough imagination to appreciate
that what I believe is the correct/trivial way to rewrite the code to avoid the
warning (and potential security issue) is in fact a real burden in some
environments.

Is your objection to add -Wtrampolines to -Wall because you have actual code
that would be hard to rewrite to avoid the warning? Or is it just that you
believe it should not be a default warning on some targets (those which already
have the security issue of having a default executable stack)?

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[segher at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #16 from Segher Boessenkool  ---
Something as trivial as this

===
void h(int (*)(void));
void f(int x)
{
int g(void) { return x; }
h(g);
}
===

will already do.  *Anything* that needs trampolines will do.

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[mark at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #15 from Mark Wielaard  ---
(In reply to Segher Boessenkool from comment #14)
> It is very hard to avoid the warning if you use this feature (you need to
> stop using the feature altogether!), which would disqualify it for -Wall
> immediately

Could you give an example of a program where you see -Wtrampolines produce a
warning that you believe you cannot easily work around to silence it? In
practice I found the warning almost never triggers even in code that uses
nested functions a lot since it is only when there is a need to generate
executable code on the stack that it shows up.

> -Wtrampolines as it currently is does not belong in -Wall.

I think it would be more useful if done generically, but I don't mind not
adding it to -Wall for targets you feel strongly about should not have it. I
just don't know which guard to use to skip targets which explicitly make their
stack always executable.

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[segher at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #14 from Segher Boessenkool  ---
It is *not* a security issue for many environments, and the warning warns
whenever you use a useful feature.

It is very hard to avoid the warning if you use this feature (you need to
stop using the feature altogether!), which would disqualify it for -Wall
immediately, except you may say "but the security impact is so important".
Since the security impact is zero for many environments, that is not a good
argument.

-Wtrampolines as it currently is does not belong in -Wall.

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[mark at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #13 from Mark Wielaard  ---
(In reply to Segher Boessenkool from comment #12)
> Requiring everything on the stack to always be executable, while normally it
> is
> not, is an issue, sure.
> 
> Requiring the stack to be executable when *everything* is executable
> *always*,
> is not an issue.

I think we are talking past each other.
-Wtrampolines warns about putting executable code on the stack, which is a
questionable construct (that almost never happens, because it would only happen
with specific uses of nested functions where taking the address of such a
function is put into an environment that need an executable code trampoline put
on on the stack) but that you would like to know about so you can avoid it
because it also is a security issue and easy to avoid if you know it is
happening, which is why it should be added to -Wall.

You seem to argue that -Wtrampolines should warn differently for different
targets (or that -Wtrampolines should only be added to -Wall for certain
targets, but not others). I am not sure it really should be treated
differently, it is a questionable code construct whether or not the stack is
already executable or not IMHO.

I think it would be helpful if you gave a concrete example where having
-Wtrampolines in -Wall would produce the warning for a specific piece of code
where you think it shouldn't. Do you have a specific program for a specific
target in mind?

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[segher at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #12 from Segher Boessenkool  ---
Requiring everything on the stack to always be executable, while normally it is
not, is an issue, sure.

Requiring the stack to be executable when *everything* is executable *always*,
is not an issue.

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[mark at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #11 from Mark Wielaard  ---
(In reply to Segher Boessenkool from comment #10)
> As I said, very many targets have no concept of "executable" at all.
> Most of the *-elf targets, most (all?) of the *-aout targets.
> 
> Not all of the world is Linux.

But generating code on the stack requiring an executable stack is a security
issue. If only because by creating executable that need that prevent the target
from adopting a non-executable stack.

> -Wall is only for *easy to avoid* warnings, which -Wtrampolines very much
> is not:
> 
> '-Wall'
>  This enables all the warnings about constructions that some users
>  consider questionable, and that are easy to avoid (or modify to
>  prevent the warning), even in conjunction with macros.

I just don't agree I think. This is a warning about a generally frowned upon
use of a corner case of a GNU extension. The warning is just about that
specific questionable construct (taking a pointer of a nested function and
passing it around for use in a way that GCC cannot simply inline its usage)
that cause a security issue (generation of on-stack executable code).

It would really be helpful if you could point to a concrete example where this
specific usage causes a warning with -Wtrampoline which is not correct.

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[segher at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #10 from Segher Boessenkool  ---
As I said, very many targets have no concept of "executable" at all.
Most of the *-elf targets, most (all?) of the *-aout targets.

Not all of the world is Linux.


-Wall is only for *easy to avoid* warnings, which -Wtrampolines very much
is not:

'-Wall'
 This enables all the warnings about constructions that some users
 consider questionable, and that are easy to avoid (or modify to
 prevent the warning), even in conjunction with macros.

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[mark at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #9 from Mark Wielaard  ---
(In reply to Segher Boessenkool from comment #5)
> The documentation currently says
> 
> '-Wtrampolines'
>  Warn about trampolines generated for pointers to nested functions.
>  A trampoline is a small piece of data or code that is created at
>  run time on the stack when the address of a nested function is
>  taken, and is used to call the nested function indirectly.  For
>  some targets, it is made up of data only and thus requires no
>  special treatment.  But, for most targets, it is made up of code
>  and thus requires the stack to be made executable in order for the
>  program to work properly.
> 
> This isn't true if the trampoline is just data, if your reading in comment 2
> is correct.

The documentation can be improved for sure. It doesn't make explicit that the
warning is only when a trampoline is generated that is code placed on the stack
(which might require the stack to be made executable on some targets). But a
strict reading might suggest that it also warns in other cases. Lets just
improve the documentation.

> This isn't something to warn about (or at least not in -Wall or -W) if
> executable code on the stack does not open up security concerns.
> 
> For how to detect it, you can start at varasm.c:file_end_indicate_exec_stack
> ,
> which isn't exactly what is needed, but you can start there.  Or perhaps
> builtins,c:expand_builtin_init_trampoline is better.

You mean move the warning to some later point? I am not sure that is a good
idea because then you loose the diagnostic location of the code.

In general I do agree with comment #6. If at all possible we should make the
warning generic. Generating code on the stack is a bad thing in general whether
or not the stack is already executable or not IMHO.

It would be helpful if you could show a concrete example of -Wtrampolines
giving a warning where it is wrong to warn. What specific target are you
concerned about?

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[fw at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #8 from Florian Weimer  ---
(In reply to Segher Boessenkool from comment #7)
> The number of targets where such a warning is meaningless is _big_, that is
> the point (most of the (older) embedded targets).

There are a lot of targets which were once read-implies-exec, but have later
implementations which are not.

I guess the dealbreaker is whether GCC emits code or markers to make the stack
executable.  If it does that, it should warn.

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[segher at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #7 from Segher Boessenkool  ---
The number of targets where such a warning is meaningless is _big_, that is
the point (most of the (older) embedded targets).

If the warning warns where there is no problem, it does not belong in -Wall
or -Wextra.

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[fw at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #6 from Florian Weimer  ---
I'm not a fan of target-specific warnings.  In this case, the number of targets
where this the warning would not be appropriate would be vanishingly small,
though, so I do not think this is a problem in practice.

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[segher at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #5 from Segher Boessenkool  ---
The documentation currently says

'-Wtrampolines'
 Warn about trampolines generated for pointers to nested functions.
 A trampoline is a small piece of data or code that is created at
 run time on the stack when the address of a nested function is
 taken, and is used to call the nested function indirectly.  For
 some targets, it is made up of data only and thus requires no
 special treatment.  But, for most targets, it is made up of code
 and thus requires the stack to be made executable in order for the
 program to work properly.

This isn't true if the trampoline is just data, if your reading in comment 2
is correct.

This isn't something to warn about (or at least not in -Wall or -W) if
executable code on the stack does not open up security concerns.

For how to detect it, you can start at varasm.c:file_end_indicate_exec_stack ,
which isn't exactly what is needed, but you can start there.  Or perhaps
builtins,c:expand_builtin_init_trampoline is better.

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[mark at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #4 from Mark Wielaard  ---
I think the point of the warning is to note that executable code is generated
on the stack (which seems to always be something to warn about IMHO).

But I am fine with only enabling -Wtrampolines with -Wall for targets that 
explicitly need an executable stack for that. What is the correct way to detect
the target needs that?

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[segher at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #3 from Segher Boessenkool  ---
It is good that it doesn't warn if trampolines are not data.  This is not
documented, fwiw.

It also warns if the stack is executable *anyway*, like it is for many
targets.  This is not useful; as documented, the point of the warning is
to warn the user that the stack is made executable because some trampoline
somewhere needs it.  Not warn the user that there is a trampoline
somewhere(*), which would be as useful as warning the user that the program
source code is a multiple of six lines long, which is exactly as harmful :-P


(*) Which, as you say, is not what it does anyway!

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[mark at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

--- Comment #2 from Mark Wielaard  ---
(In reply to Segher Boessenkool from comment #1)
> This also would warn for targets where it is not an issue at all (where
> trampolines are just data, or where the stack is executable anyway, or where
> there is no such "executable" concept at all, for example).

Do you have an example where -Wtrampolines warns unnecessarily?

I might be reading the code wrong, but the trampolines warning is guarded by
on_stack and targetm.calls.custom_function_descriptors != 0. So I believe it
wouldn't warn in case the trampoline is generated on the heap or if the target
uses descriptors for nested functions (which eliminates the need for
trampolines that reside on the stack and require it to be made executable).

[Bug c/88088] -Wtrampolines should be enabled by -Wall (or -Wextra)

[segher at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88088

Segher Boessenkool  changed:

   What|Removed |Added

 CC||segher at gcc dot gnu.org

--- Comment #1 from Segher Boessenkool  ---
This also would warn for targets where it is not an issue at all (where
trampolines are just data, or where the stack is executable anyway, or where
there is no such "executable" concept at all, for example).