more -fstack-protector!
Andrew Bartlett
abartlet at samba.org
Thu Mar 7 03:20:24 MST 2013
On Thu, 2013-03-07 at 10:51 +0100, Andreas Schneider wrote:
> On Thursday 07 March 2013 13:09:58 Andrew Bartlett wrote:
> > On Wed, 2013-03-06 at 19:08 -0500, Ira Cooper wrote:
> > > On Wed, Mar 6, 2013 at 6:16 PM, Andrew Bartlett <abartlet at samba.org>
> wrote:
> > > > On Wed, 2013-03-06 at 09:22 -0500, Ira Cooper wrote:
> > > > > This patch adds the ability to:
> > > > >
> > > > > --disable-stack-protector (For those who don't want it.)
> > > > > --enable-stack-protector-all (For debugging or the paranoid.)
> > > > >
> > > > > Both builds have been tested locally on illumos. (As far as that they
> > > > > build.)
> > > > >
> > > > > In the future, please don't default flags like this, without a toggle
> > > > > to
> > > > > turn them off.
> > > >
> > > > On a more meta level:
> > > >
> > > > In Samba, with very, very few fixed-length strings on the stack (die,
> > > > pstring, die), where does -fstack-protector help? Can we get some
> > > > diagnostics as to where this is being applied, such that the cost 1%
> > > > cost is showing up?
> > >
> > > Sorry,
> > >
> > > I've got other things to work on. The only reason I actually jumped in at
> > > all was it broke my build, and then I realized I only 1/2 fixed what was
> > > wrong, so I mopped up my work.
> > >
> > > Others appear to have a better grasp on what is going on. I just want a
> > > way to turn it off.
> >
> > You suggested this option has a speed cost. I'm at the very least
> > asking that you detail that.
>
> fstack-protector puts a canary value on the stack of key functions. Just
> before the return address and just before returning from that value, that
> canary value is verified. If there was a buffer overflow, the canary no longer
> matches and the program aborts. The canary value is random for each time the
> application is started and makes it impossible to guess remotely.
>
> The speed cost is setting and checking the canary...
It seems incredible to me that this, if properly applied (eg the
criteria we discuss below) can really cost 1%, which is why I'm wanting
detail.
> Red Hat and SUSE are are using it by default ...
>
> > I don't like having any more configure options that we absolutely have
> > to have, because each of them has to be tested somehow. Where at all
> > possible we should just do the right thing, whatever that is.
> >
> > As such, I would like detail from you and from those who added this in
> > the first place as to what the costs and specific benefits are.
>
> It is a stack smash protection.
Given the way we handle strings and buffers in Samba, can you point at
the buffers you think might be subject to such an attack?
> > In particular, what array declarations 'buffers larger than 8 bytes'
> > does the compiler see in our hot path?
>
> I don't see what this has todo with buffers larger than 8 bytes. This is for
> buffer overflow detection for any buffer.
That is a quote from the GCC manpage on my Fedora 17 box. I take it
that this is the default criteria for it guessing that a buffer is a
string or something a bad memcpy() might be aimed at, rather than just
integers (for example), and so to apply this protection to that
particular function:
-fstack-protector
Emit extra code to check for buffer overflows, such as stack
smashing attacks. This is done by adding a guard variable to functions
with vulnerable objects. This includes
functions that call alloca, and functions with buffers larger
than 8 bytes. The guards are initialized when a function is entered and
then checked when the function exits.
If a guard check fails, an error message is printed and the
program exits.
-fstack-protector-all
Like -fstack-protector except that all functions are
protected.
If this really has a 1% cost (which seems high, and now I can't find the
reference where I thought that was stated), I would like to see the
intersection between the hot path and functions that need stack smash
protection, to see if we might find a way to avoid it on those hot paths
(perhaps with some small re-factor, or assistance to upstream GCC to be
smarter).
Or, if this really doesn't have a high cost on subsequent analysis or
because I've miss-remembered or imagined it, I would prefer we just
enable it, rather than add even more options.
I say this because on the whole, I didn't think we used many
stack-allocated fixed length buffers in the post fstring/pstring era.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list