On 06/28/2017 12:45 AM, Florian Weimer wrote:
> * Richard Earnshaw:
>
>> I can't help but feel there's a bit of a goode olde mediaeval witch hunt
>> going on here. As Wilco points out, we can never defend against a
>> function that is built without probe operations but skips the entire
>> guard zone. The only defence there is a larger guard zone, but how big
>> do you make it?
>
> Right. And in the exploitable cases we have seen, there is a
> dynamically sized allocation which the attacker can influence, so it
> seems fairly likely that in a partially hardened binary, there could
> be another call stack which is exploitable, with a non-hardened
> function at the top.
>
> I think a probing scheme which assumes that if the caller moves the
> stack pointer into more than half of the guard area, that's the
> caller's fault would be totally appropriate in practice. If possible,
> callee-only probing for its own stack usage is preferable, but not if
> it means instrumenting all functions which use the stack.

That position is a surprise, Florian :-) I would have expected a full protection position, particularly after the discussions we've had about noreturn functions.

I guess the difference in your position is driven by the relatively high frequency of probing that worst-case assumptions are going to have on aarch64, with a relatively small vulnerability surface? Which is a fairly stark contrast to the noreturn situation, where it rarely, if ever, comes up in practice and never on a hot path?

Jeff
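The three positions in the thread (an unprobed function can always jump the whole guard; a callee that probes only its own frame can still catch the overflow if the caller has not moved sp more than about half way into the guard; a smaller probe interval buys tolerance at the cost of more probes) can be checked against a small model of the stack layout. The following is an added example, not code from the GCC patch thread or from any compiler: the stack, guard and page sizes are constructed, and the probing rule (touch every `probe_interval` bytes while allocating, then the new sp) is a simplification of what a compiler emits.

```python
# Constructed model of stack-clash probing against a guard zone. Offsets are
# distances below the top of the stack mapping, in bytes; the stack grows
# downward, so a larger offset is a deeper address.

STACK_SIZE = 8 * 1024 * 1024   # constructed: bytes in the mapped stack region
GUARD_SIZE = 64 * 1024         # constructed: bytes in the guard zone below it
PAGE = 4096                    # constructed: page size used for the scenarios


def classify(offset, stack_size=STACK_SIZE, guard_size=GUARD_SIZE):
    """Where does an access at this depth below the top of the stack land?"""
    if offset < stack_size:
        return "stack"
    if offset < stack_size + guard_size:
        return "guard"    # the access faults: the overflow is caught
    return "beyond"       # the access lands in another mapping: stack clash


def frame_touches(sp, frame_size, probed, probe_interval):
    """Return (new_sp, accesses made while allocating a frame_size frame).

    probed=False is an un-instrumented function: the worst case is that it
    moves sp by the whole frame without touching any of it.  probed=True is
    a callee that touches every probe_interval bytes as it allocates its own
    frame, and then the new sp (simplified probing rule, an assumption).
    """
    new_sp = sp + frame_size
    if not probed:
        return new_sp, []
    touches = [sp + k * probe_interval
               for k in range(1, frame_size // probe_interval + 1)]
    if not touches or touches[-1] != new_sp:
        touches.append(new_sp)
    return new_sp, touches


def run_chain(chain, probe_interval, start_sp,
              stack_size=STACK_SIZE, guard_size=GUARD_SIZE):
    """Simulate a call chain of (frame_size, probed) frames, outermost first.

    The leaf function finally stores at its own sp (saved registers, return
    address).  Returns 'ok' if every access stayed on the stack, 'guard' if
    the first access to leave the stack hit the guard zone (a fault, so the
    overflow is stopped), or 'clash' if that access skipped past the guard.
    """
    sp = start_sp
    accesses = []
    for frame_size, probed in chain:
        sp, touches = frame_touches(sp, frame_size, probed, probe_interval)
        accesses.extend(touches)
    accesses.append(sp)            # the leaf's first real store
    for a in accesses:
        where = classify(a, stack_size, guard_size)
        if where != "stack":
            return "clash" if where == "beyond" else "guard"
    return "ok"


# Constructed scenarios.  The stack is almost full: sp sits one page above
# the guard zone when the interesting frames are allocated.
NEAR_BOTTOM = STACK_SIZE - PAGE
BIG = 1024 * 1024               # an attacker-influenced dynamic allocation


def unprobed_leaf():
    """No probes at all: the leaf jumps the whole guard in one step."""
    return run_chain([(BIG, False)], PAGE, NEAR_BOTTOM)


def probed_leaf():
    """Same allocation, probed every page: the first probe faults in the guard."""
    return run_chain([(BIG, True)], PAGE, NEAR_BOTTOM)


def half_guard_rule(caller_intrusion, probe_interval):
    """An unprobed caller moves sp caller_intrusion bytes into the guard
    without touching it, then calls a probed callee that allocates BIG
    bytes and probes only its own frame at probe_interval."""
    chain = [(PAGE + caller_intrusion, False), (BIG, True)]
    return run_chain(chain, probe_interval, NEAR_BOTTOM)
```

With a probe interval of half the guard, a caller that stopped just short of half way into the guard is still caught (`half_guard_rule(GUARD_SIZE // 2 - PAGE, GUARD_SIZE // 2)` returns `"guard"`), while one that went a page past half is not (`"clash"`): that is the "caller's fault" case. Shrinking the interval to one page makes the same over-intruding caller safe again, which is the trade-off behind the probing frequency concern: the interval must stay strictly below the part of the guard the callee can count on, and every halving of it doubles the probes in large frames.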