Quantcast

What do the different stack-protector levels protect in Clang?

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

What do the different stack-protector levels protect in Clang?

Lang Hames via cfe-dev
Hello,

I see documentation out there for the levels of stack-protector in GCC: Regular protects functions that have buffers or that use alloca(), all protects all functions, strong protects functions with the conditions listed in para 3 in this doc: https://docs.google.com/document/d/1xXBH6rRZue4f296vGt9YQcuLVQHeE516stHwt8M9xyU/editAlso, in GCC, stack-protector puts variables below buffers on the stack (i.e., higher up the stack).

I'm having trouble finding similar documentation for Clang. (Even if it's just an official statement that "Clang does the same thing as GCC.")

Thanks!



_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: What do the different stack-protector levels protect in Clang?

Lang Hames via cfe-dev
Is this https://clang.llvm.org/docs/ClangCommandLineReference.html what you are looking at?
Under the Clang source directory, `grep -r "stack-protector" docs/*` gives the following result:

  docs/ClangCommandLineReference.rst:.. option:: -fstack-protector, -fno-stack-protector
  docs/ClangCommandLineReference.rst:.. option:: -fstack-protector-all
  docs/ClangCommandLineReference.rst:.. option:: -fstack-protector-strong
  docs/DiagnosticsReference.rst:-Wstack-protector

​Or you can goole with "stack protector site:http://lists.llvm.org/pipermail/cfe-dev/" to find something
on the cfe-dev mailing list. I think that's all you can find.

Regards,
chenwj


2017-04-28 1:20 GMT+08:00 Yaron Shragai via cfe-dev <[hidden email]>:
Hello,

I see documentation out there for the levels of stack-protector in GCC: Regular protects functions that have buffers or that use alloca(), all protects all functions, strong protects functions with the conditions listed in para 3 in this doc: https://docs.google.com/document/d/1xXBH6rRZue4f296vGt9YQcuLVQHeE516stHwt8M9xyU/editAlso, in GCC, stack-protector puts variables below buffers on the stack (i.e., higher up the stack).

I'm having trouble finding similar documentation for Clang. (Even if it's just an official statement that "Clang does the same thing as GCC.")

Thanks!



_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev




--
Wei-Ren Chen (陳韋任)
Homepage: https://people.cs.nctu.edu.tw/~chenwj

_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: What do the different stack-protector levels protect in Clang?

Lang Hames via cfe-dev
A typo in my OP broke the link to the document on Google Docs.  Here is the link:
https://docs.google.com/document/d/1xXBH6rRZue4f296vGt9YQcuLVQHeE516stHwt8M9xyU/edit

Here is more specifically what I am looking for:
In GCC, it is published that the stack protector option levels do the following things (this is in the linked document):
-fno-stack-protector: No protection.
-fstack-protector: Protection for functions in which either of the following is true:
   * The function uses alloca
   * There is a char array that is bigger than 8 bytes (actually, bigger than whatever SSP_BUFFER_SIZE is)
-fstack-protector-all: Protection for all functions - no heuristic.
-fstack-protector-strong: Protection for functions in which any of the following is true:
   * Any the address of any local variable used in the RHS of an assignment
   * Any local variable is passed by reference to a function
   * There is *any* array, regardless of array type or length
   * There is a struct/union containing an array
   * There are register local variables

(Also, the stack data is rearranged such that variables are at lower addresses than buffers.)

What about on Clang? What specifically does -fstack-protector protect? What specifically does -fstack-protector-strong protect?  Is it exactly the same definition as in GCC?

Thanks!


On Thu, Apr 27, 2017 at 4:14 PM, 陳韋任 <[hidden email]> wrote:

>
> Is this https://clang.llvm.org/docs/ClangCommandLineReference.html what you are looking at?
> Under the Clang source directory, `grep -r "stack-protector" docs/*` gives the following result:
>
>   docs/ClangCommandLineReference.rst:.. option:: -fstack-protector, -fno-stack-protector
>   docs/ClangCommandLineReference.rst:.. option:: -fstack-protector-all
>   docs/ClangCommandLineReference.rst:.. option:: -fstack-protector-strong
>   docs/DiagnosticsReference.rst:-Wstack-protector
>
> Or you can goole with "stack protector site:http://lists.llvm.org/pipermail/cfe-dev/" to find something
> on the cfe-dev mailing list. I think that's all you can find.
>
> Regards,
> chenwj
>
>
> 2017-04-28 1:20 GMT+08:00 Yaron Shragai via cfe-dev <[hidden email]>:
>>
>> Hello,
>>
>> I see documentation out there for the levels of stack-protector in GCC: Regular protects functions that have buffers or that use alloca(), all protects all functions, strong protects functions with the conditions listed in para 3 in this doc: https://docs.google.com/document/d/1xXBH6rRZue4f296vGt9YQcuLVQHeE516stHwt8M9xyU/editAlso, in GCC, stack-protector puts variables below buffers on the stack (i.e., higher up the stack).
>>
>> I'm having trouble finding similar documentation for Clang. (Even if it's just an official statement that "Clang does the same thing as GCC.")
>>
>> Thanks!
>>
>>
>>
>> _______________________________________________
>> cfe-dev mailing list
>> [hidden email]
>> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>>
>
>
>
> --
> Wei-Ren Chen (陳韋任)
> Homepage: https://people.cs.nctu.edu.tw/~chenwj
_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: What do the different stack-protector levels protect in Clang?

Lang Hames via cfe-dev
In reply to this post by Lang Hames via cfe-dev
A typo in my OP broke the link to the document on Google Docs.  Here is the link:
https://docs.google.com/document/d/1xXBH6rRZue4f296vGt9YQcuLVQHeE516stHwt8M9xyU/edit

Here is more specifically what I am looking for:
In GCC, it is published that the stack protector option levels do the following things (this is in the linked document):
-fno-stack-protector: No protection.
-fstack-protector: Protection for functions in which either of the following is true:
   * The function uses alloca
   * There is a char array that is bigger than 8 bytes (actually, bigger than whatever SSP_BUFFER_SIZE is)
-fstack-protector-all: Protection for all functions - no heuristic.
-fstack-protector-strong: Protection for functions in which any of the following is true:
   * Any the address of any local variable used in the RHS of an assignment
   * Any local variable is passed by reference to a function
   * There is *any* array, regardless of array type or length
   * There is a struct/union containing an array
   * There are register local variables

(Also, the stack data is rearranged such that variables are at lower addresses than buffers.)

What about on Clang? What specifically does -fstack-protector protect? What specifically does -fstack-protector-strong protect?  Is it exactly the same definition as in GCC?

Thanks!



On Thu, Apr 27, 2017 at 4:14 PM, 陳韋任 <[hidden email]> wrote:

>
> Is this https://clang.llvm.org/docs/ClangCommandLineReference.html what you are looking at?
> Under the Clang source directory, `grep -r "stack-protector" docs/*` gives the following result:
>
>   docs/ClangCommandLineReference.rst:.. option:: -fstack-protector, -fno-stack-protector
>   docs/ClangCommandLineReference.rst:.. option:: -fstack-protector-all
>   docs/ClangCommandLineReference.rst:.. option:: -fstack-protector-strong
>   docs/DiagnosticsReference.rst:-Wstack-protector
>
> Or you can goole with "stack protector site:http://lists.llvm.org/pipermail/cfe-dev/" to find something
> on the cfe-dev mailing list. I think that's all you can find.
>
> Regards,
> chenwj
>
>
> 2017-04-28 1:20 GMT+08:00 Yaron Shragai via cfe-dev <[hidden email]>:
>>
>> Hello,
>>
>> I see documentation out there for the levels of stack-protector in GCC: Regular protects functions that have buffers or that use alloca(), all protects all functions, strong protects functions with the conditions listed in para 3 in this doc: https://docs.google.com/document/d/1xXBH6rRZue4f296vGt9YQcuLVQHeE516stHwt8M9xyU/editAlso, in GCC, stack-protector puts variables below buffers on the stack (i.e., higher up the stack).
>>
>> I'm having trouble finding similar documentation for Clang. (Even if it's just an official statement that "Clang does the same thing as GCC.")
>>
>> Thanks!
>>
>>
>>
>> _______________________________________________
>> cfe-dev mailing list
>> [hidden email]
>> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>>
>
>
>
> --
> Wei-Ren Chen (陳韋任)
> Homepage: https://people.cs.nctu.edu.tw/~chenwj

_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: What do the different stack-protector levels protect in Clang?

Lang Hames via cfe-dev
Yes, clang's implementation of stack protection is based on the same spec as GCC.

-fstack-protector: Emits stack smashing protectors in the form of
a “canary” — a random value placed on the stack before the local
variables that’s checked upon return from the function to see if it has
been overwritten. A heuristic is used to determine if a function needs
stack protectors or not. The heuristic used will enable protectors for
functions with:
  * Character arrays larger than ssp-buffer-size (default 8).
  * Aggregates containing character arrays larger than ssp-buffer-size.
  * Calls to alloca() with variable sizes or constant sizes greater than ssp-buffer-size.

Variables that are identified as requiring a protector will be
arranged on the stack such that they are adjacent to the stack
protector guard.

-fstack-protector-strong: This uses a strong heuristic when determining
if a function needs stack protectors. The strong heuristic will enable
protectors for functions with:
  * Arrays of any size and type
  * Aggregates containing an array of any size and type.
  * Calls to alloca().
  * Local variables that have had their address taken.

Variables that are identified as requiring a protector will be arranged
on the stack such that they are adjacent to the stack protector guard.
The specific layout rules are:
  * Large arrays and structures containing large arrays (>=
    ssp-buffer-size) are closest to the stack protector.
  * Small arrays and structures containing small arrays (<
    ssp-buffer-size) are 2nd closest to the protector.
  * Variables that have had their address taken are 3rd closest to the protector.

-fstack-protector-all:  Every function will have a stack smashing protector.
Variable layout rules follow the same as -fstack-protector-strong.


Clang doesn't have especially detailed documentation for these options
at the moment, that would be a nice contribution to the user manual.
LLVM has documentation for the IR attributes that correspond to each
level.  It is probably too low level for the casual users, but the
descriptions do provide a decent summary of the heuristic at each ssp
level (which I paraphrased above):
http://llvm.org/docs/LangRef.html#function-attributes


HTH,
 - Josh


At 1493344174 seconds past the Epoch, Yaron Shragai via cfe-dev wrote:

> A typo in my OP broke the link to the document on Google Docs.  Here is the
> link:
> https://docs.google.com/document/d/1xXBH6rRZue4f296vGt9YQcuLVQHeE
> 516stHwt8M9xyU/edit
>
> Here is more specifically what I am looking for:
> In GCC, it is published that the stack protector option levels do the
> following things (this is in the linked document):
> -fno-stack-protector: No protection.
> -fstack-protector: Protection for functions in which either of the
> following is true:
>    * The function uses alloca
>    * There is a char array that is bigger than 8 bytes (actually, bigger
> than whatever SSP_BUFFER_SIZE is)
> -fstack-protector-all: Protection for all functions - no heuristic.
> -fstack-protector-strong: Protection for functions in which any of the
> following is true:
>    * Any the address of any local variable used in the RHS of an assignment
>    * Any local variable is passed by reference to a function
>    * There is *any* array, regardless of array type or length
>    * There is a struct/union containing an array
>    * There are register local variables
>
> (Also, the stack data is rearranged such that variables are at lower
> addresses than buffers.)
>
> What about on Clang? What specifically does -fstack-protector protect? What
> specifically does -fstack-protector-strong protect?  Is it exactly the same
> definition as in GCC?
>
> Thanks!
>
>
>
> On Thu, Apr 27, 2017 at 4:14 PM, 陳韋任 <[hidden email]> wrote:
> >
> > Is this https://clang.llvm.org/docs/ClangCommandLineReference.html what
> you are looking at?
> > Under the Clang source directory, `grep -r "stack-protector" docs/*`
> gives the following result:
> >
> >   docs/ClangCommandLineReference.rst:.. option:: -fstack-protector,
> -fno-stack-protector
> >   docs/ClangCommandLineReference.rst:.. option:: -fstack-protector-all
> >   docs/ClangCommandLineReference.rst:.. option:: -fstack-protector-strong
> >   docs/DiagnosticsReference.rst:-Wstack-protector
> >
> > Or you can goole with "stack protector site:http://lists.llvm.org/
> pipermail/cfe-dev/" to find something
> > on the cfe-dev mailing list. I think that's all you can find.
> >
> > Regards,
> > chenwj
> >
> >
> > 2017-04-28 1:20 GMT+08:00 Yaron Shragai via cfe-dev <
> [hidden email]>:
> >>
> >> Hello,
> >>
> >> I see documentation out there for the levels of stack-protector in GCC:
> Regular protects functions that have buffers or that use alloca(), all
> protects all functions, strong protects functions with the conditions
> listed in para 3 in this doc: https://docs.google.com/document/d/
> 1xXBH6rRZue4f296vGt9YQcuLVQHeE516stHwt8M9xyU/editAlso, in GCC,
> stack-protector puts variables below buffers on the stack (i.e., higher up
> the stack).
> >>
> >> I'm having trouble finding similar documentation for Clang. (Even if
> it's just an official statement that "Clang does the same thing as GCC.")
> >>
> >> Thanks!
> >>
> >>
> >>
> >> _______________________________________________
> >> cfe-dev mailing list
> >> [hidden email]
> >> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
> >>
> >
> >
> >
> > --
> > Wei-Ren Chen (陳韋任)
> > Homepage: https://people.cs.nctu.edu.tw/~chenwj

> _______________________________________________
> cfe-dev mailing list
> [hidden email]
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Loading...