[Toybox] imgtec patch: Fix static linkage of toybox binary.

enh enh at google.com
Mon May 9 22:28:31 PDT 2016


On Mon, May 9, 2016 at 8:45 PM, Rob Landley <rob at landley.net> wrote:
> On 05/09/2016 04:43 PM, Evgenii Stepanov wrote:
>> Now, if we want to really preserve this check logic under safestack,
>> we will have to do something safestack-specific. There is no way to
>> keep pretending that there is a single, continuous stack region and
>> still get realistic results.
>
> If you can hide it in lib/platform.h and lib/platform.c, go for it.

(well, we don't need this... the "don't do the arithmetic if you're
NORECURSE" patch https://android-review.googlesource.com/#/c/223875/
is better for us.)

>> 1. Use __builtin_frame_pointer and __builtin___get_unsafe_stack_ptr().
>> They are supported whenever safestack is supported and can be
>> protected with simple preprocessor guards.
>> 2. Rely on safestack semantics to know which of the two stacks a
>> variable gets allocated on. This is embedding some knowledge about
>> safestack implementation (not just the ABI) into the application, but
>> it relies on the fundamental security promise of safestack and very
>> unlikely to change. For example, this line in my original patch:
>>   intptr_t volatile stackaddr = (intptr_t)&which;
>> leaks the address of "which" into a volatile location. Such variables
>> are guaranteed to be allocated on the "unsafe" stack.
>
> It's the _amount_ of stack I'm looking for. And the really vulnerable
> systems are the nommu ones that only have 64k of stack, but which also
> make exec more expensive...

His point is that with SafeStack you have two separate stacks (and the
unsafe stack is probably more interesting for your heuristic, because
it's where arrays would go).

>> (2) does not seem to have any advantage over (1). Would (1) be acceptable?
>
> Is __builtin_frame_pointer mentioned in C99? Is it portable to
> clang/llvm, and cfront/libfirm or if http://pcc.ludd.ltu.se/ revives or
> http://landley.net/qcc happens...?
>
> If not, lib/portability.* is the place #ifdef THINGY && THINGY code
> blocks for environment-specific stuff.

I think YAGNI... anyone running SafeStack is probably LP64 and
probably better off just using NORECURSE (with the small fix to not
maintain toys.stacktop).

> Rob



-- 
Elliott Hughes - http://who/enh - http://jessies.org/~enh/
Android native code/tools questions? Mail me/drop by/add me as a reviewer.
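The thread argues about how to measure "how much stack have I used" when SafeStack splits a thread's stack into a safe stack (return addresses, spilled registers, locals that are never address-taken) and an unsafe stack (arrays and anything whose address escapes). The following is an added, standalone C example written for this page; it is not toybox code and not code posted by anyone in the thread. It records a stack-top reference and measures usage from a recursive function with a 256-byte array per frame. On a plain gcc/clang build it uses `__builtin_frame_address(0)` (that is the builtin's actual spelling in gcc and clang); when compiled with `clang -fsanitize=safe-stack`, `__has_feature(safe_stack)` is true and it reads `__builtin___get_unsafe_stack_ptr()` instead, because the frame address would then only track the small safe stack while the arrays grow the unsafe one. The function names (`stack_used`, `stack_usage_at_depth`, `address_taken_probe`) and the 256-byte frame padding are this example's own choices, not anything from toybox.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifndef __has_feature
#define __has_feature(x) 0   /* gcc has no __has_feature; treat every feature as absent */
#endif

/* Reference point recorded once at the shallowest frame we care about.
 * Plays the role of a saved "stacktop"; the name is this example's, not toybox's. */
static uintptr_t stack_top;

/* Current position on the stack that actually grows as frames are pushed.
 * Without SafeStack there is one stack and the frame address tracks it.
 * Under SafeStack the frame address only follows the safe stack, so we ask
 * the runtime for the unsafe stack pointer, which is where arrays live. */
static uintptr_t current_stack_ptr(void) {
#if __has_feature(safe_stack)
  return (uintptr_t)__builtin___get_unsafe_stack_ptr();
#else
  return (uintptr_t)__builtin_frame_address(0);
#endif
}

/* Bytes consumed since stack_top was recorded, independent of growth direction. */
size_t stack_used(void) {
  uintptr_t sp = current_stack_ptr();
  return (size_t)(stack_top > sp ? stack_top - sp : sp - stack_top);
}

/* Option (2) from the thread, with no compiler builtin: a local whose address is
 * stored into a volatile is address-taken, and SafeStack places address-taken
 * locals on the unsafe stack, so this value is a probe of that stack.  Only the
 * integer value is returned; the object itself is gone once we return. */
uintptr_t address_taken_probe(void) {
  int which = 0;
  volatile uintptr_t leaked = (uintptr_t)&which;
  return leaked;
}

/* Recurse `depth` levels with a 256-byte array per frame and report usage at the
 * bottom.  The array is volatile and read back after the recursive call, so the
 * compiler can neither drop it nor convert the recursion into a tail call or a
 * loop; noinline keeps every level a real frame. */
__attribute__((noinline)) static size_t recurse(int depth) {
  volatile char pad[256];
  pad[0] = 1;
  if (depth == 0) return stack_used();
  size_t deeper = recurse(depth - 1);
  return deeper + pad[0] - 1;   /* pad[0] is still 1: contributes 0, keeps the frame live */
}

/* Record the reference point, then measure what `depth` nested frames cost. */
size_t stack_usage_at_depth(int depth) {
  stack_top = current_stack_ptr();
  return recurse(depth);
}

int main(void) {
  printf("stack used at depth 1:  %zu bytes\n", stack_usage_at_depth(1));
  printf("stack used at depth 16: %zu bytes\n", stack_usage_at_depth(16));
  printf("address-taken probe:    %#lx\n", (unsigned long)address_taken_probe());
  return 0;
}
```

Build it twice to see the point of the thread: a normal build reports at least 16 * 256 bytes at depth 16, and a `clang -fsanitize=safe-stack` build reports a similar figure only because the `__has_feature(safe_stack)` branch measures the unsafe stack; if you force the `__builtin_frame_address(0)` path under SafeStack, the 256-byte arrays vanish from the measurement, which is exactly the blind spot a single-stack heuristic has there.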

