Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tracking Issue for stabilizing stack smashing protection (i.e., -Z stack-protector) #114903

Open
rcvalle opened this issue Aug 16, 2023 · 9 comments
Assignees
Labels
C-tracking-issue Category: An issue tracking the progress of sth. like the implementation of an RFC PG-exploit-mitigations Project group: Exploit mitigations

Comments

@rcvalle
Copy link
Member

rcvalle commented Aug 16, 2023

This is a tracking issue for stabilizing stack smashing protection (i.e., -Z stack-protector). The was added in #84197 without a tracking issue. There is also no feature gate for it.

As part of the work on reviewing previously-added support for exploit mitigations to the Rust compiler (see https://hackmd.io/@rcvalle/H1epy5Xqn), @luismerino and I, and also @wesleywiser reviewed the stack smashing protection option (i.e., -Z stack-protector) implementation and it looked good for stabilization, so we'd like to propose stabilizing it.

Steps

TBD.

Unresolved Questions

Is there any concern or anything that the community would like to see implemented before its stabilization?

Implementation history

@rcvalle rcvalle added the C-tracking-issue Category: An issue tracking the progress of sth. like the implementation of an RFC label Aug 16, 2023
@rcvalle rcvalle self-assigned this Aug 16, 2023
@rcvalle rcvalle added the PG-exploit-mitigations Project group: Exploit mitigations label Aug 16, 2023
@rcvalle rcvalle changed the title Tracking Issue for stabilizing stack smashing protection (i.e., -C stack-protector) Tracking Issue for stabilizing stack smashing protection (i.e., -Z stack-protector) Aug 17, 2023
@nikic
Copy link
Contributor

nikic commented Oct 13, 2023

Concern: The heuristics for -Z stack-protector=strong and -Z stack-protector=basic do not work in any sensible manner for LLVM IR produced by rustc. If we want to stabilize these options, they need to be re-implemented in a completely different way that is based on annotations provided by the front-end, rather than (policy-violating) IR type analysis in the backend.

I believe the only option that has well-defined semantics for rust is -Z stack-protector=all.

@rcvalle
Copy link
Member Author

rcvalle commented Oct 16, 2023

Hey @nikic! Thanks for bringing this up! Do you have any examples of this? Are you referring to any of the cases listed at https://github.com/rust-lang/rust/blob/master/tests/assembly/stack-protector/stack-protector-heuristics-effect.rs (e.g., array_char, local_string_addr_taken, or the alloca cases)?

@nikic
Copy link
Contributor

nikic commented Oct 17, 2023

@rcvalle If you look at the history of the file, you will see that the behavior changes occasionally. This is an artifact of exposing compiler implementation details and should not happen.

You can find the implementation of these heuristics here: https://github.com/llvm/llvm-project/blob/52db7e27458f774fa0c6c6a864ce197fa071a230/llvm/lib/CodeGen/StackProtector.cpp#L125

The type argument is the alloca type, which should generally only be inspected for size and alignment. There are at least two ways in which this can go wrong:

  • Structs may include [n x iM] as padding to satisfy alignment requirements. This may end up triggering array heuristics where no actual arrays are involved.
  • Arrays in Rust are often wrapped in structs like { [n x %T] }, which affects heuristics.

There are long-term plans to always emit [n x i8] types to insulate us from (precisely this kind of) LLVM stupidity, and that should not have an effect on heuristics.

@daira
Copy link
Contributor

daira commented Jan 29, 2024

What's the current progress? Re: @nikic 's comment, can/should -Z stack-protector=all be stabilized on its own for now?

@rcvalle
Copy link
Member Author

rcvalle commented Mar 13, 2024

What's the current progress? Re: @nikic 's comment, can/should -Z stack-protector=all be stabilized on its own for now?

Sorry for the late reply. I'm planning to resume working on this soon. In the meantime, @davidtwco is working on stabilizing -Z stack-protector=all so we might get it stabilized before then.

@marmeladema
Copy link
Contributor

I just saw in the stabilization PR that people are asking for use cases and I wonder if the issue I am facing is a good one.

I am running rust code as a shared library in a (big) C process with lots of other deps etc but it happens that I get crashes in a "pure" rust thread from time to time and I haven't been able to find a root cause for now.
And in some cases, the stack is completely trashed and I was thinking that maybe enabling stack-protection would crash the process sooner, maybe at a point which would help me understand the problem better.

At least that's something I would have wanted to try to see if it helps at all and that's how I ended up here :)
Is this a valid use case?

cc @nikic @davidtwco

@lxy19980601
Copy link
Contributor

Concern: The heuristics for -Z stack-protector=strong and -Z stack-protector=basic do not work in any sensible manner for LLVM IR produced by rustc. If we want to stabilize these options, they need to be re-implemented in a completely different way that is based on annotations provided by the front-end, rather than (policy-violating) IR type analysis in the backend.

I believe the only option that has well-defined semantics for rust is -Z stack-protector=all.

Is there any cases showing -Z stack-protector=strong and -Z stack-protector=basic do not work` ? And are there any plans to re-implement these two options?

@nikic
Copy link
Contributor

nikic commented Sep 12, 2024

@marmeladema So ... did you actually try it, using a nightly compiler or RUSTC_BOOTSTRAP=1? I'd say that that is definitely not an intended use case for the feature (your use case seems more like a case for -Z sanitizer=address), but it would still be good to know it would actually help find the issue or not.

@the8472
Copy link
Member

the8472 commented Nov 11, 2024

Doesn't this require -Zbuild-std anyway to get full coverage?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
C-tracking-issue Category: An issue tracking the progress of sth. like the implementation of an RFC PG-exploit-mitigations Project group: Exploit mitigations
Projects
None yet
Development

No branches or pull requests

6 participants