On 08/16/2016 10:44 AM, Jakub Jelinek wrote:
On Tue, Aug 16, 2016 at 10:27:58AM -0600, Jeff Law wrote:
I think you're being rather short-sighed here. GCC is being used in ways we
can't necessarily predict -- which might include compile servers, JITs, web
services, etc.
For compile server/web services one needs to add the protection outside of
gcc (sandboxing, containers, SELinux, limiting CPU and/or memory, etc.),
because even with very short testcases e.g. in C/C++ one can eat arbitrary
amounts of stack even without any uses of alloca in the compiler, simply
through deep recursion in the parsers etc.
Agreed. However, that doesn't mean we should not be locking down things
like alloca and other attack vectors.
The attack vector is so big that
trying to do something just about alloca is IMHO pointless, and we really
don't want to fight 20 gcc CVEs every day (1:1 with most bugreports).
Alloca is really useful in the compiler IMO, it is significantly faster than
heap allocation, and that is what matters in many places a lot.
You have to start somewhere and we have the tools and willingness of an
engineer to tackle part of this problem. Simply giving up because it's
not a total solution is absurd.
jeff
