On 7/9/24 7:12 AM, Christoph Müllner wrote:
On Tue, Jul 9, 2024 at 3:01 PM Kito Cheng <kito.ch...@sifive.com> wrote:

IIRC Jeff mentions that it may introduce buffer overflow if the input
string is long enough.

The manpage states:
   If the allocation causes stack overflow, program behavior is undefined.

This was considered reasonable for AArch64:
https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=gcc/config/aarch64/aarch64.cc;h=7f0cc47d0f071de9297068baa85c6d5fc4d7fa5b;hb=HEAD#l19408
So, my assumption was that it should be fine for RISC-V as well.
However, I won't insist on this patch.
The key question is whether or not the length can potentially be attacker controlled. If so, then alloca is highly unsafe. An attacker can arrange to alloca a much larger region, with the goal of shifting the stack into the heap, or performing an under allocation due to integer overflow+wrapping.

There's additional problems with alloca, but they're largely mitigated by stack clash which is typically on at the distro level, thankfully.

My position is unless there is a highly compelling reason, we should just avoid alloca. And compelling reasons are few and far between.


Jeff

Reply via email to