LLVM has supported SafeStack instrumentation to protect against stack buffer overflows since version 3.7.

From https://clang.llvm.org/docs/SafeStack.html: "It works by separating the program stack into two distinct regions: the safe stack and the unsafe stack. The safe stack stores return addresses, register spills, and local variables that are always accessed in a safe way, while the unsafe stack stores everything else. This separation ensures that buffer overflows on the unsafe stack cannot be used to overwrite anything on the safe stack."

Unfortunately, the use of two stack regions does not cope well with QEMU's coroutines. The second stack region is not properly set up with either ucontext or sigaltstack, so multiple coroutines end up sharing the same memory area for the unsafe stack, causing undefined behaviors at runtime (and most iochecks to fail).

This patch series fixes the implementation of the ucontext backend and makes sure that sigaltstack is never used if the compiler is applying the SafeStack instrumentation. It also adds a configure flag to enable SafeStack, and enables iotests when SafeStack is used.

This is an RFC mainly because of the low-level use of the SafeStack runtime. When running swapcontext(), we have to manually set the unsafe stack pointer to the new area allocated for the coroutine. LLVM does not allow this through a builtin, so we have to use implementation details that may change in the future.

This patch has been tested briefly (make check on an x86 system) with clang v3.9, v4.0, v5.0, v6.0. Heavier testing, with make check-acceptance, has been performed with clang v7.0.

Daniele Buono (4):
  coroutine: support SafeStack in ucontext backend
  coroutine: Add check for SafeStack in sigaltstack
  configure: add flag to enable SafeStack
  check-block: Enable iotests with SafeStack

 configure                    | 29 +++++++++++++++++++++++++++++
 include/qemu/coroutine_int.h |  6 ++++++
 tests/check-block.sh         | 12 +++++++++++-
 util/coroutine-sigaltstack.c |  4 ++++
 util/coroutine-ucontext.c    | 25 +++++++++++++++++++++++++
 5 files changed, 75 insertions(+), 1 deletion(-)

-- 
2.26.2
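The failure mode the cover letter describes, and the shape of the fix, as an added example written for this page (it is not code from the series or from QEMU): each ucontext coroutine gets its own unsafe-stack region, and the context switch saves the running coroutine's unsafe stack pointer and installs the target's before calling swapcontext(). It assumes that compiler-rt's SafeStack runtime exposes the unsafe stack pointer as the thread-local `__safestack_unsafe_stack_ptr` (an implementation detail, exactly the kind the RFC warns about); when the example is not built with `-fsanitize=safe-stack`, a local thread-local of the same role stands in so the save/restore logic still runs and can be checked. The coroutine structure and function names are this example's own.

```c
/* Added example: ucontext coroutines that switch the SafeStack unsafe stack
 * together with the register context. Not QEMU's code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <ucontext.h>

#if defined(__has_feature)
#  if __has_feature(safe_stack)
#    define HAVE_SAFESTACK 1
#  endif
#endif

#ifdef HAVE_SAFESTACK
/* Assumption: compiler-rt keeps the unsafe stack pointer in this TLS variable.
 * It is a runtime implementation detail, not a public API. */
extern __thread void *__safestack_unsafe_stack_ptr;
#  define UNSAFE_SP __safestack_unsafe_stack_ptr
#else
/* Stand-in so the example runs without SafeStack instrumentation. */
static __thread void *demo_unsafe_stack_ptr;
#  define UNSAFE_SP demo_unsafe_stack_ptr
#endif

#define STACK_SIZE (64 * 1024)

typedef struct Coroutine {
    ucontext_t uc;
    void *stack;            /* safe stack: return addresses, register spills */
    void *unsafe_stack;     /* region for address-taken locals and arrays */
    void *unsafe_stack_ptr; /* unsafe SP saved while this coroutine is suspended */
    int finished;
} Coroutine;

static Coroutine main_co;             /* the creating thread's context */
static Coroutine *current = &main_co;
static int steps_done;

/* Without the two UNSAFE_SP lines every coroutine would keep using the
 * creator's unsafe stack region, and their frames would overlap. */
static void coroutine_switch(Coroutine *from, Coroutine *to)
{
    from->unsafe_stack_ptr = UNSAFE_SP;   /* remember where we were */
    UNSAFE_SP = to->unsafe_stack_ptr;     /* point at the target's region */
    current = to;
    swapcontext(&from->uc, &to->uc);
}

static void coroutine_trampoline(void)
{
    Coroutine *self = current;
    /* Address-taken buffer: under SafeStack this is carved from the unsafe
     * stack, i.e. from self->unsafe_stack rather than the creator's region. */
    char buf[64];
    snprintf(buf, sizeof buf, "coroutine step %d", steps_done + 1);
    steps_done++;
    coroutine_switch(self, &main_co);     /* yield once */
    steps_done++;
    self->finished = 1;
    coroutine_switch(self, &main_co);     /* final hand-back, never returns */
}

static Coroutine *coroutine_new(void)
{
    Coroutine *co = calloc(1, sizeof *co);
    co->stack = malloc(STACK_SIZE);
    co->unsafe_stack = malloc(STACK_SIZE);
    getcontext(&co->uc);
    co->uc.uc_stack.ss_sp = co->stack;
    co->uc.uc_stack.ss_size = STACK_SIZE;
    co->uc.uc_link = &main_co.uc;
    makecontext(&co->uc, coroutine_trampoline, 0);
    /* Stacks grow down: the unsafe SP starts at the top of its own region. */
    co->unsafe_stack_ptr = (char *)co->unsafe_stack + STACK_SIZE;
    return co;
}

/* 1 if the unsafe SP saved for a suspended coroutine lies inside its region. */
static int unsafe_sp_in_own_region(const Coroutine *co)
{
    uintptr_t lo = (uintptr_t)co->unsafe_stack;
    uintptr_t p = (uintptr_t)co->unsafe_stack_ptr;
    return p > lo && p <= lo + STACK_SIZE;
}

/* Runs one coroutine to completion; returns the step count (2) or -1. */
int run_demo(void)
{
    steps_done = 0;
    Coroutine *co = coroutine_new();
    coroutine_switch(&main_co, co);       /* step 1, coroutine yields */
    int ok = unsafe_sp_in_own_region(co); /* its unsafe SP must be its own */
    coroutine_switch(&main_co, co);       /* step 2, coroutine finishes */
    ok = ok && co->finished && steps_done == 2;
    free(co->unsafe_stack);
    free(co->stack);
    free(co);
    return ok ? steps_done : -1;
}

int main(void)
{
    printf("run_demo() = %d\n", run_demo());
    return 0;
}
```

Built with `clang -fsanitize=safe-stack`, the instrumented trampoline moves the runtime's unsafe stack pointer down inside `co->unsafe_stack` for `buf`; without the flag, the stand-in pointer simply stays at the top of the region. In both cases the check in `run_demo()` confirms that the suspended coroutine's unsafe stack pointer is inside its own region and not shared with the creating thread.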