Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sess: stabilize -C stack-protector=all #121742

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

sess: stabilize -C stack-protector=all #121742

wants to merge 1 commit into from

Conversation

davidtwco
Copy link
Member

cc #114903
r? @nikic

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. labels Feb 28, 2024
@davidtwco
Copy link
Member Author

davidtwco commented Feb 28, 2024
edited

Stabilization report

Stack smashing protection is a codegen option (just enabling this support in LLVM). It inserts stack canaries into functions to detect when stack smashing occurs. Stack canaries are random guard values, which are checked for changes when returning.

Stack smashing has been implemented since 2021 and hasn't seen any significant changes since then. Only the all option for this flag is stabilized as the basic and strong options rely on LLVM heuristics which are unsuitable for Rust. There are a handful of examples of users requesting this stabilisation (#114903 (comment), #84197 (comment)).

Tests

History

Unresolved questions

  • This pull request only stabilizes -Zstack-protector=all as -Cstack-protector=all, and does not stabilize -Zstack-protector=basic or -Zstack-protector=strong as these options rely on LLVM heuristics which are not suitable for Rust - we should check that -Zstack-protector=all is definitely okay.

@rust-log-analyzer

This comment has been minimized.

Sign in to view
@erikdesjardins erikdesjardins mentioned this pull request Feb 28, 2024
Closed
@davidtwco davidtwco force-pushed the stabilize-stack-protector-all branch from 3f24544 to 74a3ec1 Compare March 4, 2024 10:29
@rust-log-analyzer

This comment has been minimized.

Sign in to view
@nikic
Copy link
Contributor

nikic commented Mar 4, 2024

Stabilizing -C stack-protector=all should be fine. It still uses some potentially dubious heuristics for the frame layout, but we don't make specific guarantees about that.

That said, I find this stabilization somewhat dangerous due to the potential "security theater" it can enable. The value of stack protectors in Rust is much more tenuous than in C, and there is a danger that people will follow the logic "I use -fstack-protector for my C code, so I should enable stack protectors in Rust as well -- but it only supports -C stack-protector=all, so I guess I'll just have to use that!" and arrive at a very unfortunate end result.

@davidtwco davidtwco force-pushed the stabilize-stack-protector-all branch from 74a3ec1 to 5a36e35 Compare March 4, 2024 10:56
@davidtwco
Copy link
Member Author

That said, I find this stabilization somewhat dangerous due to the potential "security theater" it can enable. The value of stack protectors in Rust is much more tenuous than in C, and there is a danger that people will follow the logic "I use -fstack-protector for my C code, so I should enable stack protectors in Rust as well -- but it only supports -C stack-protector=all, so I guess I'll just have to use that!" and arrive at a very unfortunate end result.

I agree that this is a risk. I don't think that we should keep this unstable just because of a risk like this though, if this option is useful and appropriate for some users, then we allow it to be used on stable (absent other concerns). If this option is never useful or appropriate, then we should just remove it altogether, even on nightly.

If there is additional context I could add to the documentation for this option about when it is appropriate and when it is not, then I'd be happy to add that.

@nikic
Copy link
Contributor

nikic commented Mar 4, 2024

That said, I find this stabilization somewhat dangerous due to the potential "security theater" it can enable. The value of stack protectors in Rust is much more tenuous than in C, and there is a danger that people will follow the logic "I use -fstack-protector for my C code, so I should enable stack protectors in Rust as well -- but it only supports -C stack-protector=all, so I guess I'll just have to use that!" and arrive at a very unfortunate end result.

I agree that this is a risk. I don't think that we should keep this unstable just because of a risk like this though, if this option is useful and appropriate for some users, then we allow it to be used on stable (absent other concerns). If this option is never useful or appropriate, then we should just remove it altogether, even on nightly.

If there is additional context I could add to the documentation for this option about when it is appropriate and when it is not, then I'd be happy to add that.

Generally agree. Would love to hear from some people who are interested in using -C stack-protector=all to get a better idea on what the actual use case here is.

@bors

This comment was marked as resolved.

Sign in to view
@davidtwco davidtwco force-pushed the stabilize-stack-protector-all branch from 5a36e35 to 1a07748 Compare March 11, 2024 10:23
@bors

This comment was marked as resolved.

Sign in to view
@davidtwco davidtwco force-pushed the stabilize-stack-protector-all branch from 1a07748 to 0265cec Compare March 18, 2024 13:23
@rustbot rustbot added the PG-exploit-mitigations Project group: Exploit mitigations label Mar 18, 2024
@rustbot
Copy link
Collaborator

rustbot commented Mar 18, 2024

Some changes occurred in src/doc/rustc/src/exploit-mitigations.md

cc @rust-lang/project-exploit-mitigations, @rcvalle

Some changes occurred in tests/codegen/stack-protector.rs

cc @rust-lang/project-exploit-mitigations, @rcvalle

Some changes occurred in tests/ui/stack-protector

cc @rust-lang/project-exploit-mitigations, @rcvalle

@bors

This comment was marked as resolved.

Sign in to view
@davidtwco davidtwco force-pushed the stabilize-stack-protector-all branch from 0265cec to 5cfa279 Compare April 8, 2024 10:49
@bors

This comment was marked as resolved.

Sign in to view
@davidtwco
sess: stabilize -C stack-protector=all
c4eaf05 
Signed-off-by: David Wood <david@davidtw.co>
@davidtwco davidtwco force-pushed the stabilize-stack-protector-all branch from 5cfa279 to c4eaf05 Compare April 16, 2024 12:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@nikic nikic

Labels
PG-exploit-mitigations Project group: Exploit mitigations S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@davidtwco @rust-log-analyzer @nikic @bors @rustbot