This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: why Glibc does not build with clang?
- From: Florian Weimer <fweimer at redhat dot com>
- To: Will Newton <will dot newton at linaro dot org>
- Cc: Konstantin Serebryany <konstantin dot s dot serebryany at gmail dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Fri, 16 May 2014 14:44:22 +0200
- Subject: Re: why Glibc does not build with clang?
- Authentication-results: sourceware.org; auth=none
- References: <CAGQ9bdw135gBO+cTQx3Ws1GrRgFsi8-j=Y_mZ=ixebpPzB4gXw at mail dot gmail dot com> <53760025 dot 10204 at redhat dot com> <CANu=DmhF=PZBVHtOPw5ZMCHjcy6vqdCvrRvY+xO9hzfkjTCRQA at mail dot gmail dot com>
On 05/16/2014 02:37 PM, Will Newton wrote:
> I'm curious as to why you want to get rid of alloca?
There's no explicit checking if the stack has room for the requested
size. It is not always clear if the implied length check through the
explicit guard page prevents deliberate misuse of such alloca failures
for nefarious purposes. So we risk having crashes (already quite bad)
and often cannot rule out any further security impact beyond the crash
(worse).
Same thing applies to VLAs on the stack, obviously.
GCC could provide fairly cheap instrumentation (both in terms of code
size and execution speed) that turns alloca failures (and too-large
VLAs) into reliable crashes, but that GCC feature is currently somewhat
broken and not usable at all.
--
Florian Weimer / Red Hat Product Security Team
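The point Florian raises above is that a bare alloca or VLA carries no size check of its own, so an oversized request is caught only if it happens to land on the guard page. The usual mitigation is to bound what goes on the stack and send anything larger to the heap, where failure is an explicit NULL rather than a fault. The following is an added illustration of that pattern, not code from this thread or from glibc; the cutoff value, the function names and the constructed long directory name are assumptions.

```c
#include <alloca.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical cutoff in bytes: the largest temporary buffer we are
   willing to place on the stack. Larger requests go to malloc, whose
   failure is reported as NULL instead of a guard-page fault.  */
#define ALLOCA_CUTOFF 1024

/* Looks up "dir/name". Returns 1 if it exists, 0 if it does not,
   -1 if the temporary buffer could not be allocated.  */
int path_exists(const char *dir, const char *name)
{
    size_t dlen = strlen(dir), nlen = strlen(name);
    size_t total = dlen + 1 + nlen + 1;      /* dir + '/' + name + NUL */
    int on_heap = total > ALLOCA_CUTOFF;     /* decide BEFORE allocating */
    char *path;
    if (on_heap) {
        path = malloc(total);
        if (path == NULL)
            return -1;                       /* explicit, checkable failure */
    } else {
        path = alloca(total);                /* bounded, so no unchecked growth */
    }

    memcpy(path, dir, dlen);
    path[dlen] = '/';
    memcpy(path + dlen + 1, name, nlen + 1);

    int found = access(path, F_OK) == 0;
    if (on_heap)
        free(path);
    return found;
}

/* Constructed input for exercising the heap branch: a directory name of
   LEN 'a' characters. For LEN > ALLOCA_CUTOFF the lookup never touches
   alloca; the name exceeds NAME_MAX, so the result is "not found".  */
int probe_long_dir(size_t len)
{
    char *dir = malloc(len + 1);
    if (dir == NULL)
        return -1;
    memset(dir, 'a', len);
    dir[len] = '\0';
    int rc = path_exists(dir, "x");
    free(dir);
    return rc;
}
```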