Subject: Re: ssp and gcc-4.1
To: None <>
From: Jason Thorpe <>
List: tech-userlevel
Date: 11/07/2006 10:19:14
On Nov 7, 2006, at 10:16 AM, Thor Lancelot Simon wrote:

> On Tue, Nov 07, 2006 at 10:09:53AM -0800, Jason Thorpe wrote:
>> Now, one would think that __builtin_alloca() would be OK with ssp --
>> after all, the compiler provides both, right?
> I thought this, too.  But I was wrong: the way SSP works, it has to  
> know
> the maximum stack size before entry to each new function (creation of
> each new stack frame) or it can't know where to place the "canary".
> As Christos pointed out to me elsewhere, we can't really provide an
> interface by which alloca() can move the canary and inform the parent,
> because exploit code could use that interface, too.  :-/

Uh, even without an interface to do it, exploit code could certainly  
move the canary anyway, right?

-- thorpej