Subject: Re: ssp and gcc-4.1
To: None <tls@rek.tjls.com>
From: Jason Thorpe <thorpej@shagadelic.org>
List: tech-userlevel
Date: 11/07/2006 10:19:14
On Nov 7, 2006, at 10:16 AM, Thor Lancelot Simon wrote:

> On Tue, Nov 07, 2006 at 10:09:53AM -0800, Jason Thorpe wrote:
>>
>> Now, one would think that __builtin_alloca() would be OK with ssp --
>> after all, the compiler provides both, right?
>
> I thought this, too.  But I was wrong: the way SSP works, it has to know
> the maximum stack size before entry to each new function (creation of
> each new stack frame) or it can't know where to place the "canary".
>
> As Christos pointed out to me elsewhere, we can't really provide an
> interface by which alloca() can move the canary and inform the parent,
> because exploit code could use that interface, too.  :-/

Uh, even without an interface to do it, exploit code could certainly
move the canary anyway, right?

-- thorpej