Subject: Re: ssp and gcc-4.1
To: None <email@example.com>
From: Jason Thorpe <firstname.lastname@example.org>
Date: 11/07/2006 10:19:14
On Nov 7, 2006, at 10:16 AM, Thor Lancelot Simon wrote:
> On Tue, Nov 07, 2006 at 10:09:53AM -0800, Jason Thorpe wrote:
>> Now, one would think that __builtin_alloca() would be OK with ssp --
>> after all, the compiler provides both, right?
> I thought this, too. But I was wrong: the way SSP works, it has to know
> the maximum stack size before entry to each new function (creation of
> each new stack frame) or it can't know where to place the "canary".
> As Christos pointed out to me elsewhere, we can't really provide an
> interface by which alloca() can move the canary and inform the parent,
> because exploit code could use that interface, too. :-/
Uh, even without an interface to do it, exploit code could certainly
move the canary anyway, right?
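To make the placement question concrete, here is an added example that is not code from the thread or from NetBSD/gcc: a toy model of an SSP-protected frame, simulated inside a heap buffer so that the "overflows" are defined behaviour. The layout follows what gcc's -fstack-protector prologue produces on a downward-growing stack: the canary sits directly below the saved return address and above every local buffer, and alloca() space is carved out below the fixed-size locals at run time. The sizes, the canary bytes and the RET_FILL stand-in for the return address are constructed for the demonstration; a real SSP loads the canary from __stack_chk_guard and calls __stack_chk_fail() when the epilogue check fails.

```c
/* Added example (not from the mailing-list thread): toy model of an
 * SSP-protected stack frame, simulated in a heap buffer. Index 0 of the
 * buffer is the lowest address; the saved return address is at the top. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RET_SIZE    8u   /* saved return address */
#define CANARY_SIZE 8u
#define LOCALS_SIZE 32u  /* fixed-size locals, known at compile time */
#define RET_FILL    0xAA /* constructed stand-in for the real return address */

/* Constructed canary value; real SSP reads it from __stack_chk_guard. */
static const uint8_t CANARY[CANARY_SIZE] =
    {0x00, 0xde, 0xad, 0xbe, 0xef, 0x13, 0x37, 0x42};

struct frame {
    uint8_t *mem;        /* whole simulated frame */
    size_t total;
    size_t locals_off;   /* alloca region is [0, locals_off) */
    size_t canary_off;
    size_t ret_off;
};

/* Lay out a frame. alloca_bytes is the only run-time quantity; the
 * canary's distance from the return address is fixed by the prologue. */
static struct frame frame_new(size_t alloca_bytes)
{
    struct frame f;
    f.total = alloca_bytes + LOCALS_SIZE + CANARY_SIZE + RET_SIZE;
    f.mem = calloc(f.total, 1);
    if (f.mem == NULL) abort();
    f.locals_off = alloca_bytes;
    f.ret_off = f.total - RET_SIZE;
    f.canary_off = f.ret_off - CANARY_SIZE;
    memcpy(f.mem + f.canary_off, CANARY, CANARY_SIZE);
    memset(f.mem + f.ret_off, RET_FILL, RET_SIZE);
    return f;
}

/* Epilogue check: __stack_chk_fail() would run when this returns 0. */
static int frame_canary_intact(const struct frame *f)
{
    return memcmp(f->mem + f->canary_off, CANARY, CANARY_SIZE) == 0;
}

static int frame_ret_intact(const struct frame *f)
{
    for (size_t i = 0; i < RET_SIZE; i++)
        if (f->mem[f->ret_off + i] != RET_FILL) return 0;
    return 1;
}

enum outcome { CLEAN = 0, CAUGHT = 1, BYPASSED = 2 };

/* Simulate a write of 'len' bytes starting at frame offset 'start' and
 * running toward higher addresses, clipped at the top of the frame.
 * Returns what the epilogue check would conclude. */
static enum outcome overflow(size_t alloca_bytes, size_t start, size_t len)
{
    struct frame f = frame_new(alloca_bytes);
    enum outcome r;
    if (start < f.total) {
        size_t n = len < f.total - start ? len : f.total - start;
        memset(f.mem + start, 'A', n);
    }
    if (!frame_canary_intact(&f))   r = CAUGHT;   /* abort before the return address is used */
    else if (!frame_ret_intact(&f)) r = BYPASSED; /* return address changed, canary untouched */
    else                            r = CLEAN;
    free(f.mem);
    return r;
}

/* Contiguous overrun of a fixed-size local buffer. */
static enum outcome overflow_from_locals(size_t alloca_bytes, size_t len)
{
    return overflow(alloca_bytes, alloca_bytes, len);
}

/* Contiguous overrun of an alloca()'d buffer at the bottom of the frame. */
static enum outcome overflow_from_alloca(size_t alloca_bytes, size_t len)
{
    return overflow(alloca_bytes, 0, len);
}

int main(void)
{
    printf("locals +1 byte:      %d\n", overflow_from_locals(0, LOCALS_SIZE + 1));
    printf("alloca(64) +200:     %d\n", overflow_from_alloca(64, 200));
    printf("direct write to ret: %d\n", overflow(0, LOCALS_SIZE + CANARY_SIZE, RET_SIZE));
    return 0;
}
```

The last case in main is the one Jason's question points at: a write that lands on the return address without passing through the canary (an arbitrary-write primitive rather than a contiguous overrun) is reported as BYPASSED, because a canary only detects corruption that runs across it.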