Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stack overflow soundness #11

Closed
tarcieri opened this issue Jan 16, 2020 · 1 comment · Fixed by #12
Closed

Stack overflow soundness #11

tarcieri opened this issue Jan 16, 2020 · 1 comment · Fixed by #12

Comments

@tarcieri
Copy link
Contributor

It would be nice to have some sound way of handling stack overflow. This is presently an unsolved upstream problem for non-x86/x86_64 platforms:

rust-lang/rust#43241

It seems like the best solution is to implement stack probes for ARM in upstream Rust.
@japaric
Copy link
Collaborator

japaric commented Jan 17, 2020

We should be able to address this without runtime checks by flipping the layout of the program memory as explained in this blog post. Under the hood this requires running the linker twice but from the point of the view of the application author they only have install a linker wrapper and use that linker instead of rustc's lld. We can set the linker wrapper as the default linker in the application template and even make the linking of applications fail if they don't use that specific linker wrapper.

With that in place stack overflows will make one of the exception handlers (DataAbort I think) run. That exeception handler should not use the main stack itself or that will result in infinite recursion. Though we can also reserve some small amount of memory for that specific exception handler. In any case, this exception handler should not be fully customizable (that'd be too error prone since it runs in environment with zero or very little memory available for the stack) but instead you should only be able to pick among some sane options like ... reset the SoC, I guess. There aren't too many things you can do if you exhausted the memory dedicated to the stack.

japaric added a commit that referenced this issue Jan 17, 2020
@japaric
add stack overflow protection
7e59c1e 
linking now must be done using the `flip-lld` linker wrapper (this is the
default for all the examples). This linker wrapper flips the standard memory
layout of programs so that the stack cannot overwrite unrelated memory when it
grows in an unbounded fashion. More details can be found in the blog post:
https://blog.japaric.io/stack-overflow-protection/

Stack overflows will now trigger a "data abort" (hardware) exception when memory
is exhausted. The handler for this exception will print a message to the
console (using the `Serial` API) and then reboot the SoC. An example has been
added to demo this behavior.

closes #11
@japaric japaric mentioned this issue Jan 17, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

add stack overflow protection iqlusioninc/usbarmory.rs
2 participants
@tarcieri @japaric