Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sess: stabilize -C stack-protector=all #121742

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

davidtwco
Copy link
Member

cc #114903
r? @nikic

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. labels Feb 28, 2024
@davidtwco
Copy link
Member Author

davidtwco commented Feb 28, 2024

Stabilization report

Stack smashing protection is a codegen option (just enabling this support in LLVM). It inserts stack canaries into functions to detect when stack smashing occurs. Stack canaries are random guard values, which are checked for changes when returning.

Stack smashing has been implemented since 2021 and hasn't seen any significant changes since then. Only the all option for this flag is stabilized as the basic and strong options rely on LLVM heuristics which are unsuitable for Rust. There are a handful of examples of users requesting this stabilisation (#114903 (comment), #84197 (comment)).

Tests

History

Unresolved questions

  • This pull request only stabilizes -Zstack-protector=all as -Cstack-protector=all, and does not stabilize -Zstack-protector=basic or -Zstack-protector=strong as these options rely on LLVM heuristics which are not suitable for Rust - we should check that -Zstack-protector=all is definitely okay.

@rust-log-analyzer

This comment has been minimized.

@rust-log-analyzer

This comment has been minimized.

@nikic
Copy link
Contributor

nikic commented Mar 4, 2024

Stabilizing -C stack-protector=all should be fine. It still uses some potentially dubious heuristics for the frame layout, but we don't make specific guarantees about that.

That said, I find this stabilization somewhat dangerous due to the potential "security theater" it can enable. The value of stack protectors in Rust is much more tenuous than in C, and there is a danger that people will follow the logic "I use -fstack-protector for my C code, so I should enable stack protectors in Rust as well -- but it only supports -C stack-protector=all, so I guess I'll just have to use that!" and arrive at a very unfortunate end result.

@davidtwco davidtwco force-pushed the stabilize-stack-protector-all branch from 74a3ec1 to 5a36e35 Compare March 4, 2024 10:56
@davidtwco
Copy link
Member Author

That said, I find this stabilization somewhat dangerous due to the potential "security theater" it can enable. The value of stack protectors in Rust is much more tenuous than in C, and there is a danger that people will follow the logic "I use -fstack-protector for my C code, so I should enable stack protectors in Rust as well -- but it only supports -C stack-protector=all, so I guess I'll just have to use that!" and arrive at a very unfortunate end result.

I agree that this is a risk. I don't think that we should keep this unstable just because of a risk like this though, if this option is useful and appropriate for some users, then we allow it to be used on stable (absent other concerns). If this option is never useful or appropriate, then we should just remove it altogether, even on nightly.

If there is additional context I could add to the documentation for this option about when it is appropriate and when it is not, then I'd be happy to add that.

@nikic
Copy link
Contributor

nikic commented Mar 4, 2024

That said, I find this stabilization somewhat dangerous due to the potential "security theater" it can enable. The value of stack protectors in Rust is much more tenuous than in C, and there is a danger that people will follow the logic "I use -fstack-protector for my C code, so I should enable stack protectors in Rust as well -- but it only supports -C stack-protector=all, so I guess I'll just have to use that!" and arrive at a very unfortunate end result.

I agree that this is a risk. I don't think that we should keep this unstable just because of a risk like this though, if this option is useful and appropriate for some users, then we allow it to be used on stable (absent other concerns). If this option is never useful or appropriate, then we should just remove it altogether, even on nightly.

If there is additional context I could add to the documentation for this option about when it is appropriate and when it is not, then I'd be happy to add that.

Generally agree. Would love to hear from some people who are interested in using -C stack-protector=all to get a better idea on what the actual use case here is.

@bors

This comment was marked as resolved.

@davidtwco davidtwco force-pushed the stabilize-stack-protector-all branch from 5a36e35 to 1a07748 Compare March 11, 2024 10:23
@bors

This comment was marked as resolved.

@davidtwco davidtwco force-pushed the stabilize-stack-protector-all branch from 1a07748 to 0265cec Compare March 18, 2024 13:23
@rustbot rustbot added the PG-exploit-mitigations Project group: Exploit mitigations label Mar 18, 2024
@rustbot
Copy link
Collaborator

rustbot commented Mar 18, 2024

Some changes occurred in src/doc/rustc/src/exploit-mitigations.md

cc @rust-lang/project-exploit-mitigations, @rcvalle

Some changes occurred in tests/codegen/stack-protector.rs

cc @rust-lang/project-exploit-mitigations, @rcvalle

Some changes occurred in tests/ui/stack-protector

cc @rust-lang/project-exploit-mitigations, @rcvalle

@bors

This comment was marked as resolved.

@davidtwco davidtwco force-pushed the stabilize-stack-protector-all branch from 0265cec to 5cfa279 Compare April 8, 2024 10:49
@bors

This comment was marked as resolved.

@davidtwco davidtwco force-pushed the stabilize-stack-protector-all branch from 5cfa279 to c4eaf05 Compare April 16, 2024 12:24
@davidtwco
Copy link
Member Author

Generally agree. Would love to hear from some people who are interested in using -C stack-protector=all to get a better idea on what the actual use case here is.

See #114903 (comment)

@apiraino
Copy link
Contributor

hey 👋 what are the next steps for this PR? do you need feedback from @nikic ? I saw a mention for @rcvalle either.

thanks

@bors

This comment was marked as resolved.

@davidtwco davidtwco force-pushed the stabilize-stack-protector-all branch from c4eaf05 to a67ab4a Compare June 24, 2024 13:03
@davidtwco
Copy link
Member Author

I think this is just waiting until we've decided we've gotten enough feedback from users on whether this would be worth it (like this comment).

@bors

This comment was marked as resolved.

@davidtwco davidtwco force-pushed the stabilize-stack-protector-all branch from a67ab4a to 7984036 Compare August 6, 2024 14:26
@bors

This comment was marked as resolved.

@davidtwco davidtwco force-pushed the stabilize-stack-protector-all branch from 7984036 to 51d97e3 Compare October 22, 2024 12:27
@bors

This comment was marked as resolved.

@davidtwco davidtwco force-pushed the stabilize-stack-protector-all branch from 51d97e3 to 875a2a0 Compare November 6, 2024 13:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
PG-exploit-mitigations Project group: Exploit mitigations S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants