VLAs and security

From: Uecker, Martin
Date: Sun Sep 02 2018 - 04:14:23 EST

Next message: Fengguang Wu: "Re: [RFC][PATCH 0/5] introduce /proc/PID/idle_bitmap"
Previous message: Balbir Singh: "Re: [RFC PATCH v3 00/24] Control Flow Enforcement: Shadow Stack"
Next in thread: Kees Cook: "Re: VLAs and security"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I do not agree that VLAs are generally bad for security.
I think the opposite is true. A VLA with the right size
allows the compiler to automatically perform or insert
meaningful bounds checks, while a fixed upper bound does not.

For example:

char buf[N];
buf[n] = 1;

Here, a compiler / analysis tool can for n < N using
static analysis or insert a run-time check.

Replacing this with

char buf[MAX_SIZE]

hides the information about the true upper bound
from automatic tools.

Limiting the stack usage can also be achieved in
the following way:

assert(N <= MAX_SIZE)
char buf[N];

Of course, having predictable stack usage might be moreÂ
important in the kernel and might be a good argument
to still prefer the constant bound.

But loosing the tighter bounds is clearly a disadvantage
with respect to security that one should keep it mind.

Best,
Martin

Next message: Fengguang Wu: "Re: [RFC][PATCH 0/5] introduce /proc/PID/idle_bitmap"
Previous message: Balbir Singh: "Re: [RFC PATCH v3 00/24] Control Flow Enforcement: Shadow Stack"
Next in thread: Kees Cook: "Re: VLAs and security"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]