Re: Compiler alternatives to no-exec (was Re: non exec stack...)

Alexander Kjeldaas (astor@guardian.no)
Tue, 11 Aug 1998 18:41:56 +0200


On Fri, Aug 07, 1998 at 06:20:07AM +0000, Linus Torvalds wrote:
>
> There's an even simpler fix, with the compiler just pushing 0 on entry
> to all functions, and on exit it pops it off and aborts if it is
> non-zero.
>
> If somebody is using an overlong string, it cannot contain an all-zero
> value in the middle, so nobody can use the standard string overflow
> trick.
>
> Zero also happens to be very cheap to test against. Total overhead: four
> instructions per function
>
> + pushl $0
> ...
> + popl %ecx
> + testl %ecx,%ecx
> + jne abort
> ret
>
> However, the proper fix is still to get rid of the buffer overflow. The
> above has the advantage that you can actually debug it fairly easily.
>

I have a preliminary implementation of this for egcs 1.03a. I tested
the overhead on gzip - it looks pretty good. I use the following
pattern which ensures that the branch is predicted non-taken:

pushl $0            # prologue: the canary word, always zero
...                 # function body
popl %edx           # epilogue: reload the canary
testl %edx,%edx     # still zero?
jne .L2             # forward branch, predicted not taken
ret
.L2:
call abort

-rwxr-xr-x 3 root root 74352 Aug 11 18:18 gzip
-rwxr-xr-x 1 root root 75660 Aug 11 18:15 gzip-stack
# strip'em
-rwxr-xr-x 3 root root 48200 Aug 11 18:37 gzip
-rwxr-xr-x 1 root root 49528 Aug 11 18:37 gzip-stack
# time ./gzip-stack -9 pre-patch-2.1.109-2
real 0m1.926s
user 0m1.890s
sys 0m0.040s
# time ./gzip -9 pre-patch-2.1.109-2
real 0m1.920s
user 0m1.880s
sys 0m0.040s

Size overhead after strip is around 2-3%.
Run-time overhead is around 1%.

astor

-- 
 Alexander Kjeldaas, Guardian Networks AS, Trondheim, Norway
 http://www.guardian.no/
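A model of the zero-canary frame the thread describes, added here as an example (it is not the egcs patch or any code from the thread): the struct stands in for one stack frame, the copy routine for an unchecked C string copy, and the check for the epilogue's testl/jne. Field names and the saved return-address value are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for one stack frame: local char array, the word the prologue
 * pushed as 0, and the saved return address above it.  Field names and
 * the address value are this example's own. */
struct frame {
    char     buf[8];
    uint32_t canary;    /* the "pushl $0" slot */
    uint32_t retaddr;   /* what an overrun would have to reach */
};
#define SAVED_RET 0x08048000u   /* constructed placeholder address */

static struct frame frame_init(void)
{
    struct frame f = { {0}, 0, SAVED_RET };
    return f;
}

/* strcpy-style copy into f->buf: unchecked against the 8-byte buffer,
 * bounded only by the whole frame so the model stays well defined.
 * Like any C string copy it stops at the terminator, so the only zero
 * byte it can write is that final NUL. */
static void strcpy_into_frame(struct frame *f, const char *src)
{
    unsigned char *dst = (unsigned char *)f;   /* buf sits at offset 0 */
    size_t i;
    for (i = 0; i < sizeof *f; i++) {
        dst[i] = (unsigned char)src[i];
        if (src[i] == '\0')
            break;
    }
}

/* Fresh frame, then the overrun-prone copy of src into it. */
static struct frame run(const char *src)
{
    struct frame f = frame_init();
    strcpy_into_frame(&f, src);
    return f;
}

/* The epilogue's "popl %edx; testl %edx,%edx; jne abort": 1 where the
 * real code would reach abort, 0 where it would ret. */
static int check_fires_for(const char *src) { return run(src).canary != 0; }

/* Did the saved return address survive the copy? */
static int retaddr_intact_after(const char *src) { return run(src).retaddr == SAVED_RET; }
```

Any string long enough to disturb the return address has to write nonzero bytes over the whole canary word first, which is why the check fires for it. A string of exactly eight characters lands only its terminator in the canary, which therefore stays zero and the check stays quiet, but that one byte cannot reach the return address either.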
