[cfe-dev] What do the different stack-protector levels protect in Clang?

Joshua Magee via cfe-dev cfe-dev at lists.llvm.org
Thu Apr 27 18:03:15 PDT 2017 

Yes, clang's implementation of stack protection is based on the same spec as GCC.

-fstack-protector: Emits stack smashing protectors in the form of
a “canary” — a random value placed on the stack before the local
variables that’s checked upon return from the function to see if it has
been overwritten. A heuristic is used to determine if a function needs
stack protectors or not. The heuristic used will enable protectors for
functions with:
  * Character arrays larger than ssp-buffer-size (default 8).
  * Aggregates containing character arrays larger than ssp-buffer-size.
  * Calls to alloca() with variable sizes or constant sizes greater than ssp-buffer-size.

Variables that are identified as requiring a protector will be
arranged on the stack such that they are adjacent to the stack
protector guard.

-fstack-protector-strong: This uses a strong heuristic when determining
if a function needs stack protectors. The strong heuristic will enable
protectors for functions with:
  * Arrays of any size and type
  * Aggregates containing an array of any size and type.
  * Calls to alloca().
  * Local variables that have had their address taken.

Variables that are identified as requiring a protector will be arranged
on the stack such that they are adjacent to the stack protector guard.
The specific layout rules are:
  * Large arrays and structures containing large arrays (>=
    ssp-buffer-size) are closest to the stack protector.
  * Small arrays and structures containing small arrays (<
    ssp-buffer-size) are 2nd closest to the protector.
  * Variables that have had their address taken are 3rd closest to the protector.

-fstack-protector-all:  Every function will have a stack smashing protector.
Variable layout rules follow the same as -fstack-protector-strong.


Clang doesn't have especially detailed documentation for these options
at the moment, that would be a nice contribution to the user manual.
LLVM has documentation for the IR attributes that correspond to each
level.  It is probably too low level for the casual users, but the
descriptions do provide a decent summary of the heuristic at each ssp
level (which I paraphrased above):
http://llvm.org/docs/LangRef.html#function-attributes


HTH,
 - Josh


At 1493344174 seconds past the Epoch, Yaron Shragai via cfe-dev wrote:
> A typo in my OP broke the link to the document on Google Docs.  Here is the
> link:
> https://docs.google.com/document/d/1xXBH6rRZue4f296vGt9YQcuLVQHeE
> 516stHwt8M9xyU/edit
> 
> Here is more specifically what I am looking for:
> In GCC, it is published that the stack protector option levels do the
> following things (this is in the linked document):
> -fno-stack-protector: No protection.
> -fstack-protector: Protection for functions in which either of the
> following is true:
>    * The function uses alloca
>    * There is a char array that is bigger than 8 bytes (actually, bigger
> than whatever SSP_BUFFER_SIZE is)
> -fstack-protector-all: Protection for all functions - no heuristic.
> -fstack-protector-strong: Protection for functions in which any of the
> following is true:
>    * Any the address of any local variable used in the RHS of an assignment
>    * Any local variable is passed by reference to a function
>    * There is *any* array, regardless of array type or length
>    * There is a struct/union containing an array
>    * There are register local variables
> 
> (Also, the stack data is rearranged such that variables are at lower
> addresses than buffers.)
> 
> What about on Clang? What specifically does -fstack-protector protect? What
> specifically does -fstack-protector-strong protect?  Is it exactly the same
> definition as in GCC?
> 
> Thanks!
> 
> 
> 
> On Thu, Apr 27, 2017 at 4:14 PM, 陳韋任 <chenwj.cs97g at g2.nctu.edu.tw> wrote:
> >
> > Is this https://clang.llvm.org/docs/ClangCommandLineReference.html what
> you are looking at?
> > Under the Clang source directory, `grep -r "stack-protector" docs/*`
> gives the following result:
> >
> >   docs/ClangCommandLineReference.rst:.. option:: -fstack-protector,
> -fno-stack-protector
> >   docs/ClangCommandLineReference.rst:.. option:: -fstack-protector-all
> >   docs/ClangCommandLineReference.rst:.. option:: -fstack-protector-strong
> >   docs/DiagnosticsReference.rst:-Wstack-protector
> >
> > Or you can goole with "stack protector site:http://lists.llvm.org/
> pipermail/cfe-dev/" to find something
> > on the cfe-dev mailing list. I think that's all you can find.
> >
> > Regards,
> > chenwj
> >
> >
> > 2017-04-28 1:20 GMT+08:00 Yaron Shragai via cfe-dev <
> cfe-dev at lists.llvm.org>:
> >>
> >> Hello,
> >>
> >> I see documentation out there for the levels of stack-protector in GCC:
> Regular protects functions that have buffers or that use alloca(), all
> protects all functions, strong protects functions with the conditions
> listed in para 3 in this doc: https://docs.google.com/document/d/
> 1xXBH6rRZue4f296vGt9YQcuLVQHeE516stHwt8M9xyU/editAlso, in GCC,
> stack-protector puts variables below buffers on the stack (i.e., higher up
> the stack).
> >>
> >> I'm having trouble finding similar documentation for Clang. (Even if
> it's just an official statement that "Clang does the same thing as GCC.")
> >>
> >> Thanks!
> >>
> >>
> >>
> >> _______________________________________________
> >> cfe-dev mailing list
> >> cfe-dev at lists.llvm.org
> >> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
> >>
> >
> >
> >
> > --
> > Wei-Ren Chen (陳韋任)
> > Homepage: https://people.cs.nctu.edu.tw/~chenwj

> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

More information about the cfe-dev mailing list