From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail4-relais-sop.national.inria.fr (mail4-relais-sop.national.inria.fr [192.134.164.105]) by yquem.inria.fr (Postfix) with ESMTP id AA487BBAF for ; Sun, 11 Jul 2010 13:03:01 +0200 (CEST) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AgADAEpBOUzZSMDqkWdsb2JhbACgPxUBAQEBBw0KBxEDH7tZhScE X-IronPort-AV: E=Sophos;i="4.55,182,1278280800"; d="scan'208";a="66178858" Received: from fmmailgate03.web.de ([217.72.192.234]) by mail4-smtp-sop.national.inria.fr with ESMTP; 11 Jul 2010 13:03:01 +0200 Received: from smtp02.web.de ( [172.20.0.184]) by fmmailgate03.web.de (Postfix) with ESMTP id A5FA315AE635A; Sun, 11 Jul 2010 13:03:00 +0200 (CEST) Received: from [78.43.204.177] (helo=frosties.localdomain) by smtp02.web.de with asmtp (TLSv1:AES256-SHA:256) (WEB.DE 4.110 #4) id 1OXuJI-0001wQ-00; Sun, 11 Jul 2010 13:03:00 +0200 Received: from mrvn by frosties.localdomain with local (Exim 4.72) (envelope-from ) id 1OXuJI-0004uj-42; Sun, 11 Jul 2010 13:03:00 +0200 From: Goswin von Brederlow To: Michael Ekstrand Cc: caml-list@inria.fr Subject: Re: [Caml-list] Native code stack overflow detection guarantees References: Date: Sun, 11 Jul 2010 13:03:00 +0200 In-Reply-To: (Michael Ekstrand's message of "Thu, 08 Jul 2010 20:59:30 -0400") Message-ID: <87mxtynuvv.fsf@frosties.localdomain> User-Agent: Gnus/5.110009 (No Gnus v0.9) XEmacs/21.4.22 (linux, no MULE) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: goswin-v-b@web.de X-Sender: goswin-v-b@web.de X-Provags-ID: V01U2FsdGVkX1/wZVivKPXSTanPqQ5UyKW5ILW755HU+hHQoCFA Gr4fawiCd02+nuH3ZK1VdDev4VRdUXZ2dooAOM/3HFeW6D/bbY wdGStF12g= X-Spam: no; 0.00; recursive:01 pointer:01 pointer:01 recursive:01 ocaml:01 varargs:01 segfault:01 havoc:98 mfg:98 overflows:01 overflows:01 stack:01 stack:01 exception:01 caml-list:01 Michael Ekstrand writes: > Some time ago, I saw someone mention non-tail-recursive functions in > native code as a security problem. Unfortunately, I cannot find where I > read that again, but the basic idea was that, if you have a recursive > function that uses stack linear in user-provided input, then the user > can trigger a stack overflow which, in native code, can allow your stack > pointer to go waltzing through memory and wreak general havoc since > stack overflows are not trapped. For that to happen you would have to get the stack pointer to overflow so far that it actualy points into an allocated memory region again. Stack frames usualy aren't that big and I'm pretty certain there will be some unallocated space around the stack to catch overflows. Isn't a stackframe for a recursive call in ocaml limited in size (<< PAGE_SIZE)? Unless you have some varargs in there. I don't see any security probem there other than DOS attacks. With an exception you could catch it and continue running while a segfault kills your program (usualy). So for native code you would have to inspect your input and check if it will stack overflow before calling the recursive function. Or just write the function tail recursive. MfG Goswin