rust-lang
diff --git a/‎src/doc/rustc/src/exploit-mitigations.md
Lines changed: 46 additions & 48 deletions b/‎src/doc/rustc/src/exploit-mitigations.md
Lines changed: 46 additions & 48 deletions
diff --git a/‎src/doc/rustc/src/images/image1.png
146 KB b/‎src/doc/rustc/src/images/image1.png
146 KB
diff --git a/‎src/doc/rustc/src/images/image2.png
124 KB b/‎src/doc/rustc/src/images/image2.png
124 KB
diff --git a/‎src/doc/rustc/src/images/image3.png
867 Bytes b/‎src/doc/rustc/src/images/image3.png
867 Bytes
@@ -199,30 +199,33 @@ when attempting to read from the guard page/region. This is also referred to as
 The Rust compiler supports stack clashing protection via stack probing, and
 enables it by default since version 1.20.0 (2017-08-31)[26]–[29].
 
-![Screenshot of IDA Pro listing cross references to __rust_probestack in hello-rust.](images/image1.png "Cross references to __rust_probestack in hello-rust.")
-Fig. 6. IDA Pro listing cross references to `__rust_probestack` in hello-rust.
-
 ```rust
-fn hello() {
-    println!("Hello, world!");
+fn main() {
+    let v: [u8; 16384] = [1; 16384];
+    let first = &v[0];
+    println!("The first element is: {first}");
 }
+```
+Fig. 6. hello-rust-stack-probe-1 program.
 
+![Screenshot of IDA Pro listing the "unrolled loop" stack probe variant in modified hello-rust.](images/image1.png "The \"unrolled loop\" stack probe variant in modified hello-rust.")
+Fig. 7. The "unrolled loop" stack probe variant in modified hello-rust.
+
+```rust
 fn main() {
-    let _: [u64; 1024] = [0; 1024];
-    hello();
+    let v: [u8; 65536] = [1; 65536];
+    let first = &v[0];
+    println!("The first element is: {first}");
 }
 ```
-Fig 7. Modified hello-rust.
+Fig. 8. hello-rust-stack-probe-2 program.
 
-![Screenshot of IDA Pro listing cross references to __rust_probestack in modified hello-rust.](images/image2.png "Cross references to __rust_probestack in modified hello-rust.")
-Fig. 8. IDA Pro listing cross references to `__rust_probestack` in modified
-hello-rust.
+![Screenshot of IDA Pro listing the "standard loop" stack probe variant in modified hello-rust.](images/image2.png "The \"standard loop\" stack probe variant in modified hello-rust.")
+Fig. 9. The "standard loop" stack probe variant in modified hello-rust.
 
-To check if stack clashing protection is enabled for a given binary, search for
-cross references to `__rust_probestack`. The `__rust_probestack` is called in
-the prologue of functions whose stack size is larger than a page size (see Fig.
-6), and can be forced for illustration purposes by modifying the hello-rust
-example as seen in Fig. 7 and Fig. 8.
+To check if stack clashing protection is enabled for a given binary, look for
+any of the two stack probe variants in the prologue of functions whose stack
+size is larger than a page size (see Figs. 6-9).
 
 
 ### Read-only relocations and immediate binding
@@ -350,15 +353,13 @@ instruction pointer, and checking if this value has changed when returning from
 a function. This is also known as “Stack Protector” or “Stack Smashing
 Protector (SSP)”.
 
-The Rust compiler supports stack smashing protection on nightly builds[42].
+The Rust compiler supports stack smashing protection on nightly builds[40].
 
 ![Screenshot of IDA Pro listing cross references to __stack_chk_fail in hello-rust.](images/image3.png "Cross references to __stack_chk_fail in hello-rust.")
 Fig. 14. IDA Pro listing cross references to `__stack_chk_fail` in hello-rust.
 
 To check if stack smashing protection is enabled for a given binary, search for
-cross references to `__stack_chk_fail`. The presence of these cross-references
-in Rust-compiled code (e.g., `hello_rust::main`) indicates that the stack
-smashing protection is enabled (see Fig. 14).
+cross references to `__stack_chk_fail` (see Fig. 14).
 
 
 ### Forward-edge control flow protection
@@ -380,17 +381,14 @@ commercially available [grsecurity/PaX Reuse Attack Protector
 (RAP)](https://grsecurity.net/rap_faq).
 
 The Rust compiler supports forward-edge control flow protection on nightly
-builds[40]-[41] <sup id="fnref:6" role="doc-noteref"><a href="#fn:6"
+builds[41]-[42] <sup id="fnref:6" role="doc-noteref"><a href="#fn:6"
 class="footnote">6</a></sup>.
 
 ```text
-$ readelf -s -W target/debug/rust-cfi | grep "\.cfi"
-    12: 0000000000005170    46 FUNC    LOCAL  DEFAULT   14 _RNvCsjaOHoaNjor6_8rust_cfi7add_one.cfi
-    15: 00000000000051a0    16 FUNC    LOCAL  DEFAULT   14 _RNvCsjaOHoaNjor6_8rust_cfi7add_two.cfi
-    17: 0000000000005270   396 FUNC    LOCAL  DEFAULT   14 _RNvCsjaOHoaNjor6_8rust_cfi4main.cfi
-...
+$ readelf -s -W target/release/hello-rust | grep "\.cfi"
+     5: 0000000000006480   657 FUNC    LOCAL  DEFAULT   15 _ZN10hello_rust4main17h4e359f1dcd627c83E.cfi
 ```
-Fig. 15. Checking if LLVM CFI is enabled for a given binary[41].
+Fig. 15. Checking if LLVM CFI is enabled for a given binary[42].
 
 The presence of symbols suffixed with ".cfi" or the `__cfi_init` symbol (and
 references to `__cfi_check`) indicates that LLVM CFI (i.e., forward-edge
@@ -429,21 +427,21 @@ Newer processors provide hardware assistance for backward-edge control flow
 protection, such as ARM Pointer Authentication, and Intel Shadow Stack as part
 of Intel CET.
 
-The Rust compiler supports shadow stack for aarch64 only <sup id="fnref:7"
-role="doc-noteref"><a href="#fn:7" class="footnote">7</a></sup> on nightly Rust
-compilers [43]-[44]. Safe stack is available on nightly Rust compilers
-[45]-[46].
+The Rust compiler supports shadow stack for the AArch64 architecture<sup
+id="fnref:7" role="doc-noteref"><a href="#fn:7" class="footnote">7</a></sup>on
+nightly builds[43]-[44], and supports safe stack also on nightly
+builds[45]-[46].
 
 ```text
 $ readelf -s target/release/hello-rust | grep __safestack_init
-  1177: 00000000000057b0   444 FUNC    GLOBAL DEFAULT    9 __safestack_init
+   678: 0000000000008c80   426 FUNC    GLOBAL DEFAULT   15 __safestack_init
 ```
 Fig. 16. Checking if LLVM SafeStack is enabled for a given binary.
 
 The presence of the `__safestack_init` symbol indicates that LLVM SafeStack is
-enabled for a given binary (see Fig. 16). Conversely, the absence of the
-`__safestack_init` symbol indicates that LLVM SafeStack is not enabled for a
-given binary.
+enabled for a given binary. Conversely, the absence of the `__safestack_init`
+symbol indicates that LLVM SafeStack is not enabled for a given binary (see
+Fig. 16).
 
 <small id="fn:7">7\. The shadow stack implementation for the AMD64 architecture
 and equivalent in LLVM was removed due to performance and security issues. <a
@@ -560,19 +558,19 @@ to `READ_IMPLIES_EXEC`).
 25. A. Clark. “Explicitly disable stack execution on linux and bsd #30859.”
     GitHub. <https://github.com/rust-lang/rust/pull/30859>.
 
-26. “Replace stack overflow checking with stack probes #16012.” GitHub.
+26. Zoxc. “Replace stack overflow checking with stack probes #16012.” GitHub.
     <https://github.com/rust-lang/rust/issues/16012>.
 
-27. B. Striegel. “Extend stack probe support to non-tier-1 platforms, and
-    clarify policy for mitigating LLVM-dependent unsafety #43241.” GitHub.
-    <https://github.com/rust-lang/rust/issues/43241>.
-
-28. A. Crichton. “rustc: Implement stack probes for x86 #42816.” GitHub.
+27. A. Crichton. “rustc: Implement stack probes for x86 #42816.” GitHub.
     <https://github.com/rust-lang/rust/pull/42816>.
 
-29. A. Crichton. “Add \_\_rust\_probestack intrinsic #175.” GitHub.
+28. A. Crichton. “Add \_\_rust\_probestack intrinsic #175.” GitHub.
     <https://github.com/rust-lang/compiler-builtins/pull/175>.
 
+29. S. Guelton, S. Ledru, J. Stone. “Bringing Stack Clash Protection to Clang /
+    X86 — the Open Source Way.” The LLVM Project Blog.
+    <https://blog.llvm.org/posts/2021-01-05-stack-clash-protection/>.
+
 30. B. Anderson. “Consider applying -Wl,-z,relro or -Wl,-z,relro,-z,now by
     default #29877.” GitHub. <https://github.com/rust-lang/rust/issues/29877>.
 
@@ -605,16 +603,16 @@ to `READ_IMPLIES_EXEC`).
 39. A. Crichton. “Remove the alloc\_jemalloc crate #55238.” GitHub.
     <https://github.com/rust-lang/rust/pull/55238>.
 
-40. R. de C Valle. “Tracking Issue for LLVM Control Flow Integrity (CFI) Support
+40. bbjornse. “Add codegen option for using LLVM stack smash protection #84197.”
+    GitHub. <https://github.com/rust-lang/rust/pull/84197>
+
+41. R. de C. Valle. “Tracking Issue for LLVM Control Flow Integrity (CFI) Support
     for Rust #89653.” GitHub. <https://github.com/rust-lang/rust/issues/89653>.
 
-41. “ControlFlowIntegrity.” The Rust Unstable Book.
+42. “ControlFlowIntegrity.” The Rust Unstable Book.
     [https://doc.rust-lang.org/unstable-book/compiler-flags/sanitizer.html#controlflowintegrity](../unstable-book/compiler-flags/sanitizer.html#controlflowintegrity).
 
-42. bbjornse. “add codegen option for using LLVM stack smash protection #84197.”
-    GitHub. <https://github.com/rust-lang/rust/pull/84197>
-
-43. ivanloz. “Add support for LLVM ShadowCallStack. #98208.” GitHub.
+43. I. Lozano. “Add support for LLVM ShadowCallStack #98208.” GitHub.
     <https://github.com/rust-lang/rust/pull/98208>.
 
 44. “ShadowCallStack.” The Rust Unstable Book.