Build Git with Stack Smashing Protector enabled

[dscho]

Reference: http://wiki.osdev.org/Stack_Smashing_Protector

This was raised to me privately recently as a suggestion to harden Git from buffer overflows. From the link above:

The Stack Smashing Protector (SSP) compiler feature helps detect stack buffer overrun by aborting if a secret value on the stack is changed. This serves a dual purpose in making the occurrence of such bugs visible and as exploit mitigation against return-oriented programming.

I've been looking into building the latest version of Git for Windows with this flag enabled, and am running through the test suite with these parameters:

CFLAGS="-g -O2 -Wall -fstack-protector" make test

This injects a stack smashing protector into "functions with vulnerable objects". There's also some tougher options for GCC that can be used here -fstack-protector-strong and -fstack-protector-all but I think the first one is Good Enough™.

I'm not sure how upstream feels about this, but we can deal with that later.

Thoughts?

[dscho]

Thoughts?

We can easily add that flag for Git for Windows only. And once we can demonstrate that it does not hurt, but helps things instead, we can suggest it to upstream. (Those are my thoughts on the matter 😺 )

[dscho]

So I turned this into a Pull Request. All of the regression test suite passes with this.

[buildhive]

Git for Windows » git #29 SUCCESS
This pull request looks good
(what's this?)

[dscho]

@shiftkey could you have a look?

[shiftkey]

@dscho ERR_CONNECTION_TIMED_OUT ?

[danilaml]

Does it have any visible effect on performance?

[dscho]

Does it have any visible effect on performance?

Well, this is disappointing. I really think that all my work resulted in a project that empowers people to answer such questions themselves instead of putting even more load onto my shoulders. The answer can be easily obtained by using the SDK yourself, compiling Git with and without the flag, and running a decently-long-running task several times.

So instead of letting me research whether -fstack-protector-strong is a better option, and instead of getting assistance to make Git for Windows better, I now have to work myself even more on this issue.

[danilaml]

@dscho sorry, my question was generally addressed to @shiftkey because he made this PR and most likely has more means and understanding to answer it. There is no need to overreact, I was just wondering. I don't have dev environment installed and not familiar with benchmarking git to test it myself. But the fact that git is very high quality code that it would be less prone to this kind of attack raised my concern about if the benefit is really worth it.
P.S. Sorry for this stream of thoughts.

[shiftkey]

@danilaml

Let's start from the beginning:

Does it have any visible effect on performance?

I'd started running the test suite (this is actually easy to do, I recommend trying it out when you have a spare moment) after talking with @dscho about the proposal and around the time of opening this issue.

most likely has more means and understanding to answer it.

This adds code before and after specific methods which are vulnerable to overflowing the stack, so that you can verify at runtime that nothing unexpected has occurred. Again, this isn't added throughout the entire codebase (although we can enable that), but to address specific known risks.

I mostly wanted to focus on impacting tests (that is, finding something now breaks with the flag set). I didn't have any hard data to provide at the time, but given how easy it was to enable I'm happy to listen to concerns if people spot things which are impacted.

This was raised to me by a security researcher, and as we've seen in that past Git is not immune to these sorts of issues, I'd like to see us be more proactive and defensive about security risks.

There is no need to overreact, I was just wondering.

Please be mindful that Git for Windows is a complex project that a lot of people use and there's only a small team of contributors available.

When a question or issue is clear, concise and contains enough details, it's usually very easy for the maintainer (or even other contributors) to follow up. However, when a question or issue is unclear, it takes time and energy from the maintainer to follow up and understand the details - which means they have less time for the other work they need to do each day.

I appreciate the questions and curiosity, but how questions are phrased can lead to very different reactions from the reader, because we lack the nuance of verbal communication when we're working in a textual medium like this.

[shiftkey]

@dscho thanks for merging this. I couldn't get to the CI build artefacts but I'll have a look at the test suite this week and see if I have anything further to add.

[avih]

@shiftkey sorry for barging in, but IMO the question was concise, clear, and legitimate, considering the potential scope of the impact from this change.

So the bottom line is that the performance impact was not evaluated, but it might if users complain about performance regressions?

Maybe off topic: is there a performance test suite for git or for git for windows?

[shiftkey]

@avih I don't believe the question was directed correctly, as @dscho replied instead of me. That's where the confusion started.

Maybe off topic: is there a performance test suite for git or for git for windows?

There's a number of tests in Git core which are focused on performance: https://github.com/git-for-windows/git/tree/master/t/perf

Here's me running the Git for Windows test suite on my underwhelming Surface Pro 2 which has Windows 10 64-bit Build 10240 installed. You can do the same if you're in Git Bash (which should give you all the tools to build Git from scratch):

git clone https://github.com/git-for-windows/git.git
cd git
make
cd t/perf/
make

Which returns these numbers - each line is the classic Unix time output - real (user + system) - all values in seconds.

Test	d668187	c6f19b0
0000.1: test_perf_default_repo works	0.31(0.03+0.21)	0.31(0.07+0.18)
0000.2: test_checkout_worktree works	0.47(0.09+0.34)	0.53(0.12+0.37)
0000.4: export a weird var	0.13(0.07+0.03)	0.17(0.01+0.13)
0000.6: important variables available in subshells	0.17(0.07+0.07)	0.17(0.04+0.09)
0000.7: test-lib-functions correctly loaded in subshells	0.26(0.06+0.20)	0.24(0.04+0.12)
0001.1: rev-list --all	2.16(0.04+0.15)	1.93(0.03+0.12)
0001.2: rev-list --all --objects	11.20(0.04+0.13)	18.82(0.04+0.20)
0001.4: rev-list $commit --not --all	0.29(0.04+0.18)	0.30(0.06+0.15)
0001.5: rev-list --objects $commit --not --all	0.25(0.07+0.10)	0.30(0.04+0.18)
0002.1: read_cache/discard_cache 1000 times	3.50(0.06+0.12)	3.34(0.12+0.07)
4000.1: log -3000 (baseline)	0.57(0.03+0.18)	0.56(0.07+0.12)
4000.2: log --raw -3000 (tree-only)	1.39(0.04+0.10)	1.73(0.04+0.16)
4000.3: log -p -3000 (Myers)	7.11(0.04+0.09)	7.11(0.07+0.12)
4000.4: log -p -3000 --histogram	7.80(0.06+0.13)	7.72(0.09+0.13)
4000.5: log -p -3000 --patience	8.48(0.04+0.09)	9.02(0.12+0.15)
4001.2: diff --no-index	0.23(0.07+0.13)	0.29(0.07+0.12)
4211.2: git rev-list --topo-order (baseline)	2.09(0.04+0.16)	1.85(0.09+0.13)
4211.3: git log --follow (baseline for -M)	3.46(0.06+0.13)	4.35(0.06+0.12)
4211.4: git log -L	3.16(0.03+0.07)	3.20(0.09+0.15)
4211.5: git log -M -L	16.83(0.07+0.10)	17.52(0.01+0.20)
5302.2: index-pack 0 threads	44.12(0.04+0.13)	45.10(0.07+0.13)
5302.3: index-pack 1 thread	44.94(0.04+0.13)	45.25(0.04+0.09)
5302.4: index-pack 2 threads	18.58(0.03+0.04)	18.78(0.00+0.07)
5302.5: index-pack 4 threads	15.34(0.03+0.04)	14.53(0.03+0.07)
5302.6: index-pack 8 threads	15.07(0.04+0.12)	12.44(0.04+0.01)
5302.7: index-pack default number of threads	18.21(0.01+0.20)	17.20(0.00+0.10)
5310.2: repack to disk	12.77(0.01+0.12)	16.78(0.03+0.12)
5310.3: simulated clone	1.16(0.04+0.10)	1.78(0.04+0.13)
5310.4: simulated fetch	3.23(0.06+0.21)	2.69(0.06+0.16)
5310.6: partial bitmap	1.48(0.04+0.12)	44.56(0.03+0.15)
7300.2: clean many untracked sub dirs, check for nested git	37.00(0.13+0.09)	37.39(0.01+0.18)
7300.3: clean many untracked sub dirs, ignore nested git	24.56(0.04+0.13)	26.06(0.01+0.16)
7810.1: grep worktree, cheap regex	0.44(0.06+0.12)	0.46(0.03+0.16)
7810.2: grep worktree, expensive regex	0.58(0.01+0.07)	0.70(0.03+0.07)
7810.3: grep --cached, cheap regex	0.69(0.03+0.15)	0.69(0.04+0.13)
7810.4: grep --cached, expensive regex	2.57(0.03+0.16)	2.28(0.03+0.10)

Partial Bitmap seems to be the only exceptional change here. /me shrugs

[avih]

That's good info. I agree that other than the partial bitmap thing, the rest seem minor at most IMO, which is very good.

Worth keeping in mind then that the partial bitmap thingy regressed ~3000% (30x slower), which is far from negligible on its own.

I am, however, unable to assess how important is it to keep this specific number low, if at all.

[shiftkey]

I'm going to have a look at whether that partial bitmap test is consistently slower

[dscho]

I don't have dev environment installed and not familiar with benchmarking git to test it myself.

@danilaml why did you not ask for that? I could easily have helped you.

[dscho]

sorry for barging in, but IMO the question was concise, clear, and legitimate, considering the potential scope of the impact from this change.

@avih nobody contested that the question was concise, clear or legitimate. Nor the scope. The issue was that some people feel completely happy to load even more tasks on others than they already do. You, for example, could have easily followed the link @shiftkey provided how to run the test suite. Instead, you chose to "barge in" and demonstrate that you are willing to ask, but not to do anything about answering the question. That would be forgivable. If I had not worked that hard to make it easy for you to answer the question. More than half my time is spent on making it easy to contribute to Git for Windows, be it new code, patches, or (as here) contributions that answer an important question.

I mean, you can totally be that type of user who is complacent about their problems and expects others to solve them for you. Or you could take up the challenge, use the already formidable tools in place to work on the problems, and actually get a cozy and warm feeling that you became an Open Sorcerer. Your choice 😜

[dscho]

Worth keeping in mind then that the partial bitmap thingy regressed ~3000% (30x slower), which is far from negligible on its own.

@avih please keep in mind that such a judgement, after having done nothing to help move this ticket along, elicits quite a few bad feelings in me. Quite a few.

[avih]

@avih please keep in mind that such a judgement, after having done nothing to help move this ticket along, elicits quite a few bad feelings in me. Quite a few.

Not only this wasn't judgment, I even explicitly stated that I'm unable to judge or evaluate the importance of this value.

Regardless, please accept my apology if I hurt someone's feelings.

[dscho]

Worth keeping in mind then that the partial bitmap thingy regressed ~3000% (30x slower), which is far from negligible on its own.

@avih now, if you want to give some of the time back you took from @shiftkey and myself, you will go and install the SDK, build Git, run the perf test @shiftkey pointed out, and if you can replicate that terrible slowdown then investigate what causes it.

Helping that way would be the only apology I need.

[avih]

I don't have the capacity for that any time soon.

[dscho]

@avih well, thank you so much.