From: "ardb at kernel dot org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug target/102926] New: TLS register value is spilled to the stack instead of reloaded from the system register
Date: Mon, 25 Oct 2021 11:35:14 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102926

            Bug ID: 102926
           Summary: TLS register value is spilled to the stack instead of
                    reloaded from the system register
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: target
          Assignee: unassigned at gcc dot gnu.org
          Reporter: ardb at kernel dot org
  Target Milestone: ---
            Target: ARM

The code below uses the hardware TLS register on ARM, and instead of
reloading its value directly from the system register, it spills its value
to the stack.

This is suboptimal, and given that the TLS register is being proposed as an
alternative reference for the stack protector canary, it is also a security
concern, as an attacker that controls the stack may be able to control both
sides of the equation in the stack protector check occurring at the end of
the function.

Instead, I would expect any subsequent uses of the thread pointer to simply
issue the MRC again, which doesn't touch memory.

$ cat /tmp/spill.c
int foo(int);

int bar(void)
{
        int *l = __builtin_thread_pointer();

        return foo(l[0]) + l[1];
}

$ arm-linux-gnueabihf-gcc -o - -S /tmp/spill.c -O3 -mtp=cp15 -ffixed-r4 -ffixed-r5 -ffixed-r6 -ffixed-r7 -ffixed-r8 -ffixed-r9 -ffixed-r10 -fno-omit-frame-pointer
        .cpu arm10tdmi
        .arch armv5t
        .fpu softvfp
        .eabi_attribute 20, 1
        .eabi_attribute 21, 1
        .eabi_attribute 23, 3
        .eabi_attribute 24, 1
        .eabi_attribute 25, 1
        .eabi_attribute 26, 2
        .eabi_attribute 30, 2
        .eabi_attribute 34, 0
        .eabi_attribute 18, 4
        .file   "spill.c"
        .text
        .align  2
        .global bar
        .syntax unified
        .arm
        .type   bar, %function
bar:
        @ args = 0, pretend = 0, frame = 8
        @ frame_needed = 1, uses_anonymous_args = 0
        push    {fp, lr}
        add     fp, sp, #4
        sub     sp, sp, #8
        mrc     p15, 0, r3, c13, c0, 3  @ load_tp_hard
        ldr     r0, [r3]
        str     r3, [fp, #-8]
        bl      foo
        ldr     r3, [fp, #-8]
        ldr     r3, [r3, #4]
        add     r0, r0, r3
        sub     sp, fp, #4      @ sp needed
        pop     {fp, pc}
        .size   bar, .-bar
        .ident  "GCC: (GNU) 12.0.0 20211024 (experimental)"
        .section        .note.GNU-stack,"",%progbits
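A practitioner auditing a build for the pattern reported above wants a mechanical check rather than eyeballing listings. The script below is an added example, not part of the bug report or of GCC: it scans ARM assembler output for a thread-pointer read via `mrc p15, 0, rX, c13, c0, 3` (TPIDRURO, what `-mtp=cp15` emits) and flags any later `str` or `push` that writes that register to a stack slot before it is overwritten. The `SAMPLE_ASM` listing is the one from the report; `FIXED_ASM` is a constructed, hypothetical version of `bar` showing the codegen the reporter says he expects (a second MRC after the call), so the check can be seen passing as well as failing. The register-tracking rules (AAPCS caller-saved set cleared on `bl`, first operand treated as destination for data-processing and load instructions) are simplifications that suit GCC's output here, not a complete ARM decoder.

```python
import re

# Listing from the bug report (GCC 12.0.0 20211024 experimental, -mtp=cp15).
SAMPLE_ASM = """
        .text
        .global bar
        .type   bar, %function
bar:
        @ args = 0, pretend = 0, frame = 8
        push    {fp, lr}
        add     fp, sp, #4
        sub     sp, sp, #8
        mrc     p15, 0, r3, c13, c0, 3  @ load_tp_hard
        ldr     r0, [r3]
        str     r3, [fp, #-8]
        bl      foo
        ldr     r3, [fp, #-8]
        ldr     r3, [r3, #4]
        add     r0, r0, r3
        sub     sp, fp, #4
        pop     {fp, pc}
        .size   bar, .-bar
"""

# Constructed, hypothetical codegen for the same function in which the
# thread pointer is re-read from the system register after the call.
FIXED_ASM = """
bar:
        push    {fp, lr}
        add     fp, sp, #4
        mrc     p15, 0, r3, c13, c0, 3
        ldr     r0, [r3]
        bl      foo
        mrc     p15, 0, r3, c13, c0, 3
        ldr     r3, [r3, #4]
        add     r0, r0, r3
        pop     {fp, pc}
"""

# MRC reading TPIDRURO (CRn=c13, CRm=c0, opc2=3); group 1 is the destination.
TP_MRC = re.compile(r'^mrc\s+p15,\s*0,\s*(\w+),\s*c13,\s*c0,\s*3\b', re.I)

# AAPCS caller-saved registers: a call may clobber any thread pointer held here.
CALLER_SAVED = {'r0', 'r1', 'r2', 'r3', 'r12', 'ip', 'lr'}

# Mnemonics whose first operand is not a destination register.
NO_DEST = ('cmp', 'cmn', 'tst', 'teq', 'push', 'str', 'stm')


def find_tp_spills(asm_text):
    """Return [(function, line_no, instruction)] for every store of a register
    that currently holds the thread pointer into a stack slot or push list."""
    spills = []
    func = None
    tp_regs = set()          # registers known to hold the thread pointer
    for lineno, raw in enumerate(asm_text.splitlines(), 1):
        code = raw.split('@', 1)[0].strip()      # drop assembler comments
        if not code or code.startswith('.'):     # blank line or directive
            continue
        if code.endswith(':'):                   # new function label
            func, tp_regs = code[:-1], set()
            continue
        m = TP_MRC.match(code)
        if m:
            tp_regs.add(m.group(1).lower())
            continue
        parts = code.split(None, 1)
        mnem = parts[0].lower()
        ops = parts[1] if len(parts) > 1 else ''
        norm = ' '.join(code.split())
        if mnem.startswith('str'):
            src, _, addr = (p.strip().lower() for p in ops.partition(','))
            # only stores through sp/fp (r13/r11) count as spills to the stack
            if src in tp_regs and addr.startswith(('[sp', '[fp', '[r13', '[r11')):
                spills.append((func, lineno, norm))
        elif mnem == 'push':
            pushed = {r.strip().lower() for r in ops.strip('{}').split(',')}
            if pushed & tp_regs:
                spills.append((func, lineno, norm))
        elif mnem == 'pop':
            tp_regs -= {r.strip().lower() for r in ops.strip('{}').split(',')}
        elif mnem == 'bl':
            tp_regs -= CALLER_SAVED                # call clobbers caller-saved regs
        elif mnem[0] != 'b' and not mnem.startswith(NO_DEST):
            # data-processing / load: first operand is overwritten
            tp_regs.discard(ops.split(',')[0].strip().lower())
    return spills


if __name__ == '__main__':
    for name, asm in (('reported', SAMPLE_ASM), ('expected', FIXED_ASM)):
        print(name, find_tp_spills(asm) or 'no thread-pointer spill')
```

Run it against real output with `arm-linux-gnueabihf-gcc -S -o - ... | python3 -c 'import sys; from tpspill import find_tp_spills; print(find_tp_spills(sys.stdin.read()))'` (module name assumed). A non-empty result means the generated code reads the TLS register back from memory an attacker controlling the stack could have overwritten, which is exactly the property that matters if the canary reference is taken from that register.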