public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "arjan at linux dot intel dot com" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug c/26457] New: -fstack-protector leaks the upper bits of RAX Date: Fri, 24 Feb 2006 15:08:00 -0000 [thread overview] Message-ID: <bug-26457-12259@http.gcc.gnu.org/bugzilla/> (raw) The following code snippet, compiled with -Os -fstack-protector: #include <string.h> int StringChecksum(char *s) { char buffer[2048]; int i; int checksum = 0; memset(buffer, 0, 2048); strcpy(buffer, s); for (i=0; i<2048; i++) checksum += buffer[i]; return checksum; } leads to the following snippet of assembly for the part where gcc puts the canary value on the stack: (part of the full assembly of the function) movq %rsp, %rdi movq %fs:40, %rax movq %rax, 2056(%rsp) xorl %eax, %eax call memset the key instruction for this bug is the "xorl %eax, %eax". The intent of that instruction seems to be to not leak the canary value into the actual function code; however the canary value is 64 bits and in RAX, while the XOR is only zeroing the lower 32 bits. For consistency and information security, this XOR should, I think, clear all of RAX (which is same-cost anyway both in size and execution) -- Summary: -fstack-protector leaks the upper bits of RAX Product: gcc Version: 4.1.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: c AssignedTo: unassigned at gcc dot gnu dot org ReportedBy: arjan at linux dot intel dot com GCC host triplet: x86_64-redhat-linux http://gcc.gnu.org/bugzilla/show_bug.cgi?id=26457
next reply other threads:[~2006-02-24 15:05 UTC|newest] Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top 2006-02-24 15:08 arjan at linux dot intel dot com [this message] 2006-02-24 15:12 ` [Bug target/26457] " jakub at gcc dot gnu dot org 2006-02-24 15:20 ` pinskia at gcc dot gnu dot org 2006-03-02 14:00 ` pinskia at gcc dot gnu dot org 2006-03-02 14:32 ` pluto at agmk dot net 2006-03-02 14:48 ` jakub at gcc dot gnu dot org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-26457-12259@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).