public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "arjan at linux dot intel dot com" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c/26457]  New: -fstack-protector leaks the upper bits of RAX
Date: Fri, 24 Feb 2006 15:08:00 -0000	[thread overview]
Message-ID: <bug-26457-12259@http.gcc.gnu.org/bugzilla/> (raw)

The following code snippet, compiled with -Os -fstack-protector:
#include <string.h>


int  StringChecksum(char *s)
{
        char buffer[2048];
        int i;
        int checksum = 0;

        memset(buffer, 0, 2048);
        strcpy(buffer, s);

        for (i=0; i<2048; i++)
                checksum += buffer[i];

        return checksum;
}

leads to the following snippet of assembly for the part where gcc puts the
canary value on the stack: (part of the full assembly of the function)

        movq    %rsp, %rdi
        movq    %fs:40, %rax
        movq    %rax, 2056(%rsp)
        xorl    %eax, %eax
        call    memset

the key instruction for this bug is the "xorl %eax, %eax". The intent of that
instruction seems to be to not leak the canary value into the actual function
code; however the canary value is 64 bits and in RAX, while the XOR is only
zeroing the lower 32 bits. For consistency and information security, this XOR
should, I think, clear all of RAX (which is same-cost anyway both in size and
execution)


-- 
           Summary: -fstack-protector leaks the upper bits of RAX
           Product: gcc
           Version: 4.1.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: arjan at linux dot intel dot com
  GCC host triplet: x86_64-redhat-linux


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=26457


             reply	other threads:[~2006-02-24 15:05 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-02-24 15:08 arjan at linux dot intel dot com [this message]
2006-02-24 15:12 ` [Bug target/26457] " jakub at gcc dot gnu dot org
2006-02-24 15:20 ` pinskia at gcc dot gnu dot org
2006-03-02 14:00 ` pinskia at gcc dot gnu dot org
2006-03-02 14:32 ` pluto at agmk dot net
2006-03-02 14:48 ` jakub at gcc dot gnu dot org

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-26457-12259@http.gcc.gnu.org/bugzilla/ \
    --to=gcc-bugzilla@gcc.gnu.org \
    --cc=gcc-bugs@gcc.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).