[Bug target/96191] aarch64 stack_protect_test canary leak

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

From: "cvs-commit at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug target/96191] aarch64 stack_protect_test canary leak
Date: Fri, 07 Aug 2020 11:18:01 +0000	[thread overview]
Message-ID: <bug-96191-4-EXUfo4mNh1@http.gcc.gnu.org/bugzilla/> (raw)
In-Reply-To: <bug-96191-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96191

--- Comment #8 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-9 branch has been updated by Richard Sandiford
<rsandifo@gcc.gnu.org>:

https://gcc.gnu.org/g:5380912a17ea09a8996720fb62b1a70c16c8f9f2

commit r9-8794-g5380912a17ea09a8996720fb62b1a70c16c8f9f2
Author: Richard Sandiford <richard.sandiford@arm.com>
Date:   Fri Aug 7 12:17:37 2020 +0100

    aarch64: Clear canary value after stack_protect_test [PR96191]

    The stack_protect_test patterns were leaving the canary value in the
    temporary register, meaning that it was often still in registers on
    return from the function.  An attacker might therefore have been
    able to use it to defeat stack-smash protection for a later function.

    gcc/
            PR target/96191
            * config/aarch64/aarch64.md (stack_protect_test_<mode>): Set the
            CC register directly, instead of a GPR.  Replace the original GPR
            destination with an extra scratch register.  Zero out operand 3
            after use.
            (stack_protect_test): Update accordingly.

    gcc/testsuite/
            PR target/96191
            * gcc.target/aarch64/stack-protector-1.c: New test.
            * gcc.target/aarch64/stack-protector-2.c: Likewise.

    (cherry picked from commit fe1a26429038d7cd17abc53f96a6f3e2639b605f)

next prev parent reply	other threads:[~2020-08-07 11:18 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-14  2:49 [Bug target/96191] New: " wilson at gcc dot gnu.org
2020-07-14  8:22 ` [Bug target/96191] " rsandifo at gcc dot gnu.org
2020-07-14 18:58 ` wilco at gcc dot gnu.org
2020-07-14 22:30 ` wilson at gcc dot gnu.org
2020-08-05 14:19 ` cvs-commit at gcc dot gnu.org
2020-08-06 18:20 ` cvs-commit at gcc dot gnu.org
2020-08-07 11:15 ` cvs-commit at gcc dot gnu.org
2020-08-07 11:15 ` cvs-commit at gcc dot gnu.org
2020-08-07 11:18 ` cvs-commit at gcc dot gnu.org [this message]
2020-08-07 11:18 ` cvs-commit at gcc dot gnu.org
2020-11-17 18:17 ` cvs-commit at gcc dot gnu.org

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-96191-4-EXUfo4mNh1@http.gcc.gnu.org/bugzilla/ \
    --to=gcc-bugzilla@gcc.gnu.org \
    --cc=gcc-bugs@gcc.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).