public inbox for gcc-bugs@sourceware.org
* [Bug target/97928] New: -fstack-clash-protection probe miss
@ 2020-11-20 12:47 sguelton at redhat dot com
2020-11-23 14:44 ` [Bug target/97928] " marxin at gcc dot gnu.org
2020-11-23 15:34 ` law at redhat dot com
0 siblings, 2 replies; 3+ messages in thread
From: sguelton at redhat dot com @ 2020-11-20 12:47 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97928
Bug ID: 97928
Summary: -fstack-clash-protection probe miss
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: target
Assignee: unassigned at gcc dot gnu.org
Reporter: sguelton at redhat dot com
Target Milestone: ---
The compilation of the following code
```c
#include <alloca.h>

int square(int num) {
    char foo[6000];                 /* fixed frame larger than one page */
    char* bar = alloca(num * num);  /* variable-size allocation: forces the probe loop */
    return foo[num] + bar[num];
}
```
with gcc -fstack-clash-protection trunk yields the following assembly (full
assembly here https://godbolt.org/z/95636K)
```asm
square:
push rbp
mov rbp, rsp
sub rsp, 4096
or QWORD PTR [rsp], 0
sub rsp, 1936
#...
.L2:
cmp rsp, rdx
je .L3
sub rsp, 4096
or QWORD PTR [rsp+4088], 0
jmp .L2
#...
```
There's a potential sequence here that jumps over a `PAGE_SIZE` guard:
```asm
sub rsp, 1936
...
sub rsp, 4096
<< signal here >>
or QWORD PTR [rsp+4088], 0
```
If a signal is received at << signal here >>, then the stack may point behind
the page guard.
It seems to me the following achieves the same protection level.
```asm
.L2:
cmp rsp, rdx
je .L3
or QWORD PTR [rsp], 0
sub rsp, 4096
jmp .L2
```
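The race described in the report, replayed as an added model (this is not code from the bug report or from GCC). It feeds the two probe orderings above, unrolled to two loop iterations, into a small simulator that tracks the stack pointer and the lowest address written so far, places a single `PAGE_SIZE` guard page at every page position within reach of the allocation, and at every instruction boundary asks the defender's question: if a signal were delivered right now and the kernel wrote a frame below `rsp`, would it land past a guard page that nothing has touched yet? Assumptions made here: a one-page guard, the 128-byte red zone ignored, and a constructed page-aligned base address.

```c
/* Added model, not code from the bug report or from GCC. It replays the
 * two probe orderings from the report against a single PAGE_SIZE guard
 * page and asks, at every instruction boundary, whether an asynchronous
 * write below rsp (a signal frame) could land past an untouched guard.
 * Assumptions: one-page guard, loop unrolled to two iterations, the
 * 128-byte red zone ignored, constructed page-aligned base address. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u

typedef enum { OP_SUB, OP_TOUCH } op_kind;
typedef struct { op_kind kind; unsigned n; } op;   /* SUB n, or TOUCH [rsp+n] */

typedef struct {
    unsigned max_gap;      /* largest (lowest touched address - rsp) at a boundary */
    bool     clash_window; /* rsp got below the guard page before it was ever written */
} sim_result;

/* Replay `ops` from stack pointer sp0 with the guard at [guard_lo, guard_lo+PAGE_SIZE).
 * The caller's `call` already wrote the return address at sp0, so sp0 counts as
 * touched. The replay stops at the first write into the guard page: that is the
 * fault the protection depends on, and nothing after it executes. */
static sim_result simulate(const op *ops, size_t nops, uint64_t sp0, uint64_t guard_lo)
{
    sim_result r = { 0, false };
    uint64_t sp = sp0, lowest_touched = sp0;

    for (size_t i = 0; i < nops; i++) {
        if (ops[i].kind == OP_SUB) {
            sp -= ops[i].n;
            unsigned gap = (unsigned)(lowest_touched - sp);
            if (gap > r.max_gap)
                r.max_gap = gap;
            /* A signal delivered at this boundary pushes its frame below rsp.
             * If rsp has already passed the guard page, the frame lands in
             * whatever mapping sits beneath the guard: the clash. */
            if (sp < guard_lo)
                r.clash_window = true;
        } else {
            uint64_t addr = sp + ops[i].n;
            if (addr >= guard_lo && addr < guard_lo + PAGE_SIZE)
                return r;                     /* probe hit the guard: SIGSEGV */
            if (addr < lowest_touched)
                lowest_touched = addr;
        }
    }
    return r;
}

typedef struct { unsigned placements, windows, max_gap; } audit;

/* Try every 16-byte-aligned entry offset within a page and every guard page
 * within reach of the allocation; count the placements that expose a window. */
static audit audit_sequence(const op *ops, size_t nops)
{
    audit a = { 0, 0, 0 };
    const uint64_t base = 0x7fff0000ull;   /* constructed, page aligned */

    for (unsigned off = 0; off < PAGE_SIZE; off += 16)
        for (unsigned k = 1; k <= 5; k++) {
            sim_result r = simulate(ops, nops, base + off, base - (uint64_t)k * PAGE_SIZE);
            a.placements++;
            if (r.clash_window) a.windows++;
            if (r.max_gap > a.max_gap) a.max_gap = r.max_gap;
        }
    return a;
}

/* The prologue and loop from the report's godbolt output, two iterations unrolled. */
static const op as_emitted[] = {
    { OP_SUB, 4096 }, { OP_TOUCH, 0 },     /* sub rsp,4096 ; or [rsp],0           */
    { OP_SUB, 1936 },                       /* sub rsp,1936 ; no probe             */
    { OP_SUB, 4096 }, { OP_TOUCH, 4088 },   /* .L2: sub rsp,4096 ; or [rsp+4088],0 */
    { OP_SUB, 4096 }, { OP_TOUCH, 4088 },
};

/* The reporter's reordering: write at rsp first, then move rsp. */
static const op probe_first[] = {
    { OP_SUB, 4096 }, { OP_TOUCH, 0 },
    { OP_SUB, 1936 },
    { OP_TOUCH, 0 }, { OP_SUB, 4096 },      /* .L2: or [rsp],0 ; sub rsp,4096 */
    { OP_TOUCH, 0 }, { OP_SUB, 4096 },
    { OP_TOUCH, 0 },                        /* first write by the code after the loop */
};

audit audit_as_emitted(void)  { return audit_sequence(as_emitted, sizeof as_emitted / sizeof as_emitted[0]); }
audit audit_probe_first(void) { return audit_sequence(probe_first, sizeof probe_first / sizeof probe_first[0]); }

static void report(const char *name, audit a)
{
    printf("%-12s max gap %5u bytes, clash window in %u of %u placements\n",
           name, a.max_gap, a.windows, a.placements);
}

int main(void)
{
    report("as emitted", audit_as_emitted());
    report("probe first", audit_probe_first());
    return 0;
}
```

The model reports a nonzero number of window placements for the sequence as emitted and zero for the reordered one. Its worst-case gap between `rsp` and the last written address is 4096 bytes for the reordered loop, so the pointer can never be below an untouched page, whereas the emitted order reaches 6032 bytes at the boundary the report singles out and 8184 bytes after the next iteration's `sub`, because the loop's probe at `[rsp+4088]` lands at the top of the page just allocated rather than at `rsp`. The same harness can be pointed at any other prologue by transcribing its `sub`/probe instructions into an `op` table.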
* [Bug target/97928] -fstack-clash-protection probe miss
From: marxin at gcc dot gnu.org @ 2020-11-23 14:44 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97928
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |marxin at gcc dot gnu.org
--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
@Jeff: Can you please take a look?
* [Bug target/97928] -fstack-clash-protection probe miss
From: law at redhat dot com @ 2020-11-23 15:34 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97928
Jeffrey A. Law <law at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Last reconfirmed| |2020-11-23
Ever confirmed|0 |1
Status|UNCONFIRMED |NEW
CC| |law at redhat dot com
--- Comment #2 from Jeffrey A. Law <law at redhat dot com> ---
I took a peek when Serge pointed me at the issue. I think there's a window
where a signal handler could clash. It'd be hard to exploit, but we should fix
it. It's on my TODO list.