Date: Wed, 21 Nov 2018 17:54:00 -0000
From: Segher Boessenkool
To: Thomas Preudhomme
Cc: kyrylo.tkachov@foss.arm.com, Ramana Radhakrishnan, Richard Earnshaw, gcc-patches@gcc.gnu.org
Subject: Re: [PATCH, ARM, ping3] PR85434: Prevent spilling of stack protector guard's address on ARM
Message-ID: <20181121175414.GI23873@gate.crashing.org>
References: <5BAA5DD7.1070502@foss.arm.com> <5BE45BE6.3030902@foss.arm.com>

On Fri, Nov 16, 2018 at 02:56:46PM +0000, Thomas Preudhomme wrote:
> In case of high register pressure in PIC mode, the address of the stack
> protector's guard can be spilled on ARM targets as shown in PR85434,
> thus allowing an attacker to control what the canary would be compared
> against.
> ARM does lack stack_protect_set and stack_protect_test insn
> patterns, but defining them does not help, as the address is expanded
> regularly and the patterns only deal with the copy and test of the
> guard with the canary.
>
> This problem does not occur for x86 targets because the PIC access and
> the test can be done in the same instruction. AArch64 is exempt too
> because its PIC access insn patterns are movs of an UNSPEC, which prevents
> the second access in the epilogue from being CSEd in the cse_local pass
> with the first access in the prologue.

The unspecs are not CSEd because they are *different* unspecs
(UNSPEC_SP_SET vs. UNSPEC_SP_TEST; they have different args too, a
different number of args even).  Two of the same unspecs can be CSEd just
fine.


Segher