Re: [PATCH v2] Disable -fsplit-stack support on non-glibc targets

[Uros Bizjak <ubizjak@gmail.com>]

On Thu, Jan 20, 2022 at 11:52 PM Richard Sandiford
<richard.sandiford@arm.com> wrote:
>
> cc:ing the x86 and s390 maintainers
>
> soeren--- via Gcc-patches <gcc-patches@gcc.gnu.org> writes:
> > From: Sören Tempel <soeren@soeren-tempel.net>
> >
> > The -fsplit-stack option requires the pthread_t TCB definition in the
> > libc to provide certain struct fields at specific hardcoded offsets. As
> > far as I know, only glibc provides these fields at the required offsets.
> > Most notably, musl libc does not have these fields. However, since gcc
> > accesses the fields using a fixed offset, this does not cause a
> > compile-time error, but instead results in a silent memory corruption at
> > run-time with musl libc. For example, on s390x libgcc's
> > __stack_split_initialize CTOR will overwrite the cancel field in the
> > pthread_t TCB on musl.
> >
> > The -fsplit-stack option is used within the gcc code base itself by
> > gcc-go (if available). On musl-based systems with split-stack support
> > (i.e. s390x or x86) this causes Go programs compiled with gcc-go to
> > misbehave at run-time.
> >
> > This patch fixes gcc-go on musl by disabling -fsplit-stack in gcc itself
> > since it is not supported on non-glibc targets anyhow. This is achieved
> > by checking if gcc targets a glibc-based system. This check has been
> > added for x86 and s390x, the rs6000 config already checks for
> > TARGET_GLIBC_MAJOR. Other architectures do not have split-stack
> > support. With this patch applied, the gcc-go configure script will
> > detect that -fsplit-stack support is not available and will not use it.
> >
> > See https://www.openwall.com/lists/musl/2012/10/16/12
> >
> > This patch was written under the assumption that glibc is the only libc
> > implementation which supports the required fields at the required
> > offsets in the pthread_t TCB. The patch has been tested on Alpine Linux
> > Edge on the s390x and x86 architectures by bootstrapping Google's Go
> > implementation with gcc-go.
> >
> > Signed-off-by: Sören Tempel <soeren@soeren-tempel.net>
> >
> > gcc/ChangeLog:
> >
> >       * common/config/s390/s390-common.c (s390_supports_split_stack):
> >       Only support split-stack on glibc targets.
> >       * config/i386/gnu-user-common.h (STACK_CHECK_STATIC_BUILTIN): Ditto.
> >       * config/i386/gnu.h (defined): Ditto.

LGTM for x86 parts.

Thanks,
Uros.

> > ---
> > This version of the patch addresses feedback by Andrew Pinski and uses
> > OPTION_GLIBC as well as opts->x_linux_libc == LIBC_GLIBC to detect glibc
> > targets (instead of relying on TARGET_GLIBC_MAJOR).
> >
> >  gcc/common/config/s390/s390-common.c | 11 +++++++++--
> >  gcc/config/i386/gnu-user-common.h    |  5 +++--
> >  gcc/config/i386/gnu.h                |  6 +++++-
> >  3 files changed, 17 insertions(+), 5 deletions(-)
>
> Sorry for the slow review.  The patch LGTM bar some minor formatting
> nits below, but target maintainers should have the final say.
>
> > diff --git a/gcc/common/config/s390/s390-common.c b/gcc/common/config/s390/s390-common.c
> > index b6bc8501742..fc86e0bc5e7 100644
> > --- a/gcc/common/config/s390/s390-common.c
> > +++ b/gcc/common/config/s390/s390-common.c
> > @@ -116,13 +116,20 @@ s390_handle_option (struct gcc_options *opts ATTRIBUTE_UNUSED,
> >
> >  /* -fsplit-stack uses a field in the TCB, available with glibc-2.23.
> >     We don't verify it, since earlier versions just have padding at
> > -   its place, which works just as well.  */
> > +   its place, which works just as well. For other libc implementations
>
> GCC style is to use 2 spaces after a full stop.  Same for the x86 part.
>
> > +   we disable the feature entirely to avoid corrupting the TCB.  */
> >
> >  static bool
> >  s390_supports_split_stack (bool report ATTRIBUTE_UNUSED,
> >                          struct gcc_options *opts ATTRIBUTE_UNUSED)
>
> These parameters are no longer unused after the patch, so it'd be good
> to remove the attributes.
>
> >  {
> > -  return true;
> > +  if (opts->x_linux_libc == LIBC_GLIBC) {
> > +    return true;
> > +  } else {
> > +    if (report)
> > +      error("%<-fsplit-stack%> currently only supported on GNU/Linux");
> > +    return false;
> > +  }
>
> Normal GCC formatting would be something like:
>
>   if (opts->x_linux_libc == LIBC_GLIBC)
>     return true;
>
>   if (report)
>     error ("%<-fsplit-stack%> currently only supported on GNU/Linux");
>   return false;
>
> Sorry for the fussy rules.
>
> Thanks,
> Richard
>
> >  }
> >
> >  #undef TARGET_DEFAULT_TARGET_FLAGS
> > diff --git a/gcc/config/i386/gnu-user-common.h b/gcc/config/i386/gnu-user-common.h
> > index 00226f5a455..6e13315b5a3 100644
> > --- a/gcc/config/i386/gnu-user-common.h
> > +++ b/gcc/config/i386/gnu-user-common.h
> > @@ -66,7 +66,8 @@ along with GCC; see the file COPYING3.  If not see
> >  #define STACK_CHECK_STATIC_BUILTIN 1
> >
> >  /* We only build the -fsplit-stack support in libgcc if the
> > -   assembler has full support for the CFI directives.  */
> > -#if HAVE_GAS_CFI_PERSONALITY_DIRECTIVE
> > +   assembler has full support for the CFI directives and
> > +   targets glibc.  */
> > +#if HAVE_GAS_CFI_PERSONALITY_DIRECTIVE && OPTION_GLIBC
> >  #define TARGET_CAN_SPLIT_STACK
> >  #endif
> > diff --git a/gcc/config/i386/gnu.h b/gcc/config/i386/gnu.h
> > index 25fbc07f58c..adfe817201e 100644
> > --- a/gcc/config/i386/gnu.h
> > +++ b/gcc/config/i386/gnu.h
> > @@ -35,7 +35,11 @@ along with GCC.  If not, see <http://www.gnu.org/licenses/>.
> >     crti.o%s %{static:crtbeginT.o%s;shared|pie:crtbeginS.o%s;:crtbegin.o%s}"
> >  #endif
> >
> > -#ifdef TARGET_LIBC_PROVIDES_SSP
> > +/* -fsplit-stack uses a field in the TCB at a fixed offset. This
> > +   field is only available for glibc. Disable -fsplit-stack for
> > +   other libc implementation to avoid silent TCB corruptions.  */
> > +
> > +#if defined (TARGET_LIBC_PROVIDES_SSP) && OPTION_GLIBC
> >
> >  /* i386 glibc provides __stack_chk_guard in %gs:0x14.  */
> >  #define TARGET_THREAD_SSP_OFFSET        0x14