Compiling this little bit of code with -fstack-protector-all extern int foo (int); int bar (int a, int b) { return foo (a + b); } produces on x86-64 the following object code: 0: 01 f7 add %esi,%edi 2: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 9: 00 00 b: 48 89 44 24 f8 mov %rax,0xfffffffffffffff8(%rsp) 10: 31 c0 xor %eax,%eax 12: e9 00 00 00 00 jmpq 17 <bar+0x17> The canary is set up but not tested. Before the jump to the next function the value must be checked. This also applies to -fstack-protector (with appropriate input) and to all architectures.
Confirmed, it is a little more obvious on ppc-darwin: _bar: mflr r0 stmw r29,-12(r1) stw r0,8(r1) stwu r1,-96(r1) lis r29,ha16(___stack_chk_guard) la r29,lo16(___stack_chk_guard)(r29) lwz r0,0(r29) stw r0,76(r1) li r0,0 add r3,r3,r4 bl _foo lwz r0,76(r1) lwz r2,0(r29) xor. r0,r0,r2 li r2,0 beq+ cr0,L3 bl ___stack_chk_fail L3: addi r1,r1,96 lwz r0,8(r1) mtlr r0 lmw r29,-12(r1) blr
Created attachment 9424 [details] proposed patch This should fix it. I'm not sure how to go about testing this though...
Subject: Bug 23221 CVSROOT: /cvs/gcc Module name: gcc Changes by: rth@gcc.gnu.org 2005-08-04 03:57:43 Modified files: gcc : ChangeLog calls.c function.c tree.h Log message: PR 23221 * function.c (stack_protect_epilogue): Export. * tree.h (stack_protect_epilogue): Declare. * calls.c (expand_call): Call it. Patches: http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/ChangeLog.diff?cvsroot=gcc&r1=2.9652&r2=2.9653 http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/calls.c.diff?cvsroot=gcc&r1=1.398&r2=1.399 http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/function.c.diff?cvsroot=gcc&r1=1.639&r2=1.640 http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/tree.h.diff?cvsroot=gcc&r1=1.750&r2=1.751
Fixed.