Bug 63293 - [AArch64] can read from deallocated stack
Summary: [AArch64] can read from deallocated stack
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: target
Version: 5.0
Importance: P3 normal
Target Milestone: 5.0
Assignee: Jiong Wang
URL:
Keywords: wrong-code
Depends on:
Blocks:
 
Reported: 2014-09-18 09:12 UTC by Jiong Wang
Modified: 2015-07-21 17:32 UTC

See Also:
Host:
Target: aarch64
Build:
Known to work:
Known to fail:
Last reconfirmed: 2014-09-18 00:00:00


Description Jiong Wang 2014-09-18 09:12:53 UTC
With GCC: (GNU) 5.0.0 20140917

Given the following testcase:


  typedef double t;

  void bar (t*);

  t g ()
  {
    t data[8192];

    data[4293] = data[4266] = 0;
    bar(data);
    return data[4293] + data[4266];
  }

Compiling with "-O2 -mno-lra -fomit-frame-pointer" we get:

        .cpu generic+fp+simd
        .file   "test.c"
        .text
        .align  2
        .global f
        .type   f, %function
f:
        add     x1, x0, 4093
        add     x0, x0, 4096
        ldr     d1, [x1]
        ldr     d0, [x0, 170]
        fadd    d0, d1, d0
        ret
        .size   f, .-f
        .align  2
        .global g
        .type   g, %function
g:
        sub     sp, sp, #65536
        fmov    d0, xzr
        str     x30, [sp, -16]!
        add     x1, sp, 32768
        add     x0, sp, 16
        str     d0, [x1, 1376]
        str     d0, [x1, 1592]
        bl      bar
        add     x0, sp, 32768
        ldr     x30, [sp], 16
        ldr     d0, [x0, 1376]
        add     sp, sp, 65536
        ldr     d1, [x0, 1592]
        fadd    d0, d1, d0
        ret

  Note that at the end we have x0=sp+32768; sp+=65536; ldr [x0+1592]
  Which means the last load is from deallocated stack space.

  This is a silent wrong-code bug of the worst kind; programs could fail sporadically with this if an interrupt happens at the wrong instant in time and data was written onto the current stack.
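The unsafe ordering the report describes (address register computed from sp, sp released, load through the stale register) can be checked mechanically in compiler output. The following is an added example, not part of GCC or of this report: a small Python scanner that simulates sp and the registers holding sp+offset through the g() epilogue shown above and reports every load whose address lies below the current sp. The sample assembly is the page's own; the straight-line, ldr/str/add/sub-only model is an assumption of the example.

```python
import re

# Constructed sample: the g() epilogue from the report above (the asm is the
# page's own; this scanner is an added example, not GCC code).
SAMPLE_ASM = """\
g:
        sub     sp, sp, #65536
        fmov    d0, xzr
        str     x30, [sp, -16]!
        add     x1, sp, 32768
        add     x0, sp, 16
        str     d0, [x1, 1376]
        str     d0, [x1, 1592]
        bl      bar
        add     x0, sp, 32768
        ldr     x30, [sp], 16
        ldr     d0, [x0, 1376]
        add     sp, sp, 65536
        ldr     d1, [x0, 1592]
        fadd    d0, d1, d0
        ret
"""

ADDSUB = re.compile(r"^\s*(add|sub)\s+(\w+),\s*sp,\s*#?(\d+)\s*$")
MEMOP = re.compile(r"^\s*(ldr|str)\s+\w+,\s*\[(\w+)(?:,\s*#?(-?\d+))?\](!?)(?:,\s*#?(-?\d+))?")
WRITES = re.compile(r"^\s*(?!st)(\w+)\s+(\w+)")   # first operand of a non-store = destination

def find_deallocated_stack_reads(asm):
    """Track sp and each register holding sp+offset through straight-line
    AArch64 asm, as offsets from sp at entry (the frame lies below 0). The
    stack grows down, so a load from below the *current* sp reads released
    memory; each such load is returned as (line_no, text). Heuristic only."""
    regs, hits = {"sp": 0}, []
    for no, line in enumerate(asm.splitlines(), 1):
        w = WRITES.match(line)
        if w and w.group(2) != "sp":            # conservatively forget any register
            regs.pop(w.group(2), None)          # written by something we don't model
        if m := ADDSUB.match(line):             # add/sub rd, sp, imm
            regs[m.group(2)] = regs["sp"] + int(m.group(3)) * (1 if m.group(1) == "add" else -1)
        elif re.match(r"^\s*bl\s", line):       # a call clobbers x0-x18 (AAPCS64)
            regs = {r: v for r, v in regs.items() if not re.fullmatch(r"x(\d|1[0-8])", r)}
        elif (m := MEMOP.match(line)) and m.group(2) in regs:
            op, base, off, pre, post = m.groups()
            cur = regs[base] + (int(off) if pre and off else 0)   # pre-index writeback
            addr = cur if pre or off is None else cur + int(off)
            if op == "ldr" and addr < regs["sp"]:                 # below sp: released stack
                hits.append((no, line.strip()))
            regs[base] = cur + (int(post) if post else 0)         # post-index writeback
    return hits
```

On the sample this reports only the final `ldr d1, [x0, 1592]`, while the `ldr d0, [x0, 1376]` that precedes the `add sp, sp, 65536` is correctly accepted.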
Comment 1 Andrew Pinski 2014-09-18 12:01:53 UTC
I don't remember seeing a stack tie being emitted from the backend.
Comment 2 ktkachov 2014-09-18 12:40:40 UTC
Confirmed
Comment 3 Jiong Wang 2014-10-28 11:14:47 UTC
Patch pending review here:

https://gcc.gnu.org/ml/gcc-patches/2014-09/msg02292.html
Comment 4 Jiong Wang 2014-11-04 17:13:57 UTC
Author: jiwang
Date: Tue Nov  4 17:13:25 2014
New Revision: 217091

URL: https://gcc.gnu.org/viewcvs?rev=217091&root=gcc&view=rev
Log:
[AArch64] fix unsafe access to deallocated stack

2014-11-04  Jiong Wang  <jiong.wang@arm.com>
2014-11-04  Wilco Dijkstra  <wilco.dijkstra@arm.com>

  gcc/
    PR target/63293
    * config/aarch64/aarch64.c (aarch64_expand_epilogue): Add barriers before
    stack adjustment.


Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/config/aarch64/aarch64.c
Comment 5 Jiong Wang 2014-11-04 17:15:35 UTC
mark as fixed.
Comment 6 collison 2015-02-10 08:17:41 UTC
Author: collison
Date: Tue Feb 10 08:17:09 2015
New Revision: 220574

URL: https://gcc.gnu.org/viewcvs?rev=220574&root=gcc&view=rev
Log:
2015-02-10  Michael Collison  <michael.collison@linaro.org>

	Backport from trunk r217091.
	2014-11-04  Jiong Wang  <jiong.wang@arm.com>
	2014-11-04  Wilco Dijkstra  <wilco.dijkstra@arm.com>

	PR target/63293
	* config/aarch64/aarch64.c (aarch64_expand_epilogue): Add barriers before
	stack adjustment.


Modified:
    branches/linaro/gcc-4_9-branch/gcc/ChangeLog.linaro
    branches/linaro/gcc-4_9-branch/gcc/config/aarch64/aarch64.c
Comment 7 ctice 2015-07-21 17:32:49 UTC
Author: ctice
Date: Tue Jul 21 17:32:17 2015
New Revision: 226049

URL: https://gcc.gnu.org/viewcvs?rev=226049&root=gcc&view=rev
Log:
Backport patch from GCC FSF to fix stack problem for aarch64:

2014-11-04  Jiong Wang  <jiong.wang@arm.com>
2014-11-04  Wilco Dijkstra  <wilco.dijkstra@arm.com>

  PR target/63293
  * config/aarch64/aarch64.c (aarch64_expand_epilogue): Add barriers before
  stack adjustment.


Modified:
    branches/google/gcc-4_9-mobile/gcc/config/aarch64/aarch64.c