Bug 97928 - -fstack-clash-protection probe miss
Summary: -fstack-clash-protection probe miss
Status: NEW
Product: gcc
Classification: Unclassified
Component: target
Version: 11.0
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2020-11-20 12:47 UTC by sguelton
Modified: 2020-11-26 08:29 UTC
Target: x86_64-*-*
Last reconfirmed: 2020-11-23 00:00:00


Description sguelton 2020-11-20 12:47:37 UTC
The compilation of the following code

```c
#include <alloca.h>

int square(int num) {
    char foo[6000];
    char* bar = alloca(num * num);
    return foo[num] + bar[num];
}
```

with gcc -fstack-clash-protection trunk yields the following assembly (full assembly here https://godbolt.org/z/95636K)

```asm
square:
        push    rbp
        mov     rbp, rsp
        sub     rsp, 4096
        or      QWORD PTR [rsp], 0
        sub     rsp, 1936
#...
.L2:
        cmp     rsp, rdx
        je      .L3
        sub     rsp, 4096
        or      QWORD PTR [rsp+4088], 0
        jmp     .L2
#...
```

There's a potential sequence here that jumps over a `PAGE_SIZE` guard:

```asm
sub     rsp, 1936
...
sub     rsp, 4096
<< signal here >>
or      QWORD PTR [rsp+4088], 0
```

If a signal is received at `<< signal here >>`, then the stack may point behind the page guard.

It seems to me the following achieves the same protection level.

```asm
.L2:
        cmp     rsp, rdx
        je      .L3
        or      QWORD PTR [rsp], 0
        sub     rsp, 4096
        jmp     .L2
```
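
As an added illustration (not code from the report or from GCC), the following simulates both loop bodies quoted above and reports every instruction after which `rsp` sits more than one page below the lowest byte the function has already written, which is exactly where an asynchronous signal frame could be pushed past an untouched guard page. The one-page rule, the initial state (return-address slot already touched) and the fixed number of loop iterations are assumptions; the real loop runs until `rsp == rdx`.

```python
# Added example: model of the -fstack-clash-protection prologue from the
# report.  PAGE_SIZE, the "rsp never more than one page below the last
# probe" rule and the loop count are assumptions, not GCC's own logic.
PAGE_SIZE = 4096

def prologue(loop_body, iters=3):
    """Constructed prologue: push rbp, first-page probe, the 1936-byte
    partial adjustment, then `iters` copies of the probe loop body."""
    seq = [("push",), ("sub", 4096), ("probe", 0), ("sub", 1936)]
    return seq + loop_body * iters

# Loop body as emitted by gcc trunk: decrement first, probe afterwards.
GCC_LOOP = [("sub", 4096), ("probe", 4088)]
# Loop body proposed in the report: probe first, then decrement.
PROPOSED_LOOP = [("probe", 0), ("sub", 4096)]

def unprobed_windows(seq, page_size=PAGE_SIZE):
    """Return indices of instructions after which rsp is more than
    page_size below the lowest address already written.  At such a point a
    signal frame written below rsp can skip over the guard page entirely.
    Addresses are offsets from the entry rsp; offset 0 (the return address
    slot) counts as already touched."""
    rsp, lowest_touched = 0, 0
    windows = []
    for i, ins in enumerate(seq):
        if ins[0] == "push":               # push rbp: writes at new rsp
            rsp -= 8
            lowest_touched = min(lowest_touched, rsp)
        elif ins[0] == "sub":              # sub rsp, n: no memory access
            rsp -= ins[1]
        elif ins[0] == "probe":            # or QWORD PTR [rsp+off], 0
            lowest_touched = min(lowest_touched, rsp + ins[1])
        else:
            raise ValueError(f"unknown instruction {ins!r}")
        if lowest_touched - rsp > page_size:
            windows.append(i)
    return windows

if __name__ == "__main__":
    for name, body in (("gcc trunk", GCC_LOOP), ("proposed", PROPOSED_LOOP)):
        seq = prologue(body)
        bad = unprobed_windows(seq)
        print(f"{name}: windows after instructions {bad or 'none'}")
        for i in bad:
            print(f"  [{i}] {seq[i]} leaves rsp >{PAGE_SIZE} bytes unprobed")
```

With the trunk loop the model flags every `sub rsp, 4096` inside the loop (the gap reaches 8184 bytes on the second iteration); with the proposed ordering the gap never exceeds one page.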
Comment 1 Martin Liška 2020-11-23 14:44:10 UTC
@Jeff: Can you please take a look?
Comment 2 Jeffrey A. Law 2020-11-23 15:34:52 UTC
I took a peek when Serge pointed me at the issue.  I think there's a window where a signal handler could clash.  It'd be hard to exploit, but we should fix it.  It's on my TODO list.