The compilation of the following code

```c
#include <alloca.h>

int square(int num) {
    char foo[6000];
    char* bar = alloca(num * num);
    return foo[num] + bar[num];
}
```

with gcc -fstack-clash-protection trunk yields the following assembly (full assembly here https://godbolt.org/z/95636K)

```asm
square:
        push    rbp
        mov     rbp, rsp
        sub     rsp, 4096
        or      QWORD PTR [rsp], 0
        sub     rsp, 1936
        #...
.L2:
        cmp     rsp, rdx
        je      .L3
        sub     rsp, 4096
        or      QWORD PTR [rsp+4088], 0
        jmp     .L2
        #...
```

there's a potential sequence here that jumps over a `PAGE_SIZE` guard:

```asm
        sub     rsp, 1936
        ...
        sub     rsp, 4096
        << signal here >>
        or      QWORD PTR [rsp+4088], 0
```

If a signal is received at << signal here >>, then the stack may point behind the page guard. It seems to me the following achieves the same protection level.

```asm
.L2:
        cmp     rsp, rdx
        je      .L3
        or      QWORD PTR [rsp], 0
        sub     rsp, 4096
        jmp     .L2
```
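The window described in the report can be checked mechanically: at every instruction boundary, measure how far rsp sits below the lowest address a probe (or push) has already touched. If that distance ever exceeds one page, a signal frame written at rsp could land past an untouched guard page. The script below is an added illustration and is not part of the bug report or of GCC; the instruction lists `REPORTED_PROLOGUE`, `REPORTED_LOOP` and `PROPOSED_LOOP` are straight-line transcriptions of the listings above with the `cmp`/`je`/`jmp` control flow unrolled, and the helper names are this example's own. The model deliberately ignores the x86-64 red zone and the size of the signal frame, both of which push the real write further below rsp, so it understates the window rather than overstating it. It also runs the loop for more than one iteration, which goes slightly beyond the single `<< signal here >>` point the report names.

```python
import re

PAGE_SIZE = 4096  # size of the guard page the probes are meant to hit

# Constructed straight-line models of the listings in the report above
# (control flow of the .L2 loop is unrolled by unroll() below).
REPORTED_PROLOGUE = [
    "push rbp",
    "sub rsp, 4096",
    "or QWORD PTR [rsp], 0",
    "sub rsp, 1936",
]
REPORTED_LOOP = ["sub rsp, 4096", "or QWORD PTR [rsp+4088], 0"]  # adjust, then probe
PROPOSED_LOOP = ["or QWORD PTR [rsp], 0", "sub rsp, 4096"]        # probe, then adjust

_SUB_RE = re.compile(r"^\s*sub\s+rsp,\s*(\d+)\s*$")
_PROBE_RE = re.compile(r"^\s*or\s+QWORD PTR \[rsp(?:\+(\d+))?\],\s*0\s*$")


def unroll(prologue, loop_body, iterations):
    """Flatten the prologue plus `iterations` copies of the loop body."""
    return list(prologue) + list(loop_body) * iterations


def probe_gaps(instructions, initial_sp=0x7FFF_FFFF_E000):
    """Bytes between the lowest probed address and rsp after each instruction.

    A signal frame delivered at that instruction boundary is written starting
    at rsp, so this is how far below known-mapped memory the kernel would write.
    """
    sp = initial_sp
    lowest_probed = initial_sp  # the caller's frame at rsp is already mapped
    gaps = []
    for ins in instructions:
        if ins.strip() == "push rbp":
            sp -= 8
            lowest_probed = min(lowest_probed, sp)  # a push stores at the new rsp
        elif (m := _SUB_RE.match(ins)):
            sp -= int(m.group(1))
        elif (m := _PROBE_RE.match(ins)):
            lowest_probed = min(lowest_probed, sp + int(m.group(1) or 0))
        else:
            raise ValueError(f"unsupported instruction: {ins!r}")
        gaps.append(lowest_probed - sp)
    return gaps


def max_unprobed_gap(instructions):
    """Largest gap reached at any instruction boundary of the sequence."""
    return max(probe_gaps(instructions))


def signal_can_skip_guard(instructions):
    """True if rsp is ever more than one page below the last probed address."""
    return max_unprobed_gap(instructions) > PAGE_SIZE


if __name__ == "__main__":
    for name, loop in (("reported", REPORTED_LOOP), ("proposed", PROPOSED_LOOP)):
        seq = unroll(REPORTED_PROLOGUE, loop, 3)
        gaps = probe_gaps(seq)
        worst = max(gaps)
        print(f"{name}: worst gap {worst} bytes after {seq[gaps.index(worst)]!r}; "
              f"signal can skip guard: {signal_can_skip_guard(seq)}")
```

Running it reproduces the report's first window (6032 bytes after the loop's first `sub rsp, 4096`) and shows that with the `[rsp+4088]` probe the gap before every later `sub` is 8184 bytes, while the probe-then-adjust order never leaves rsp more than exactly one page below a probed address. Checking the gap at instruction boundaries is the property a reviewer of probe sequences actually wants, since the `cmp`/`je` bookkeeping does not touch memory and cannot close the window.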
@Jeff: Can you please take a look?
I took a peek when Serge pointed me at the issue. I think there's a window where a signal handler could clash. It'd be hard to exploit, but we should fix it. It's on my TODO list.