This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: Stack protector: leak of guard's address on stack


It's not the canary which is spilled in this case, but the address of the
canary. Which means an attacker could make it point to something other than
the real canary.

On 27 April 2018 at 13:16, Jakub Jelinek <jakub@redhat.com> wrote:

> On Thu, Apr 19, 2018 at 06:17:26PM +0100, Thomas Preudhomme wrote:
> > For stack protector to be robust, at no point in time must the guard against
> > which the canary is compared be spilled to the stack. This is achieved
> > by having a dedicated insn pattern for setting the canary and comparing it
> > against the guard which doesn't reflect at RTL what is happening. However
> > computing the address of the guard is done using the standard movsi pattern and
> > can thus be spilled (see PR85434). I'm reaching out to the community for
> > ideas on how to avoid this.
>
> Usually targets just put the canary into TLS area, then there is nothing to
> spill.
>
>         Jakub
>