This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: Stack protector: leak of guard's address on stack


On x86 yes, it's actually done in the same instruction that's doing the
comparison if I'm not mistaken. That is not the case for arm and aarch64
though, where loading the canary is done separately from the comparison and
does not involve an offset. Computing the address from which to do the load
is yet again done in a separate instruction. Since these are extra
instructions and the address of the canary does not change between the
prologue and epilogue, CSE is done on the address (only on the arm backend
though) and due to register pressure the address is spilled on the stack.

On 27 April 2018 at 13:22, Jakub Jelinek <jakub@redhat.com> wrote:

> On Fri, Apr 27, 2018 at 01:17:50PM +0100, Thomas Preudhomme wrote:
> > It's not the canary which is spilled in this case, but the address to the
> > canary. Which means an attacker could make it point to something else than
> > the real canary.
>
> When the canary is in the TLS area, it is usually a small constant away from some
> base register (or segment register) and there is no possibility of having
> that spilled; the addition is always done in the instruction performing the
> memory read of the canary.
>
>         Jakub
>
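A constructed C model of the two epilogue shapes compared in this exchange, added here as an example and not code from GCC or from the thread's authors; the frame layout, the guard value and the function names are assumptions. It shows why a guard read as base register plus constant offset cannot be redirected by corruption of the frame, while a guard address that was spilled to the stack can be.

```c
#include <stdint.h>

/* Constructed model, not GCC's code generation: one stack frame whose
 * slots mirror what the thread describes. Names and layout are assumptions. */
typedef struct {
    char buf[8];                          /* local buffer an overflow starts in      */
    uintptr_t saved_canary;               /* prologue's copy of the guard value      */
    const uintptr_t *spilled_guard_addr;  /* arm-style: CSE'd guard address, spilled */
} frame_t;

/* Stands in for the real guard in TLS / __stack_chk_guard. Constructed value. */
static const uintptr_t real_guard = 0x5a5a5a5au;

static void prologue(frame_t *f) {
    f->saved_canary = real_guard;
    f->spilled_guard_addr = &real_guard;   /* address computed once, then spilled */
}

/* x86-style epilogue: the guard is read as base register + constant offset in
 * the comparing instruction itself, so nothing on the stack can redirect it. */
static int epilogue_tls_relative(const frame_t *f) {
    return f->saved_canary != real_guard;  /* 1 = corruption detected */
}

/* arm/aarch64-style epilogue as described: the guard's address is reloaded
 * from its spill slot, dereferenced, and only then compared. */
static int epilogue_spilled_address(const frame_t *f) {
    return f->saved_canary != *f->spilled_guard_addr;
}

/* Simulate a frame whose saved canary was overwritten. Returns a bit mask:
 * bit 0 = TLS-relative check detects it, bit 1 = spilled-address check does. */
int run_scenario(int spill_slot_also_overwritten) {
    frame_t f;
    int result = 0;
    prologue(&f);
    f.saved_canary = 0x41414141u;  /* the overwritten copy of the guard */
    if (spill_slot_also_overwritten)
        f.spilled_guard_addr = &f.saved_canary;  /* no longer points at the real guard */
    if (epilogue_tls_relative(&f))   result |= 1;
    if (epilogue_spilled_address(&f)) result |= 2;
    return result;
}
```

With only the saved copy overwritten both checks fire; once the spill slot is also overwritten, only the TLS-relative check still detects the corruption.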

