This is the mail archive of the
gcc-bugs@gcc.gnu.org
mailing list for the GCC project.
[Bug c/26457] New: -fstack-protector leaks the upper bits of RAX
- From: "arjan at linux dot intel dot com" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: 24 Feb 2006 15:05:42 -0000
- Subject: [Bug c/26457] New: -fstack-protector leaks the upper bits of RAX
- Reply-to: gcc-bugzilla at gcc dot gnu dot org
The following code snippet, compiled with -Os -fstack-protector:
#include <string.h>
int StringChecksum(char *s)
{
char buffer[2048];
int i;
int checksum = 0;
memset(buffer, 0, 2048);
strcpy(buffer, s);
for (i=0; i<2048; i++)
checksum += buffer[i];
return checksum;
}
leads to the following snippet of assembly for the part where gcc puts the
canary value on the stack: (part of the full assembly of the function)
movq %rsp, %rdi
movq %fs:40, %rax
movq %rax, 2056(%rsp)
xorl %eax, %eax
call memset
the key instruction for this bug is the "xorl %eax, %eax". The intent of that
instruction seems to be to not leak the canary value into the actual function
code; however the canary value is 64 bits and in RAX, while the XOR is only
zeroing the lower 32 bits. For consistency and information security, this XOR
should, I think, clear all of RAX (which is same-cost anyway both in size and
execution)
--
Summary: -fstack-protector leaks the upper bits of RAX
Product: gcc
Version: 4.1.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: arjan at linux dot intel dot com
GCC host triplet: x86_64-redhat-linux
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=26457