[Bug sanitizer/58543] Invalid unpoisoning of stack redzones on ARM

dodji at seketeli dot org gcc-bugzilla@gcc.gnu.org
Mon Sep 30 10:15:00 GMT 2013


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58543

--- Comment #4 from dodji at seketeli dot org <dodji at seketeli dot org> ---
Thank you for reporting this bug.

Please find my comments below,


"y.gribov at samsung dot com" <gcc-bugzilla@gcc.gnu.org> wrote:

> Prologue seems to poison words at frame_shadow_base + { 0, 4, 8, 12, 16, 24,
> 28}:

Right.

>
>   add  r4, r3, #536870912
>   ldr  r3, .L3+8
>   str  r3, [r4]
>   ldr  r3, .L3+12
>   str  r3, [r4, #4]
>   ldr  r3, .L3+16
>   str  r3, [r4, #8]
>   ldr  r3, .L3+20
>   str  r3, [r4, #12]
>   ldr  r3, .L3+16
>   str  r3, [r4, #16]
>   ldr  r3, .L3+20
>   str  r3, [r4, #24]
>   ldr  r3, .L3+24
>   str  r3, [r4, #28]
>
> Whereas epilogue poisons frame_shadow_base + { 0, 4, 8, 12, 16, 40, 44}:

I guess you mean *un*poison here.

>   add  r3, r4, #20
> .L1:
>   mov  r2, #0
>   str  r2, [r4]
>   add  r4, r4, #4
>   cmp  r4, r3
>   bcc  .L1

My understanding is that in the loop above, we are setting the memory
pointed to by frame_shadow_base + { 0, 4, 8, 12, 16} to zero.

And in the code below, we are preparing to set the memory pointed to by
frame_shadow_base + {24, 28} to zero.

>   add  r3, r4, #24   ; r3 gets invalid value here

Why is r3 invalid?  It's being set to #24, so that the strb r2, [r3]
below writes a zero byte to [r4,#24].

Or what am I missing?

>   mov  r2, #0
>   strb  r2, [r3]
>   add  r3, r3, #1
>   mov  r2, #0
>   strb  r2, [r3]
>   add  r3, r3, #1
>   mov  r2, #0
>   strb  r2, [r3]
>   add  r3, r3, #1
>   mov  r2, #0
>   strb  r2, [r3]
>   add  r3, r3, #1
>   mov  r2, #0
>   strb  r2, [r3]
>   add  r3, r3, #1
>   mov  r2, #0
>   strb  r2, [r3]
>   add  r3, r3, #1
>   mov  r2, #0
>   strb  r2, [r3]
>   add  r3, r3, #1
>   mov  r2, #0
>   strb  r2, [r3]
>
> This causes some shadow bytes to remain set after function returns. Those may
> trigger incorrect Asan errors later.

I am guessing that you have a short and self contained example of an
asan error that is caused by a wrong epilogue.  Would it be possible
that you file it so that I can understand better what is going on?

Thanks.
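To make the disagreement about `add r3, r4, #24` concrete, the following C model replays the two quoted epilogue sequences against a small array standing in for the frame's shadow bytes. It is an added illustration, not code from GCC, libasan or either participant; the shadow-byte pattern, the array size and the function names are assumptions. The point it exercises is visible in the quoted assembly itself: the word loop advances r4 by 4 on each iteration and exits only when r4 reaches r3 (base + 20), so by the time `add r3, r4, #24` runs, r4 is no longer the frame's shadow base, and the eight `strb` stores land at base + 44 onward rather than at base + 24 where the prologue wrote its last two redzone words.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model, not GCC or libasan code. One stack frame's shadow bytes are
   represented as a 64-byte array indexed by offset from frame_shadow_base,
   matching the offsets used in the bug report. All data is constructed. */

#define SHADOW_LEN 64

/* Word offsets the quoted prologue stores redzone patterns to. */
static const int kPrologueWords[] = {0, 4, 8, 12, 16, 24, 28};

static void prologue_poison(uint8_t *shadow)
{
    memset(shadow, 0, SHADOW_LEN);
    for (size_t i = 0; i < sizeof kPrologueWords / sizeof kPrologueWords[0]; i++) {
        /* Assumed redzone byte; any non-zero shadow byte means "poisoned". */
        uint32_t pattern = 0xf1f1f1f1u;
        memcpy(shadow + kPrologueWords[i], &pattern, 4);
    }
}

/* Epilogue exactly as quoted: a word-clearing loop that advances its base
   register r4, then a byte-clearing run whose start is computed from the
   already-advanced r4. */
static void epilogue_as_emitted(uint8_t *shadow)
{
    uint8_t *r4 = shadow;
    uint8_t *r3 = r4 + 20;            /* add r3, r4, #20 */
    do {                              /* .L1: */
        memset(r4, 0, 4);             /* str r2, [r4]      (r2 == 0) */
        r4 += 4;                      /* add r4, r4, #4 */
    } while (r4 < r3);                /* cmp r4, r3 ; bcc .L1 */

    r3 = r4 + 24;                     /* add r3, r4, #24   -- r4 is shadow + 20 here */
    for (int i = 0; i < 8; i++)       /* eight "strb r2, [r3] ; add r3, r3, #1" */
        *r3++ = 0;
}

/* The intended behaviour: both cleared ranges are addressed from the frame's
   shadow base, so the byte run covers the words the prologue poisoned at
   offsets 24 and 28. */
static void epilogue_intended(uint8_t *shadow)
{
    uint8_t *p = shadow;
    uint8_t *end = shadow + 20;
    while (p < end) {
        memset(p, 0, 4);
        p += 4;
    }
    uint8_t *q = shadow + 24;
    for (int i = 0; i < 8; i++)
        *q++ = 0;
}

/* Run prologue then the given epilogue; return a bitmask of shadow offsets
   that are still non-zero, i.e. redzone bytes that survive the return. */
static uint64_t leftover_poison(void (*epilogue)(uint8_t *))
{
    uint8_t shadow[SHADOW_LEN];
    prologue_poison(shadow);
    epilogue(shadow);
    uint64_t mask = 0;
    for (int i = 0; i < SHADOW_LEN; i++)
        if (shadow[i])
            mask |= (uint64_t)1 << i;
    return mask;
}

int main(void)
{
    printf("as emitted: leftover mask 0x%016llx\n",
           (unsigned long long)leftover_poison(epilogue_as_emitted));
    printf("intended:   leftover mask 0x%016llx\n",
           (unsigned long long)leftover_poison(epilogue_intended));
    return 0;
}
```

With the quoted sequence, offsets 24 through 31 stay poisoned after the frame is torn down; whatever is later placed at those stack addresses (another frame's locals, for instance) will be reported as a redzone access. Addressing the byte run from the original base clears everything the prologue poisoned.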

