[Bug target/96191] aarch64 stack_protect_test canary leak
cvs-commit at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Fri Aug 7 11:18:01 GMT 2020
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96191
--- Comment #8 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-9 branch has been updated by Richard Sandiford
<rsandifo@gcc.gnu.org>:
https://gcc.gnu.org/g:5380912a17ea09a8996720fb62b1a70c16c8f9f2
commit r9-8794-g5380912a17ea09a8996720fb62b1a70c16c8f9f2
Author: Richard Sandiford <richard.sandiford@arm.com>
Date: Fri Aug 7 12:17:37 2020 +0100
aarch64: Clear canary value after stack_protect_test [PR96191]
The stack_protect_test patterns were leaving the canary value in the
temporary register, meaning that it was often still in registers on
return from the function. An attacker might therefore have been
able to use it to defeat stack-smash protection for a later function.
gcc/
PR target/96191
* config/aarch64/aarch64.md (stack_protect_test_<mode>): Set the
CC register directly, instead of a GPR. Replace the original GPR
destination with an extra scratch register. Zero out operand 3
after use.
(stack_protect_test): Update accordingly.
gcc/testsuite/
PR target/96191
* gcc.target/aarch64/stack-protector-1.c: New test.
* gcc.target/aarch64/stack-protector-2.c: Likewise.
(cherry picked from commit fe1a26429038d7cd17abc53f96a6f3e2639b605f)
More information about the Gcc-bugs
mailing list