[llvm-bugs] [Bug 25610] New: -fstack-protector places the canary in the wrong place on arm64 with va_args,
via llvm-bugs
llvm-bugs at lists.llvm.org
Mon Nov 23 06:50:32 PST 2015
https://llvm.org/bugs/show_bug.cgi?id=25610
Bug ID: 25610
Summary: -fstack-protector places the canary in the wrong place on arm64 with va_args,
Product: libraries
Version: trunk
Hardware: PC
OS: FreeBSD
Status: NEW
Severity: normal
Priority: P
Component: Backend: AArch64
Assignee: unassignedbugs at nondot.org
Reporter: andrew at fubar.geek.nz
CC: llvm-bugs at lists.llvm.org
Classification: Unclassified
I found the stack may have an incorrect layout on AArch64 when using ssp. It
can place the canary value at a lower address than any arrays.
It appears to need the use of va_args, however I'm unsure if this is just to
adjust the stack size, or a requirement for the changed layout to be shown.
I've not tracked down why this is not crashing, however it seems to be affected
by optimisation level: at -O0 I get the expected crash, but at -O1 it
exits without detecting the buffer overflow.
When built with USE_VARARG defined and with optimisations the attached example
places the buf array at the top of the stack so there is no space above it. It
then places the canary below the array so if the bar function writes past the
end of buf it fails to detect it.
When building with USE_VARARG undefined, or with -O0 it crashes as expected.
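The invariant the report describes as broken is that the canary must sit above every local array, so that a write running off the end of an array hits the canary before it reaches the frame record. The following checker, added here as an illustration and not taken from the reporter's attachment or from LLVM, encodes that rule over a frame layout described as a list of slots. The two layouts it checks are constructed for the example (their offsets and sizes are assumptions, not real compiler output): one with the canary between the buffer and the saved fp/lr, and one shaped like the report, with buf at the top of the locals and the canary below it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kinds of slot in a modelled stack frame. */
enum slot_kind { SLOT_BUFFER, SLOT_CANARY, SLOT_OTHER };

/* One slot: byte offset from the frame's lowest address, size, label. */
struct slot {
    enum slot_kind kind;
    uint32_t offset;
    uint32_t size;
    const char *name;
};

/*
 * The invariant -fstack-protector relies on: every character array must
 * end at or below the address where the canary is stored, so that a write
 * running off the end of the array clobbers the canary before it can reach
 * the saved frame pointer / return address above it.
 * Returns true if the layout satisfies it; otherwise sets *offender to the
 * name of the first buffer that lies above (or overlaps) the canary.
 */
bool canary_guards_all_buffers(const struct slot *slots, size_t n,
                               const char **offender)
{
    bool have_canary = false;
    uint32_t canary_lo = 0;

    for (size_t i = 0; i < n; i++) {
        if (slots[i].kind == SLOT_CANARY) {
            have_canary = true;
            canary_lo = slots[i].offset;
        }
    }
    if (!have_canary) {
        *offender = "(no canary in frame)";
        return false;
    }
    for (size_t i = 0; i < n; i++) {
        if (slots[i].kind == SLOT_BUFFER &&
            slots[i].offset + slots[i].size > canary_lo) {
            *offender = slots[i].name;
            return false;
        }
    }
    *offender = NULL;
    return true;
}

/* Constructed layouts for illustration; offsets are from the low end of the
 * frame and are assumptions, not taken from any real compiler output. */

/* Layout SSP is supposed to produce: buf sits under the canary. */
static const struct slot expected_frame[] = {
    { SLOT_OTHER,   0, 16, "va_list register save area" },
    { SLOT_BUFFER, 16, 32, "buf" },
    { SLOT_CANARY, 48,  8, "canary" },
    { SLOT_OTHER,  56, 16, "saved fp / lr" },
};

/* Layout the report describes: buf at the top of the locals, canary below. */
static const struct slot reported_frame[] = {
    { SLOT_OTHER,   0, 16, "va_list register save area" },
    { SLOT_CANARY, 16,  8, "canary" },
    { SLOT_BUFFER, 24, 32, "buf" },
    { SLOT_OTHER,  56, 16, "saved fp / lr" },
};

#define LEN(a) (sizeof (a) / sizeof (a)[0])

/* Wrappers so each constructed layout can be checked by name. */
bool expected_frame_ok(void)
{
    const char *who;
    return canary_guards_all_buffers(expected_frame, LEN(expected_frame), &who);
}

bool reported_frame_ok(void)
{
    const char *who;
    return canary_guards_all_buffers(reported_frame, LEN(reported_frame), &who);
}

/* Name of the buffer that escapes the canary in the reported layout. */
const char *reported_frame_offender(void)
{
    const char *who = NULL;
    canary_guards_all_buffers(reported_frame, LEN(reported_frame), &who);
    return who;
}

int main(void)
{
    printf("expected layout guarded: %s\n", expected_frame_ok() ? "yes" : "no");
    printf("reported layout guarded: %s (offender: %s)\n",
           reported_frame_ok() ? "yes" : "no", reported_frame_offender());
    return 0;
}
```

To apply the check to a real frame, fill the slot table from the prologue of the compiled function (the offsets at which the canary is stored and the array is addressed relative to sp) at each optimisation level under comparison; the check is then the same regardless of target.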