<html>
    <head>
      <base href="https://llvm.org/bugs/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW " title="NEW --- - SafeStack: should not rely on nocapture function attribute" href="https://llvm.org/bugs/show_bug.cgi?id=24339">24339</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>SafeStack: should not rely on nocapture function attribute
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>libraries
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Miscellaneous Instrumentation passes
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>peter@pcc.me.uk
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvmbugs@cs.uiuc.edu
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Test case by Zoxc on IRC. The local a stays on the safe stack while we would
expect it to be moved to the unsafe stack because of the unsafe accesses in
"test".

$ cat foo.c
#include <stdio.h>

__attribute__((noinline))
void test(char *a) {
    *a = 3;
    a[0x2000] = 5; // I'm bad
}

__attribute__((noinline))
int main() {
    char a[0x1000];
    test(a);
    return 0;
}
$ ~/src/llvm-build-rel/bin/clang -fsanitize=safe-stack -S  -o - foo.c -O2
    .text
    .file    "gistfile1.c"
    .globl    test
    .align    16, 0x90
    .type    test,@function
test:                                   # @test
    .cfi_startproc
# BB#0:
    movb    $3, (%rdi)
    movb    $5, 8192(%rdi)
    retq
.Lfunc_end0:
    .size    test, .Lfunc_end0-test
    .cfi_endproc

    .globl    main
    .align    16, 0x90
    .type    main,@function
main:                                   # @main
    .cfi_startproc
# BB#0:
    subq    $4104, %rsp             # imm = 0x1008
.Ltmp0:
    .cfi_def_cfa_offset 4112
    leaq    (%rsp), %rdi
    callq    test
    xorl    %eax, %eax
    addq    $4104, %rsp             # imm = 0x1008
    retq
.Lfunc_end1:
    .size    main, .Lfunc_end1-main
    .cfi_endproc


    .ident    "clang version 3.8.0 (trunk 242286) (llvm/trunk 242423)"
    .section    ".note.GNU-stack","",@progbits

The underlying problem here is that we are marking the a parameter with the
nocapture attribute, and the safe stack pass assumes that locals passed as
nocapture parameters can be moved to the unsafe stack, as the callee cannot
leak the safe stack address. However, this attribute does not also imply that
the parameter cannot be accessed out of bounds, so we cannot rely only on the
presence of nocapture to keep locals on the unsafe stack.</pre>
        </div>
      </p>
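<p>The following is an added example, not code from the bug report or from LLVM. It models the safe stack and the unsafe stack as two heap regions, runs the callee from the report with the local placed on each, and counts how many bytes of the simulated safe stack outside the buffer the out-of-bounds store clobbered. The names safe_stack_damage, ON_SAFE_STACK/ON_UNSAFE_STACK, the region size and the buffer offset are assumptions of this example; only the callee body and the 0x1000-byte local come from the report. With the local left on the safe stack (what the assembly above shows clang doing), the store to a[0x2000] lands on the safe stack past the buffer, where return addresses and spills live; with the local moved to the unsafe stack, the safe stack is untouched even though the callee's parameter is still nocapture.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout of the simulated stack regions (assumed values for this example). */
#define REGION_SIZE 0x4000u   /* bytes in each simulated stack region */
#define BUF_BASE    0x1000u   /* offset of the 0x1000-byte local inside its region */
#define BUF_SIZE    0x1000u   /* sizeof(char a[0x1000]) in the report's main() */
#define OOB_OFFSET  0x2000u   /* the report's a[0x2000] store */
#define CANARY      0xAAu     /* fill pattern used to detect clobbered bytes */

enum placement { ON_SAFE_STACK, ON_UNSAFE_STACK };

/* The callee from the report: the pointer is never stored or returned, so the
 * optimizer marks the parameter nocapture, but the second store is out of
 * bounds. nocapture says nothing about where through the pointer is written. */
__attribute__((noinline))
static void test(char *a) {
    *a = 3;
    a[OOB_OFFSET] = 5; /* I'm bad */
}

/* Places the local either on the simulated safe stack or on the simulated
 * unsafe stack, runs test() on it, and returns the number of bytes of the
 * safe region outside the buffer that changed. Nonzero means the
 * out-of-bounds store reached memory the safe stack is supposed to protect
 * (return addresses, spills); (size_t)-1 signals an allocation failure. */
size_t safe_stack_damage(enum placement where) {
    uint8_t *safe = malloc(REGION_SIZE);
    uint8_t *unsafe = malloc(REGION_SIZE);
    if (safe == NULL || unsafe == NULL) {
        free(safe);
        free(unsafe);
        return (size_t)-1;
    }
    memset(safe, CANARY, REGION_SIZE);
    memset(unsafe, CANARY, REGION_SIZE);

    /* The pass's decision under test: which stack does the local live on? */
    uint8_t *region = (where == ON_SAFE_STACK) ? safe : unsafe;
    char *a = (char *)(region + BUF_BASE); /* char a[0x1000] from main() */

    test(a);

    /* Count clobbered bytes of the safe region, ignoring the buffer itself
     * when the buffer is the part of the safe region that was written legally. */
    size_t damage = 0;
    for (size_t i = 0; i < REGION_SIZE; i++) {
        int inside_buf = (where == ON_SAFE_STACK) &&
                         i >= BUF_BASE && i < BUF_BASE + BUF_SIZE;
        if (!inside_buf && safe[i] != CANARY)
            damage++;
    }
    free(safe);
    free(unsafe);
    return damage;
}

int main(void) {
    printf("local on safe stack:   %zu byte(s) of safe stack clobbered\n",
           safe_stack_damage(ON_SAFE_STACK));
    printf("local on unsafe stack: %zu byte(s) of safe stack clobbered\n",
           safe_stack_damage(ON_UNSAFE_STACK));
    return 0;
}
```

In the real binary from the report the frame is tighter than the simulation: main reserves 4104 bytes (subq $4104, %rsp) and the CFA offset is 4112, so the return address sits at %rsp+4104 and a store 0x2000 bytes into the buffer lands beyond it in the caller's frame. The exact slot hit is incidental; the point is that any local a callee may index out of bounds has to leave the safe stack, and nocapture alone cannot establish that it will not.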
    </body>
</html>