<html>
    <head>
      <base href="https://llvm.org/bugs/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW --- - -fstack-protector places the canary in the wrong place on arm64 with va_args," href="https://llvm.org/bugs/show_bug.cgi?id=25610">25610</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>-fstack-protector places the canary in the wrong place on arm64 with va_args,
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>libraries
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>FreeBSD
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Backend: AArch64
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>andrew@fubar.geek.nz
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr></table>
      <p>
        <div>
        <pre>I found the stack may have an incorrect layout on AArch64 when using ssp. It
can place the canary value at a lower address than any arrays.

It appears to need the use of va_args, however I'm unsure if this is just to
adjust the stack size, or a requirement for the changed layout to be shown.

I've not tracked down why this is not crashing; however, it seems to be affected
by optimisation level, as at -O0 I get the expected crash, whereas at -O1 it
exits without detecting the buffer overflow.

When built with USE_VARARG defined and with optimisations the attached example
places the buf array at the top of the stack so there is no space above it. It
then places the canary below the array so if the bar function writes past the
end of buf it fails to detect it.

When building with USE_VARARG undefined, or with -O0 it crashes as expected.</pre>
        </div>
      </p>
    </body>
</html>