<html>
<head>
<base href="https://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - sspstrong and sspreq use generate incorrect frame layout with alloca and VLAs"
href="https://llvm.org/bugs/show_bug.cgi?id=28663">28663</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>sspstrong and sspreq use generate incorrect frame layout with alloca and VLAs
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Common Code Generator Code
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>danielmicay@gmail.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=16793" name="attach_16793" title="[PATCH] stop short-circuiting the SSP code for sspstrong">attachment 16793</a> <a href="attachment.cgi?id=16793&action=edit" title="[PATCH] stop short-circuiting the SSP code for sspstrong">[details]</a></span>
[PATCH] stop short-circuiting the SSP code for sspstrong
The StackProtector::RequiresStackProtector method is supposed to add layout
information for alloca instructions that need to be protected by the canary.
This is supposed to protect normal local variables (including function
pointers, etc.) from linear overflows.
However, this method contains an early return for sspstrong and sspreq in the
code for handling calls to alloca and variable length arrays (not regular
arrays, with the IR Clang generates):
// SSP-Strong: Enable protectors for any call to alloca, regardless
// of size.
if (Strong)
return true;
The method has special handling for sspstrong/sspreq following this early
return, but it's not being used. It ends up returning early, resulting in the
function being protected with a canary but without marking the arrays it's
trying to protect (not only the alloca/VLA triggering the issue) so they get
treated as normal local variables.
I've attached a patch removing this early return.
Example of how the code output changes (at -O0):
#include <string.h>
#include <alloca.h>
int foo(char *bar) {
    char *buf = alloca(20);
    strcpy(buf, bar);
    return strlen(buf);
}
--- old_x86.s 2016-07-22 08:44:37.534862251 -0400
+++ new_x86.s 2016-07-22 08:44:18.778486803 -0400
@@ -17,12 +17,12 @@
subq $48, %rsp
movq %fs:40, %rax
movq %rax, -8(%rbp)
- movq %rdi, -24(%rbp)
- leaq -44(%rbp), %rdi
- movq %rdi, -16(%rbp)
- movq -24(%rbp), %rsi
+ movq %rdi, -48(%rbp)
+ leaq -28(%rbp), %rdi
+ movq %rdi, -40(%rbp)
+ movq -48(%rbp), %rsi
callq strcpy
- movq -16(%rbp), %rdi
+ movq -40(%rbp), %rdi
callq strlen
movq %fs:40, %rcx
cmpq -8(%rbp), %rcx</pre>
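<p>Review bot: the attached patch should come with a CodeGen regression test for the sspstrong/sspreq + alloca (and VLA) case, since the hunk shows only the -O0 assembly before and after and the StackProtector::RequiresStackProtector change itself is not visible here. The listing does confirm the intended layout fix: before the patch the 20-byte alloca buffer sits at -44(%rbp), below the two pointer slots at -24(%rbp) and -16(%rbp), so a linear overflow overwrites both pointers before it reaches the canary at -8(%rbp); after the patch the buffer is at -28(%rbp) and ends exactly at the canary slot, with the pointer slots moved below it to -48(%rbp) and -40(%rbp). The frame size (<code>subq $48, %rsp</code>) is unchanged, so the fix is purely a reordering of slots.</p>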
</div>
</p>
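<p>Added example, not part of the report or of LLVM: a small Python checker that recovers the rbp-relative frame layout from -O0 listings like the ones above and reports whether the alloca'd buffer ends directly at the canary or whether other spill slots lie between them. The two listings are constructed from the report's diff and the 20-byte buffer size is taken from the <code>alloca(20)</code> in the C sample.</p>

```python
import re

# Constructed sample input: the frame-setup lines of the -O0 x86-64 listings
# in the report, before (OLD_ASM) and after (NEW_ASM) the attached patch.
OLD_ASM = """movq %fs:40, %rax
movq %rax, -8(%rbp)
movq %rdi, -24(%rbp)
leaq -44(%rbp), %rdi
movq %rdi, -16(%rbp)
movq -24(%rbp), %rsi"""
NEW_ASM = """movq %fs:40, %rax
movq %rax, -8(%rbp)
movq %rdi, -48(%rbp)
leaq -28(%rbp), %rdi
movq %rdi, -40(%rbp)
movq -48(%rbp), %rsi"""

CANARY_LOAD = re.compile(r'^\s*movq\s+%fs:40,\s*(%\w+)')     # canary -> reg
STORE = re.compile(r'^\s*movq\s+(%\w+),\s*(-\d+)\(%rbp\)')    # reg -> slot
LEA = re.compile(r'^\s*leaq\s+(-\d+)\(%rbp\),')               # &buffer -> reg

def parse_frame(asm, buf_size):
    """Recover the canary slot, the buffer's [lo, hi) range and other slots."""
    canary = canary_reg = buf_lo = None
    slots = set()
    for line in asm.splitlines():
        m = CANARY_LOAD.match(line)
        if m:
            canary_reg = m.group(1)
        elif (m := STORE.match(line)):
            reg, off = m.group(1), int(m.group(2))
            if canary is None and reg == canary_reg:
                canary = off          # first store of the loaded canary value
            else:
                slots.add(off)        # a pointer/scalar local spilled here
        elif (m := LEA.match(line)) and buf_lo is None:
            buf_lo = int(m.group(1))  # address handed back by alloca
    if canary is None or buf_lo is None:
        raise ValueError("no canary store or no alloca address in listing")
    return {"canary": canary, "buf_lo": buf_lo,
            "buf_hi": buf_lo + buf_size, "slots": sorted(slots)}

def exposed_slots(frame):
    """Slots a linear overflow of the buffer overwrites before the canary."""
    return [s for s in frame["slots"] if frame["buf_lo"] <= s < frame["canary"]]

def canary_guards_buffer(frame):
    """True when the buffer ends exactly at the canary with nothing between."""
    return frame["buf_hi"] == frame["canary"] and not exposed_slots(frame)
```

<p>Run on the old listing the checker reports the two pointer slots (-24 and -16) as exposed; on the new listing it reports none and confirms the buffer abuts the canary.</p>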
</body>
</html>