<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_NEW" title="NEW - Potential leak of stack canary" href="https://bugs.llvm.org/show_bug.cgi?id=50467">50467</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Potential leak of stack canary
</td>
</tr>
<tr>
<th>Product</th>
<td>new-bugs
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>new bugs
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>thibaut.sautereau@ssi.gouv.fr
</td>
</tr>
<tr>
<th>CC</th>
<td>htmldeveloper@gmail.com, llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>I was reading an email [1] about a leak of the canary value in the GCC
implementation of -fstack-protector on AArch64 and RISC-V, both of which were
later fixed [2]. Then I decided to check Clang's own recent implementation for
AArch64 [3] and it seems the same issue exists: see this godbolt snippet [4],
which shows that x9 still contains the canary value right before function
return, whereas GCC, starting from 10.3, would add a `mov x9, 0` to clear it.
Also, if I'm not mistaken, the x86_64 version can similarly leak the canary
value.

[1] <a href="https://gcc.gnu.org/pipermail/gcc-patches/2020-July/549910.html">https://gcc.gnu.org/pipermail/gcc-patches/2020-July/549910.html</a>
[2] <a href="https://github.com/gcc-mirror/gcc/commit/fe1a26429038d7cd17abc53f96a6f3e2639b605f">https://github.com/gcc-mirror/gcc/commit/fe1a26429038d7cd17abc53f96a6f3e2639b605f</a>
[3] <a href="https://github.com/llvm/llvm-project/commit/0f417789192e74f9d2fad0f6aee4efc394257176">https://github.com/llvm/llvm-project/commit/0f417789192e74f9d2fad0f6aee4efc394257176</a>
[4] <a href="https://godbolt.org/z/aq5v8o3Mo">https://godbolt.org/z/aq5v8o3Mo</a></pre>
</div>
</p>
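<p>Added example, not part of the original report and not LLVM or GCC code: a straight-line scan of an AArch64 listing that reports which registers still hold the guard value at each ret, the condition the report describes. The listing is constructed, and the non-PIC adrp/ldr access to __stack_chk_guard and the names canary_residue, reg_num, LEAKY and CLEARED are assumptions.</p>
<pre>
```python
import re
GUARD = "__stack_chk_guard"  # assumed guard symbol, non-PIC adrp/ldr addressing
NO_WRITE = {"cmp", "cmn", "tst", "b", "bl", "br", "blr", "cbz", "cbnz", "stp", "nop"}

def reg_num(operand):
    """Map x9 or w9 to 9; None for sp, xzr, immediates and symbols."""
    m = re.fullmatch(r"[xw](\d+)", operand)
    return int(m.group(1)) if m else None

def canary_residue(asm, guard=GUARD):
    """List, per `ret`, registers still holding the guard (branches not followed)."""
    regs, slots, findings = set(), set(), []
    for raw in asm.splitlines():
        op, _, rest = raw.split("//")[0].strip().partition(" ")
        if not op or op.endswith(":") or op.startswith("."):
            continue  # blank line, label or assembler directive
        mem = re.search(r"\[(.*?)\]", rest)
        addr = mem.group(1).replace(" ", "") if mem else ""
        ops = [o.strip() for o in rest.split("[")[0].split(",") if o.strip()]
        if op == "ret" and regs:
            findings.append(sorted("x%d" % r for r in regs))
        elif op in ("str", "stur"):
            # spilling the canary taints the slot; any other store cleans it
            (slots.add if reg_num(ops[0]) in regs else slots.discard)(addr)
        elif op in ("ldr", "ldur"):
            dst = reg_num(ops[0])
            if dst is not None:
                holds = addr in slots or (":lo12:" + guard) in addr
                (regs.add if holds else regs.discard)(dst)
        elif op not in NO_WRITE and not op.startswith("b."):
            # every other instruction overwrites its destination register(s)
            for o in ops[:2] if op == "ldp" else ops[:1]:
                regs.discard(reg_num(o))
    return findings

# Constructed listing in the shape described in the report, not compiler output.
LEAKY = """
    adrp x8, __stack_chk_guard
    ldr x8, [x8, :lo12:__stack_chk_guard]
    stur x8, [x29, #-8]
    adrp x9, __stack_chk_guard
    ldur x8, [x29, #-8]
    ldr x9, [x9, :lo12:__stack_chk_guard]
    cmp x9, x8
    b.ne .Lfail
    ldp x29, x30, [sp, #32]
    ret
"""
CLEARED = LEAKY.replace("    ret", "    mov x8, 0\n    mov x9, 0\n    ret")
```
</pre>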
</body>
</html>