[LLVMbugs] [Bug 24339] New: SafeStack: should not rely on nocapture function attribute
bugzilla-daemon at llvm.org
Sun Aug 2 20:26:27 PDT 2015
https://llvm.org/bugs/show_bug.cgi?id=24339
Bug ID: 24339
Summary: SafeStack: should not rely on nocapture function attribute
Product: libraries
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: Miscellaneous Instrumentation passes
Assignee: unassignedbugs at nondot.org
Reporter: peter at pcc.me.uk
CC: llvmbugs at cs.uiuc.edu
Classification: Unclassified
Test case by Zoxc on IRC. The local `a` stays on the safe stack, while we would
expect it to be moved to the unsafe stack because of the unsafe accesses in
"test".
$ cat foo.c
#include <stdio.h>

__attribute__((noinline))
void test(char *a) {
    *a = 3;
    a[0x2000] = 5; // I'm bad: out-of-bounds store, well past the 0x1000-byte buffer
}

__attribute__((noinline))
int main() {
    char a[0x1000];   // only use of a's address is the call below
    test(a);
    return 0;
}
$ ~/src/llvm-build-rel/bin/clang -fsanitize=safe-stack -S -o - foo.c -O2
        .text
        .file   "gistfile1.c"
        .globl  test
        .align  16, 0x90
        .type   test,@function
test:                                   # @test
        .cfi_startproc
# BB#0:
        movb    $3, (%rdi)
        movb    $5, 8192(%rdi)
        retq
.Lfunc_end0:
        .size   test, .Lfunc_end0-test
        .cfi_endproc

        .globl  main
        .align  16, 0x90
        .type   main,@function
main:                                   # @main
        .cfi_startproc
# BB#0:
        subq    $4104, %rsp             # imm = 0x1008
.Ltmp0:
        .cfi_def_cfa_offset 4112
        leaq    (%rsp), %rdi
        callq   test
        xorl    %eax, %eax
        addq    $4104, %rsp             # imm = 0x1008
        retq
.Lfunc_end1:
        .size   main, .Lfunc_end1-main
        .cfi_endproc

        .ident  "clang version 3.8.0 (trunk 242286) (llvm/trunk 242423)"
        .section        ".note.GNU-stack","",@progbits
The underlying problem here is that we are marking the a parameter with the
nocapture attribute, and the safe stack pass assumes that locals passed as
nocapture parameters can be moved to the unsafe stack, as the callee cannot
leak the safe stack address. However, this attribute does not also imply that
the parameter cannot be accessed out of bounds, so we cannot rely only on the
presence of nocapture to keep locals on the unsafe stack.
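An added model of the placement decision the report describes (example code, not LLVM's SafeStack pass): `Call` and `Alloca` are constructed stand-ins for an IR call site and a local, `buggy_is_safe` encodes the nocapture-only rule from the report, and `conservative_is_safe` is a stricter rule assumed here for illustration (a pointer passed to a call is only trusted when the callee cannot touch memory through it, or when it is a memory intrinsic whose constant size fits the object), not necessarily the fix that landed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Call:
    """One call site that receives the alloca's address (constructed model)."""
    callee: str
    nocapture: bool                  # parameter carries the nocapture attribute
    readnone: bool = False           # callee provably never accesses memory through it
    memintrinsic_size: Optional[int] = None  # llvm.memset/memcpy with a constant byte size

@dataclass
class Alloca:
    """A local variable plus everything the function does with its address."""
    name: str
    size: int                        # bytes
    calls: list = field(default_factory=list)
    direct_accesses_in_bounds: bool = True  # loads/stores in this function are in range

def buggy_is_safe(a: Alloca) -> bool:
    """Rule from the report: nocapture alone is taken to mean the callee
    cannot harm the safe stack, so the local is left there."""
    if not a.direct_accesses_in_bounds:
        return False
    return all(c.nocapture for c in a.calls)

def conservative_is_safe(a: Alloca) -> bool:
    """Assumed stricter rule: nocapture says nothing about bounds, so a
    pointer handed to a call is only safe if the callee cannot access memory
    through it at all, or if it is a memory intrinsic whose constant size
    fits inside the object. Everything else moves to the unsafe stack."""
    if not a.direct_accesses_in_bounds:
        return False
    for c in a.calls:
        if c.memintrinsic_size is not None:
            if c.memintrinsic_size > a.size:
                return False          # constant-size overflow, e.g. memset(a, 0, 0x2000)
            continue
        if not (c.nocapture and c.readnone):
            return False              # callee may read/write through it with unknown bounds
    return True

# The report's test case: char a[0x1000] passed only to test(), whose parameter
# is inferred nocapture at -O2, while test() stores to a[0x2000].
BUG_CASE = Alloca("a", 0x1000, [Call("test", nocapture=True)])

def placement(rule, a: Alloca) -> str:
    return "safe stack" if rule(a) else "unsafe stack"
```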