[llvm-bugs] [Bug 43308] New: StackProtector - stack violation not caught
via llvm-bugs
llvm-bugs at lists.llvm.org
Fri Sep 13 07:59:10 PDT 2019
https://bugs.llvm.org/show_bug.cgi?id=43308
Bug ID: 43308
Summary: StackProtector - stack violation not caught
Product: libraries
Version: trunk
Hardware: PC
OS: Windows NT
Status: NEW
Severity: enhancement
Priority: P
Component: Common Code Generator Code
Assignee: unassignedbugs at nondot.org
Reporter: rob.lougher at gmail.com
CC: llvm-bugs at lists.llvm.org
The following simple program corrupts the stack:
================= ssp.c ==================
#include <string.h>

__attribute__((__noinline__))
void bar(int *p) {
  memset(p, 0, 100);
}

int main() {
  int i;
  bar(&i);
}
==========================================
If this is compiled at -O0 with strong protection, the violation is caught:
$ clang ssp.c -o ssp -O0 -fstack-protector-strong
$ ./ssp
*** stack smashing detected ***: <unknown> terminated
Aborted (core dumped)
However, if it is compiled at -O1 or above, no violation is detected and the program crashes with a SIGSEGV (return to address 0):
$ clang ssp.c -o ssp -O1 -fstack-protector-strong
$ ./ssp
Segmentation fault (core dumped)
The regression was introduced by commit r363169, which changed the stack
protector to use PointerMayBeCaptured.
This routine is inappropriate for SSP use, as protection is needed in cases
where a pointer is not captured.
If we look at the IR for the above program, we see that the pointer parameter
to bar() is marked as "nocapture" (i.e. it does not outlive the call). This
means that although it is used to corrupt the stack, after r363169 main() is no
longer considered to need a stack check.
define dso_local void @bar(i32* nocapture %p) local_unnamed_addr #0 {
entry:
  %0 = bitcast i32* %p to i8*
  tail call void @llvm.memset.p0i8.i64(i8* align 4 dereferenceable(100) %0, i8 0, i64 100, i1 false)
  ret void
}

define dso_local i32 @main() local_unnamed_addr #2 {
entry:
  %i = alloca i32, align 4
  %0 = bitcast i32* %i to i8*
  call void @llvm.lifetime.start.p0i8(i64 4, i8* nonnull %0) #3
  call void @bar(i32* nonnull %i)
  call void @llvm.lifetime.end.p0i8(i64 4, i8* nonnull %0) #3
  ret i32 0
}
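As an added example (not from the bug report or from LLVM), a small toolchain check for the behaviour described above: it scans clang's -S output and reports whether main references the stack guard, so a build can be tested for this regression at each optimisation level. The names has_stack_check, check_level and sample_asm are chosen here, and the check assumes Linux x86-64 ELF assembly.

```shell
#!/bin/sh
# Added example (not part of the bug report or of LLVM): a toolchain check that
# reports whether clang emitted a stack-protector guard for a function, by
# scanning textual assembly (-S) output for the canary load and the
# __stack_chk_fail call. Assumes Linux x86-64 ELF output: label "main:",
# canary read from %fs:40, each body closed by an ".Lfunc_endN:" label.

# has_stack_check FUNC ASMFILE: exit 0 if FUNC's body is guarded, 1 if not.
has_stack_check() {
    awk -v f="$1" '
        $0 ~ ("^" f ":")         { inside = 1; next }   # entered the function body
        inside && /^\.Lfunc_end/ { inside = 0 }         # LLVM closes each body here
        inside && (/__stack_chk_fail/ || /__stack_chk_guard/ || /%fs:40/) { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# check_level OPT SRC: compile SRC at -O$OPT with -fstack-protector-strong and
# report whether main() got a guard. Needs clang on PATH; returns 2 otherwise.
check_level() {
    tmp=$(mktemp) || return 2
    clang -S -O"$1" -fstack-protector-strong -o "$tmp" "$2" || { rm -f "$tmp"; return 2; }
    if has_stack_check main "$tmp"; then echo "-O$1: main guarded"
    else echo "-O$1: main NOT guarded"; fi
    rm -f "$tmp"
}

# sample_asm guarded|unguarded: constructed assembly modelled on what clang
# produces for the ssp.c main() above at -O0 and at -O1 respectively, so the
# check can be exercised offline without a compiler.
sample_asm() {
    printf '%s\n' 'main:' '    .cfi_startproc'
    if [ "$1" = guarded ]; then
        printf '%s\n' '    movq    %fs:40, %rax' '    movq    %rax, 8(%rsp)' '    callq   bar' \
            '    movq    %fs:40, %rax' '    cmpq    8(%rsp), %rax' '    jne     .LBB1_2' '    retq' \
            '.LBB1_2:' '    callq   __stack_chk_fail'
    else
        printf '%s\n' '    pushq   %rax' '    leaq    4(%rsp), %rdi' '    callq   bar' '    popq    %rcx' '    retq'
    fi
    printf '%s\n' '.Lfunc_end1:' '    .size   main, .Lfunc_end1-main'
}

# Usage: sh check_ssp.sh ssp.c  (compiles at -O0, -O1, -O2 when clang is present)
if [ -n "$1" ] && command -v clang >/dev/null 2>&1; then
    for opt in 0 1 2; do check_level "$opt" "$1"; done
fi
```

On an affected compiler the run prints "main guarded" for -O0 and "main NOT guarded" for -O1 and -O2, matching the behaviour reported above.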