[PATCH] D44077: Clear the stack protector after checking it
Sebastian Neubauer via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Sun Mar 4 07:11:32 PST 2018
Flakebi created this revision.
Flakebi added a reviewer: lattner.
Herald added a subscriber: llvm-commits.
SSPs cannot be leaked from the stack through uninitialized memory anymore, because they are removed after they are used.
This makes it harder in some cases for attackers to circumvent SSPs, and it has no (measurable) performance cost.
I developed this patch as part of my bachelor's thesis. Therefore I measured the performance impact in a microbenchmark, which called a function with an SSP in a loop
(the benchmark executable did nothing else; the function wrote a single value into a stack-local array so that the SSP was generated).
In this benchmark, no change in performance was visible; it took as long as before.
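The leak the description refers to, as an added example that is not part of the patch or of LLVM: a fixed byte array models the machine stack, frames are carved from its top and nothing is wiped on return, so a protected function's guard slot is still readable by the next callee's uninitialized local unless the epilogue zeroes it. The guard value, frame layout and function names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the patch's code: a deterministic model of the leak the
 * patch closes. A fixed byte array stands in for the machine stack; frames are
 * carved from its top and, as on a real stack, nothing is wiped on return. */
#define SIM_STACK_SIZE 256
static uint8_t sim_stack[SIM_STACK_SIZE];
static size_t sim_sp = SIM_STACK_SIZE;

/* Constructed guard value; plays the role of the global stack guard that the
 * prologue copies into each protected frame. */
#define STACK_GUARD 0x1122334455667700ULL

#define BUF_SIZE 16
#define FRAME_SIZE (BUF_SIZE + sizeof(uint64_t))

static uint8_t *frame_push(void) { sim_sp -= FRAME_SIZE; return sim_stack + sim_sp; }
static void frame_pop(void) { sim_sp += FRAME_SIZE; }

/* A function with a character buffer, so it gets a stack protector. The guard
 * slot sits above the buffer, between the locals and the saved return address.
 * Returns 1 if the epilogue check passed. */
static int protected_callee(int clear_after_check)
{
    uint8_t *frame = frame_push();
    char *buf = (char *)frame;             /* local char buf[BUF_SIZE] */
    uint8_t *slot = frame + BUF_SIZE;      /* the StackGuardSlot */
    uint64_t guard = STACK_GUARD, seen, zero = 0;
    int ok;

    memcpy(slot, &guard, sizeof guard);    /* prologue: store guard into slot */
    strcpy(buf, "hello");                  /* ordinary, in-bounds use of buf */

    memcpy(&seen, slot, sizeof seen);      /* epilogue: load slot, compare */
    ok = (seen == STACK_GUARD);
    if (clear_after_check)
        memcpy(slot, &zero, sizeof zero);  /* the store the patch adds */
    frame_pop();
    return ok;
}

/* The next callee reuses the same stack region. Its uninitialized local
 * overlaps the dead guard slot, so it observes whatever was left there. */
static uint64_t uninitialized_reader(void)
{
    uint8_t *frame = frame_push();
    uint64_t local;                        /* "uninitialized": stale bytes */
    memcpy(&local, frame + BUF_SIZE, sizeof local);
    frame_pop();
    return local;
}

/* Run a protected call followed by a call that reads its uninitialized local;
 * returns what the second call observed (the guard, or 0 once it is cleared). */
uint64_t leaked_after_call(int clear_after_check)
{
    protected_callee(clear_after_check);
    return uninitialized_reader();
}

/* The clearing store must not affect the check itself. */
int guard_check_passes(int clear_after_check)
{
    return protected_callee(clear_after_check);
}
```

In the model the cleared slot is a global array that is read again later, so the compiler keeps the zeroing store. In real code the slot is never read after the comparison, so a plain store would be dead and removable; that is why the patch passes `true` as the third argument of `CreateStore`, making the store volatile. Note that only the stack slot is cleared; a copy of the guard that the comparison loaded into a register is not touched by this change.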
Repository:
rL LLVM
https://reviews.llvm.org/D44077
Files:
lib/CodeGen/SafeStack.cpp
lib/CodeGen/StackProtector.cpp
Index: lib/CodeGen/StackProtector.cpp
===================================================================
--- lib/CodeGen/StackProtector.cpp
+++ lib/CodeGen/StackProtector.cpp
@@ -445,6 +445,7 @@
// %1 = <stack guard>
// %2 = load StackGuardSlot
// %3 = cmp i1 %1, %2
+ // store 0, StackGuardSlot
// br i1 %3, label %SP_return, label %CallStackCheckFailBlk
//
// SP_return:
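Review bot: the new comment line `// store 0, StackGuardSlot` correctly places the store between the `cmp` and the `br`, but it should also say that the store is volatile; the slot is never read again after the comparison, so a non-volatile store would be a dead store the optimizer is free to delete, and the `true` argument passed to `CreateStore` below is what keeps it. Something like `// store volatile 0, StackGuardSlot` would make the intent survive future edits.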
@@ -480,6 +481,9 @@
Value *Guard = getStackGuard(TLI, M, B);
LoadInst *LI2 = B.CreateLoad(AI, true);
Value *Cmp = B.CreateICmpEQ(Guard, LI2);
+ PointerType *GuardPtrType = dyn_cast<PointerType>(Guard->getType());
+ // Zero the protector after it was checked to prohibit leaks.
+ B.CreateStore(ConstantPointerNull::get(GuardPtrType), AI, true);
auto SuccessProb =
BranchProbabilityInfo::getBranchProbStackProtector(true);
auto FailureProb =
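Review bot: `dyn_cast<PointerType>(Guard->getType())` on the first added line is passed straight to `ConstantPointerNull::get` without a null check; if the guard is always a pointer here, use `cast<PointerType>` so the assumption is asserted in debug builds, otherwise handle the non-pointer case explicitly. The comment "Zero the protector after it was checked to prohibit leaks" would also read better as "Zero the guard slot after it has been checked so the value cannot leak through uninitialized stack memory", and it is worth noting there that the store is emitted before the `br`, so the slot is cleared on both the success and the failure path.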
Index: lib/CodeGen/SafeStack.cpp
===================================================================
--- lib/CodeGen/SafeStack.cpp
+++ lib/CodeGen/SafeStack.cpp
@@ -459,6 +459,9 @@
AllocaInst *StackGuardSlot, Value *StackGuard) {
Value *V = IRB.CreateLoad(StackGuardSlot);
Value *Cmp = IRB.CreateICmpNE(StackGuard, V);
+ PointerType *GuardPtrType = dyn_cast<PointerType>(StackGuard->getType());
+ // Zero the protector after it was checked to prohibit leaks.
+ IRB.CreateStore(ConstantPointerNull::get(GuardPtrType), StackGuardSlot, true);
auto SuccessProb = BranchProbabilityInfo::getBranchProbStackProtector(true);
auto FailureProb = BranchProbabilityInfo::getBranchProbStackProtector(false);
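Review bot: same unchecked `dyn_cast<PointerType>` here as in StackProtector.cpp; use `cast<PointerType>` or check the result before calling `ConstantPointerNull::get`. The load on the line above (`IRB.CreateLoad(StackGuardSlot)`) is non-volatile while the new store is volatile, which is fine since only the store is dead, but a short comment saying why the store needs `true` would help the next reader. Since these three lines are now duplicated verbatim in both passes, a small shared helper that takes the IRBuilder, the guard value and the slot would keep the two in sync.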