[PATCH] D44077: Clear the stack protector after checking it

Sebastian Neubauer via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Sun Mar 4 07:11:32 PST 2018


Flakebi created this revision.
Flakebi added a reviewer: lattner.
Herald added a subscriber: llvm-commits.

SSPs cannot be leaked from the stack through uninitialized memory anymore, because they are removed after they are used.
In some cases this makes it harder for attackers to circumvent SSPs, and it has no (measurable) performance cost.

I developed this patch as part of my bachelor thesis. Therefore I measured the performance impact in a microbenchmark, which called a function with an SSP in a loop
(the benchmark executable did nothing else; the function wrote a single value into a stack-local array so the SSP was generated).
In this benchmark, no change in performance was visible; it took as long as before.


Repository:
  rL LLVM

https://reviews.llvm.org/D44077

Files:
  lib/CodeGen/SafeStack.cpp
  lib/CodeGen/StackProtector.cpp


Index: lib/CodeGen/StackProtector.cpp
===================================================================
--- lib/CodeGen/StackProtector.cpp
+++ lib/CodeGen/StackProtector.cpp
@@ -445,6 +445,7 @@
       //     %1 = <stack guard>
       //     %2 = load StackGuardSlot
       //     %3 = cmp i1 %1, %2
+      //     store 0, StackGuardSlot
       //     br i1 %3, label %SP_return, label %CallStackCheckFailBlk
       //
       //   SP_return:
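Review bot: the IR sketch's new line `store 0, StackGuardSlot` does not match what the code emits, which is a volatile store of a null pointer constant (`B.CreateStore(ConstantPointerNull::get(GuardPtrType), AI, true)`); write the sketch as `store volatile ptr null, StackGuardSlot` so that the comment documents the volatility, since that is what keeps the store from being dropped as a dead store to a slot that is never read again before the function returns.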
@@ -480,6 +481,9 @@
       Value *Guard = getStackGuard(TLI, M, B);
       LoadInst *LI2 = B.CreateLoad(AI, true);
       Value *Cmp = B.CreateICmpEQ(Guard, LI2);
+      PointerType *GuardPtrType = dyn_cast<PointerType>(Guard->getType());
+      // Zero the protector after it was checked to prohibit leaks.
+      B.CreateStore(ConstantPointerNull::get(GuardPtrType), AI, true);
       auto SuccessProb =
           BranchProbabilityInfo::getBranchProbStackProtector(true);
       auto FailureProb =
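Review bot: `dyn_cast<PointerType>(Guard->getType())` can return nullptr and the result is passed unchecked into `ConstantPointerNull::get`; the guard value is required to be a pointer here, so use `cast<PointerType>` (which asserts on a type mismatch) rather than a `dyn_cast` whose null result would be dereferenced. Note also that the store is inserted between the compare and the branch, so the slot is cleared on both the `SP_return` and `CallStackCheckFailBlk` paths, which matches the sketch above; the change would benefit from an IR test (none is listed under Files) checking that the volatile null store appears after the `icmp` and before the `br`.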
Index: lib/CodeGen/SafeStack.cpp
===================================================================
--- lib/CodeGen/SafeStack.cpp
+++ lib/CodeGen/SafeStack.cpp
@@ -459,6 +459,9 @@
                                 AllocaInst *StackGuardSlot, Value *StackGuard) {
   Value *V = IRB.CreateLoad(StackGuardSlot);
   Value *Cmp = IRB.CreateICmpNE(StackGuard, V);
+  PointerType *GuardPtrType = dyn_cast<PointerType>(StackGuard->getType());
+  // Zero the protector after it was checked to prohibit leaks.
+  IRB.CreateStore(ConstantPointerNull::get(GuardPtrType), StackGuardSlot, true);
 
   auto SuccessProb = BranchProbabilityInfo::getBranchProbStackProtector(true);
   auto FailureProb = BranchProbabilityInfo::getBranchProbStackProtector(false);
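Review bot: same unchecked `dyn_cast<PointerType>` as in StackProtector.cpp; use `cast<PointerType>` on `StackGuard->getType()` so a non-pointer guard asserts instead of passing nullptr to `ConstantPointerNull::get`. The three added lines are identical to the StackProtector hunk apart from the variable names; consider a small shared helper, or at least a comment in each pass that the clearing store must stay in sync with the other, and be consistent about volatility here: the new store is volatile while the existing `IRB.CreateLoad(StackGuardSlot)` two lines above is not.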


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D44077.136937.patch
Type: text/x-patch
Size: 1689 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20180304/ff83a154/attachment.bin>