[valgrind] [Bug 479997] Segmentation fault on 32bit arm checking programs built with -fstack-clash-protection or -fstack-check

Fri, 26 Jan 2024 06:04:02 -0800 

https://bugs.kde.org/show_bug.cgi?id=479997

Adhemerval Zanella <zatr...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zatr...@gmail.com

--- Comment #1 from Adhemerval Zanella <zatr...@gmail.com> ---
This is issue is similar to https://bugs.kde.org/show_bug.cgi?id=479996 , where
gcc does not really support arm32 -fstack-clash-support. Its own testsuite
defines:

gcc/testsuite/lib/target-supports.exp
---
12587 # Return 1 if the target has support for stack probing designed
12588 # to avoid stack-clash style attacks.
12589 #
12590 # This is used to restrict the stack-clash mitigation tests to
12591 # just those targets that have been explicitly supported.
12592 #
12593 # In addition to the prologue work on those targets, each target's
12594 # properties should be described in the functions below so that
12595 # tests do not become a mess of unreadable target conditions.
12596 #
12597 proc check_effective_target_supports_stack_clash_protection { } {
12598
12599     if { [istarget x86_64-*-*] || [istarget i?86-*-*]
12600           || [istarget powerpc*-*-*] || [istarget rs6000*-*-*]
12601           || [istarget aarch64*-**] || [istarget s390*-*-*]
12602           || [istarget loongarch64*-**] } {
12603         return 1
12604     }
12605   return 0
12606 }
----

Although the option does not throw any frontend error, gcc uses the
-fstack-check support by just changing the probing size from 8192 to 4096.
Using the provided example:

With -fstack-check:
---
[...]
main:
        push    {r7, lr}
        mov     ip, #8192
        sub     ip, sp, ip
        str     r0, [ip, #4088]
        add     r7, sp, #0
        bl      a_function
        movs    r3, #0
        mov     r0, r3
        pop     {r7, pc}
---

And with '-fstack-clash-protection':
---
main:
        push    {r7, lr}
        mov     ip, #4096
        sub     ip, sp, ip
        str     r0, [ip, #4088]
        add     r7, sp, #0
        bl      a_function
        movs    r3, #0
        mov     r0, r3
        pop     {r7, pc}
---

So the stack pointer is not really updated while doing the probing, which
generates an invalid memory access by valgrind. So one option to fix would be
to either adjust arm32 code generation to always update and rollback SP, as
x86_64; or proper implement -fstack-clash-protection.

-- 
You are receiving this mail because:
You are watching all bug changes.

Reply via email to