This series of patches fixes deficiencies in GCC's -fstack-protector
implementation for AArch64 when using dynamically allocated stack space.
This is CVE-2023-4039. See:
https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf
for more details.
The fix is to put the saved registers above the locals area when
-fstack-protector is used.
The series also fixes a stack-clash problem that I found while working
on the CVE. In unpatched sources, the stack-clash problem would only
trigger for unrealistic numbers of arguments (8K 64-bit arguments, or an
equivalent). But it would be a more significant issue with the new
-fstack-protector frame layout. It's therefore important that both
problems are fixed together.
Some reorganisation of the code seemed necessary to fix the problems in a
cleanish way. The series is therefore quite long, but only a handful of
patches should have any effect on code generation.
See the individual patches for a detailed description.
Tested on aarch64-linux-gnu. Pushed to trunk and to all active branches.
I've also pushed backports to GCC 7+ to vendors/ARM/heads/CVE-2023-4039.
Richard Sandiford (19):
aarch64: Use local frame vars in shrink-wrapping code
aarch64: Avoid a use of callee_offset
aarch64: Explicitly handle frames with no saved registers
aarch64: Add bytes_below_saved_regs to frame info
aarch64: Add bytes_below_hard_fp to frame info
aarch64: Tweak aarch64_save/restore_callee_saves
aarch64: Only calculate chain_offset if there is a chain
aarch64: Rename locals_offset to bytes_above_locals
aarch64: Rename hard_fp_offset to bytes_above_hard_fp
aarch64: Tweak frame_size comment
aarch64: Measure reg_offset from the bottom of the frame
aarch64: Simplify top of frame allocation
aarch64: Minor initial adjustment tweak
aarch64: Tweak stack clash boundary condition
aarch64: Put LR save probe in first 16 bytes
aarch64: Simplify probe of final frame allocation
aarch64: Explicitly record probe registers in frame info
aarch64: Remove below_hard_fp_saved_regs_size
aarch64: Make stack smash canary protect saved registers
gcc/config/aarch64/aarch64.cc | 518 ++
gcc/config/aarch64/aarch64.h | 44 +-
.../aarch64/stack-check-prologue-17.c | 55 ++
.../aarch64/stack-check-prologue-18.c | 100
.../aarch64/stack-check-prologue-19.c | 100
.../aarch64/stack-check-prologue-20.c | 3 +
.../gcc.target/aarch64/stack-protector-8.c| 95
.../gcc.target/aarch64/stack-protector-9.c| 33 ++
.../aarch64/sve/pcs/stack_clash_3.c | 6 +-
9 files changed, 699 insertions(+), 255 deletions(-)
create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c
create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-20.c
create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-9.c
--
2.25.1