diff options
| author | Richard Earnshaw <rearnsha@arm.com> | 2019-08-27 10:05:51 +0000 |
|---|---|---|
| committer | Richard Earnshaw <rearnsha@gcc.gnu.org> | 2019-08-27 10:05:51 +0000 |
| commit | a7e73b4158f528600ef97aca29201ddc92b3439f (patch) | |
| tree | 039a54b8909cb0f818dbcbf9cedd9882cb5d5e95 | |
| parent | 72bb85f8d180725a84b17fb9e6a7a66d4d649af3 (diff) | |
| download | gcc-a7e73b4158f528600ef97aca29201ddc92b3439f.zip gcc-a7e73b4158f528600ef97aca29201ddc92b3439f.tar.gz gcc-a7e73b4158f528600ef97aca29201ddc92b3439f.tar.bz2 | |
[arm/aarch64] Add comments warning that stack-protector initializer insns shouldn't be split
Following the publication of https://kb.cert.org/vuls/id/129209/ I've
been having a look at GCC's implementation for Arm and AArch64. I
haven't identified any issues yet, but it's a bit early to be
completely sure.
One observation, however, is that the instruction sequence that
initializes the stack canary might be vulnerable to producing a
reusable value if it were ever split early. I don't think we ever
would, because the memory locations involved with the stack protector
are all marked volatile to ensure that the values are only loaded at
the point in time when the test is intended to happen, and that also
has the effect of making it unlikely that the value would be reused
without reloading. Nevertheless, defence in depth is probably
warranted here.
So this patch just adds some comments warning that the patterns should
not be split.
* config/arm/arm.md (stack_protect_set_insn): Add security-related
comment.
* config/aarch64/aarch64.md (stack_protect_set_<mode>): Likewise.
From-SVN: r274946
| -rw-r--r-- | gcc/ChangeLog | 6 | ||||
| -rw-r--r-- | gcc/config/aarch64/aarch64.md | 4 | ||||
| -rw-r--r-- | gcc/config/arm/arm.md | 6 |
3 files changed, 13 insertions, 3 deletions
diff --git a/gcc/ChangeLog b/gcc/ChangeLog index 856ce68..b7c0fbe 100644 --- a/gcc/ChangeLog +++ b/gcc/ChangeLog @@ -1,3 +1,9 @@ +2019-08-27 Richard Earnshaw <rearnsha@arm.com> + + * config/arm/arm.md (stack_protect_set_insn): Add security-related + comment. + * config/aarch64/aarch64.md (stack_protect_set_<mode>): Likewise. + 2019-08-27 Martin Liska <mliska@suse.cz> * cgraph.c (cgraph_node::remove): Remove dead assignment before diff --git a/gcc/config/aarch64/aarch64.md b/gcc/config/aarch64/aarch64.md index 9a07f63..88e04df 100644 --- a/gcc/config/aarch64/aarch64.md +++ b/gcc/config/aarch64/aarch64.md @@ -7016,13 +7016,15 @@ } [(set_attr "type" "mrs")]) +;; DO NOT SPLIT THIS PATTERN. It is important for security reasons that the +;; canary value does not live beyond the life of this sequence. (define_insn "stack_protect_set_<mode>" [(set (match_operand:PTR 0 "memory_operand" "=m") (unspec:PTR [(match_operand:PTR 1 "memory_operand" "m")] UNSPEC_SP_SET)) (set (match_scratch:PTR 2 "=&r") (const_int 0))] "" - "ldr\\t%<w>2, %1\;str\\t%<w>2, %0\;mov\t%<w>2,0" + "ldr\\t%<w>2, %1\;str\\t%<w>2, %0\;mov\t%<w>2, 0" [(set_attr "length" "12") (set_attr "type" "multiple")]) diff --git a/gcc/config/arm/arm.md b/gcc/config/arm/arm.md index ed49c4b..f138d31 100644 --- a/gcc/config/arm/arm.md +++ b/gcc/config/arm/arm.md @@ -8208,6 +8208,8 @@ [(set_attr "arch" "t1,32")] ) +;; DO NOT SPLIT THIS INSN. It's important for security reasons that the +;; canary value does not live beyond the life of this sequence. (define_insn "*stack_protect_set_insn" [(set (match_operand:SI 0 "memory_operand" "=m,m") (unspec:SI [(mem:SI (match_operand:SI 1 "register_operand" "+&l,&r"))] @@ -8215,8 +8217,8 @@ (clobber (match_dup 1))] "" "@ - ldr\\t%1, [%1]\;str\\t%1, %0\;movs\t%1,#0 - ldr\\t%1, [%1]\;str\\t%1, %0\;mov\t%1,#0" + ldr\\t%1, [%1]\;str\\t%1, %0\;movs\t%1, #0 + ldr\\t%1, [%1]\;str\\t%1, %0\;mov\t%1, #0" [(set_attr "length" "8,12") (set_attr "conds" "clob,nocond") (set_attr "type" "multiple") |