diff options
| author | Richard Earnshaw <rearnsha@arm.com> | 2019-08-27 10:05:51 +0000 |
|---|---|---|
| committer | Richard Earnshaw <rearnsha@gcc.gnu.org> | 2019-08-27 10:05:51 +0000 |
| commit | a7e73b4158f528600ef97aca29201ddc92b3439f (patch) | |
| tree | 039a54b8909cb0f818dbcbf9cedd9882cb5d5e95 /gcc/ubsan.h | |
| parent | 72bb85f8d180725a84b17fb9e6a7a66d4d649af3 (diff) | |
| download | gcc-a7e73b4158f528600ef97aca29201ddc92b3439f.zip gcc-a7e73b4158f528600ef97aca29201ddc92b3439f.tar.gz gcc-a7e73b4158f528600ef97aca29201ddc92b3439f.tar.bz2 | |
[arm/aarch64] Add comments warning that stack-protector initializer insns shouldn't be split
Following the publication of https://kb.cert.org/vuls/id/129209/ I've
been having a look at GCC's implementation for Arm and AArch64. I
haven't identified any issues yet, but it's a bit early to be
completely sure.
One observation, however, is that the instruction sequence that
initializes the stack canary might be vulnerable to producing a
reusable value if it were ever split early. I don't think we ever
would, because the memory locations involved with the stack protector
are all marked volatile to ensure that the values are only loaded at
the point in time when the test is intended to happen, and that also
has the effect of making it unlikely that the value would be reused
without reloading. Nevertheless, defence in depth is probably
warranted here.
So this patch just adds some comments warning that the patterns should
not be split.
* config/arm/arm.md (stack_protect_set_insn): Add security-related
comment.
* config/aarch64/aarch64.md (stack_protect_set_<mode>): Likewise.
From-SVN: r274946
Diffstat (limited to 'gcc/ubsan.h')
0 files changed, 0 insertions, 0 deletions