author | Richard Sandiford <richard.sandiford@arm.com> | 2020-09-24 10:06:11 +0100 |
---|---|---|
committer | Richard Sandiford <richard.sandiford@arm.com> | 2020-09-24 10:06:11 +0100 |
commit | e94797250b403d66cb3624a594e41faf0dd76617 (patch) | |
tree | b194646ca7dd5acb0bc0333d86814438f44e5a4b /gcc | |
parent | 10843f8303509fcba880c6c05c08e4b4ccd24f36 (diff) | |
arm: Fix canary address calculation for non-PIC
For non-PIC, the stack protector patterns did:
rtx mem = XEXP (force_const_mem (SImode, operands[1]), 0);
emit_move_insn (operands[2], mem);
Here, operands[1] is the address of the canary (&__stack_chk_guard)
and operands[2] is the register that we want to move that address into.
However, the code above instead sets operands[2] to the address of a
constant pool entry that contains &__stack_chk_guard, rather than to
&__stack_chk_guard itself. The sequence therefore does one less
pointer indirection than it should.
The net effect was to use &__stack_chk_guard for stack-smash detection,
instead of using __stack_chk_guard itself.
gcc/
* config/arm/arm.md (*stack_protect_combined_set_insn): For non-PIC,
load the address of the canary rather than the address of the
constant pool entry that points to it.
(*stack_protect_combined_test_insn): Likewise.
gcc/testsuite/
* gcc.target/arm/stack-protector-3.c: New test.
* gcc.target/arm/stack-protector-4.c: Likewise.
Diffstat (limited to 'gcc')
-rw-r--r-- | gcc/config/arm/arm.md | 4 | ||||
-rw-r--r-- | gcc/testsuite/gcc.target/arm/stack-protector-3.c | 38 | ||||
-rw-r--r-- | gcc/testsuite/gcc.target/arm/stack-protector-4.c | 6 |
3 files changed, 46 insertions, 2 deletions
diff --git a/gcc/config/arm/arm.md b/gcc/config/arm/arm.md
index bffdb0b..c4fa116 100644
--- a/gcc/config/arm/arm.md
+++ b/gcc/config/arm/arm.md
@@ -9212,7 +9212,7 @@
 operands[2] = operands[1];
 else
 {
- rtx mem = XEXP (force_const_mem (SImode, operands[1]), 0);
+ rtx mem = force_const_mem (SImode, operands[1]);
 emit_move_insn (operands[2], mem);
 }
 }
@@ -9295,7 +9295,7 @@
 operands[3] = operands[1];
 else
 {
- rtx mem = XEXP (force_const_mem (SImode, operands[1]), 0);
+ rtx mem = force_const_mem (SImode, operands[1]);
 emit_move_insn (operands[3], mem);
 }
 }
diff --git a/gcc/testsuite/gcc.target/arm/stack-protector-3.c b/gcc/testsuite/gcc.target/arm/stack-protector-3.c
new file mode 100644
index 0000000..b8f77fa
--- /dev/null
+++ b/gcc/testsuite/gcc.target/arm/stack-protector-3.c
@@ -0,0 +1,38 @@
+/* { dg-do run } */
+/* { dg-require-effective-target fstack_protector } */
+/* { dg-options "-fstack-protector-all -O2" } */
+
+extern volatile long *stack_chk_guard_ptr;
+
+void __attribute__ ((noipa))
+f (void)
+{
+ volatile int x;
+ /* Munging the contents of __stack_chk_guard should trigger a
+ stack-smashing failure for this function. */
+ *stack_chk_guard_ptr += 1;
+}
+
+asm (
+" .data\n"
+" .align 3\n"
+" .globl stack_chk_guard_ptr\n"
+"stack_chk_guard_ptr:\n"
+" .word __stack_chk_guard\n"
+" .weak __stack_chk_guard\n"
+"__stack_chk_guard:\n"
+" .word 0xdead4321\n"
+" .text\n"
+" .type __stack_chk_fail, %function\n"
+"__stack_chk_fail:\n"
+" movs r0, #0\n"
+" b exit\n"
+" .size __stack_chk_fail, .-__stack_chk_fail"
+);
+
+int
+main (void)
+{
+ f ();
+ __builtin_abort ();
+}
diff --git a/gcc/testsuite/gcc.target/arm/stack-protector-4.c b/gcc/testsuite/gcc.target/arm/stack-protector-4.c
new file mode 100644
index 0000000..6334dd0
--- /dev/null
+++ b/gcc/testsuite/gcc.target/arm/stack-protector-4.c
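Review bot: The non-PIC `else` branch in both arm.md hunks (-9212 and -9295, which the ChangeLog attributes to `*stack_protect_combined_set_insn` and `*stack_protect_combined_test_insn`) still carries no comment saying which level of indirection `mem` stands for, and that is precisely the detail the old code got wrong. I would add above the assignment something like `/* MEM for the constant pool entry that holds &__stack_chk_guard; the move loads the guard's address, not the pool entry's address.  */`. Since the old sequence compared against the guard's address rather than its contents, non-PIC objects built with an affected compiler presumably carry a canary that is fixed at link time, so they need rebuilding and not only a compiler upgrade; that is worth stating wherever the fix is announced. Both enclosing preparation blocks start and end outside the hunks.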
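Review bot: The pass/fail convention in stack-protector-3.c is inverted and nothing in the file says so: the asm block replaces `__stack_chk_fail` with a stub that branches to `exit` with r0 set to 0, while `main` aborts if `f` returns. A one-line comment before `__builtin_abort ();`, for example `/* f must not return: the overridden __stack_chk_fail exits with status 0.  */`, would stop a later reader from "fixing" the stub or the abort. It would also help to note next to the `.word 0xdead4321` line that the weak `__stack_chk_guard` definition exists so the test controls the guard object that `stack_chk_guard_ptr` points at.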
@@ -0,0 +1,6 @@
+/* { dg-do run } */
+/* { dg-require-effective-target fstack_protector } */
+/* { dg-require-effective-target fpic } */
+/* { dg-options "-fstack-protector-all -O2 -fpic" } */
+
+#include "stack-protector-3.c" |