https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97928

            Bug ID: 97928
           Summary: -fstack-clash-protection probe miss
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: target
          Assignee: unassigned at gcc dot gnu.org
          Reporter: sguelton at redhat dot com
  Target Milestone: ---

The compilation of the following code

```c
#include <alloca.h>

int square(int num) {
    char foo[6000];
    char* bar = alloca(num * num);
    return foo[num] + bar[num];
}
```

with gcc -fstack-clash-protection trunk yields the following assembly (full
assembly here https://godbolt.org/z/95636K)

```asm
square:
        push    rbp
        mov     rbp, rsp
        sub     rsp, 4096
        or      QWORD PTR [rsp], 0
        sub     rsp, 1936
#...
.L2:
        cmp     rsp, rdx
        je      .L3
        sub     rsp, 4096
        or      QWORD PTR [rsp+4088], 0
        jmp     .L2
#...
```

There's a potential sequence here that jumps over a `PAGE_SIZE` guard:

```asm
sub     rsp, 1936
...
sub     rsp, 4096
<< signal here >>
or      QWORD PTR [rsp+4088], 0
```

If a signal is received at << signal here >>, then the stack may point behind
the guard page.

It seems to me the following achieves the same protection level.

```asm
.L2:
        cmp     rsp, rdx
        je      .L3
        or      QWORD PTR [rsp], 0
        sub     rsp, 4096
        jmp     .L2
```
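As an added example (not part of the bug report and not GCC's own code), the following Python checker applies the report's criterion mechanically to Intel-syntax listings like the two excerpts above: it tracks `rsp` relative to function entry and the lowest byte any probe has touched, and flags every `sub rsp` after which `rsp` sits more than `PAGE_SIZE` bytes below that byte, which is the point at which a signal frame could be pushed past a single guard page. Assumptions of the model: the listing is read as straight-line code (labels and `cmp`/`je`/`jmp` are ignored, so the loop body counts once, as in the excerpt), the guard is one 4096-byte page, the caller's frame is considered touched down to the entry `rsp`, and neither the red zone nor the size of the signal frame is modeled.

```python
import re

PAGE_SIZE = 4096  # assumption: the guard is a single 4 KiB page, as in the report

# Intel-syntax patterns for the only two instruction kinds the check needs:
# stack-pointer decrements and the `or QWORD PTR [rsp+off], 0` probe GCC emits.
SUB_RE = re.compile(r"^\s*sub\s+rsp,\s*(\d+)\s*$")
PROBE_RE = re.compile(r"^\s*or\s+QWORD PTR \[rsp(?:\+(\d+))?\],\s*0\s*$")


def probe_gaps(asm_text):
    """Return one (line_no, gap) tuple per `sub rsp, N` in the listing.

    gap is how many bytes rsp sits below the lowest byte any earlier probe
    touched (the entry rsp counts as touched, since the caller's frame is
    there). Labels, cmp/je/jmp and everything else are skipped, so a loop
    body is evaluated once, exactly as the excerpt in the report does.
    """
    rsp = 0             # stack pointer relative to function entry
    lowest_touched = 0  # lowest byte known to have been written so far
    gaps = []
    for line_no, line in enumerate(asm_text.splitlines(), 1):
        m = SUB_RE.match(line)
        if m:
            rsp -= int(m.group(1))
            # Worst case: a signal arrives right here and the kernel writes
            # the signal frame at rsp (red zone and frame size not modeled).
            gaps.append((line_no, lowest_touched - rsp))
            continue
        m = PROBE_RE.match(line)
        if m:
            offset = int(m.group(1) or 0)
            lowest_touched = min(lowest_touched, rsp + offset)
    return gaps


def unguarded_points(asm_text):
    """Return the (line_no, gap) entries whose gap exceeds PAGE_SIZE, i.e.
    points at which a write at rsp could land below a single guard page."""
    return [entry for entry in probe_gaps(asm_text) if entry[1] > PAGE_SIZE]


# The two excerpts from the report, loop body listed once, labels dropped.
REPORTED = """\
sub     rsp, 4096
or      QWORD PTR [rsp], 0
sub     rsp, 1936
sub     rsp, 4096
or      QWORD PTR [rsp+4088], 0
"""

PROPOSED = """\
sub     rsp, 4096
or      QWORD PTR [rsp], 0
sub     rsp, 1936
or      QWORD PTR [rsp], 0
sub     rsp, 4096
"""

if __name__ == "__main__":
    for name, listing in (("reported", REPORTED), ("proposed", PROPOSED)):
        print(name, "gaps:", probe_gaps(listing))
        for line_no, gap in unguarded_points(listing):
            print(f"  line {line_no}: rsp is {gap} bytes below the last probe "
                  f"(> {PAGE_SIZE})")
```

On the reported excerpt the checker flags the second `sub rsp, 4096`, where `rsp` is 1936 + 4096 = 6032 bytes below the last probed byte; on the proposed ordering no decrement in this excerpt leaves `rsp` more than 4096 bytes below a probe, because each probe lands at the current `rsp` before the next decrement. To check a full listing from the compiler, strip or ignore the `cmp`/`je`/`jmp` lines and feed the straight-line body in the order it executes.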
