aarch64: Make stack smash canary protect saved registers
commit 3e4afea3b192c205c9a9da99f4cac65c68087eaf
author Richard Sandiford <richard.sandiford@arm.com>
Tue, 12 Sep 2023 15:05:13 +0000 (12 16:05 +0100)
committer Richard Sandiford <richard.sandiford@arm.com>
Tue, 12 Sep 2023 15:05:13 +0000 (12 16:05 +0100)
tree ee9a7ed488a1d943d2a791f8b65eff8c0d9af26b
parent 2abfc867d3ba025ac2146bb21b92a93e6325dec1

AArch64 normally puts the saved registers near the bottom of the frame,
immediately above any dynamic allocations.  But this means that a
stack-smash attack on those dynamic allocations could overwrite the
saved registers without needing to reach as far as the stack smash
canary.

The same thing could also happen for variable-sized arguments that are
passed by value, since those are allocated before a call and popped on
return.

This patch avoids that by putting the locals (and thus the canary) below
the saved registers when stack smash protection is active.

The patch fixes CVE-2023-4039.

gcc/
* config/aarch64/aarch64.cc (aarch64_save_regs_above_locals_p):
New function.
(aarch64_layout_frame): Use it to decide whether locals should
go above or below the saved registers.
(aarch64_expand_prologue): Update stack layout comment.
Emit a stack tie after the final adjustment.

gcc/testsuite/
* gcc.target/aarch64/stack-protector-8.c: New test.
* gcc.target/aarch64/stack-protector-9.c: Likewise.

gcc/config/aarch64/aarch64.cc
gcc/testsuite/gcc.target/aarch64/stack-protector-8.c [new file with mode: 0644]
gcc/testsuite/gcc.target/aarch64/stack-protector-9.c [new file with mode: 0644]
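The layout change the commit message describes, as an added model in C (not the commit's own code and not GCC's frame-layout code): a frame is a list of regions from the stack pointer upward, and an overflow that starts in the dynamic allocations is checked for whether it reaches the saved registers without touching the canary, which is the case the epilogue canary check cannot catch. Region sizes are constructed, and the canary is assumed to sit at the top of the locals.

```c
#include <stdbool.h>
#include <stddef.h>

/* One contiguous region of a frame, listed from the lowest address up.
   Model only: sizes are constructed, not taken from the compiler. */
typedef struct {
    const char *name;
    size_t size;
    bool saved_regs;   /* region holds callee-saved registers (FP, LR, ...) */
    bool canary;       /* region holds the stack-smash canary */
} region;

/* Layout before the patch: the saved registers sit just above the dynamic
   allocations, so an overflow reaches them before the locals and canary. */
const region old_layout[] = {
    { "dynamic allocs", 64, false, false },
    { "saved regs",     16, true,  false },
    { "locals",         32, false, false },
    { "canary",          8, false, true  },  /* assumed: guard at top of locals */
};

/* Layout after the patch (stack protector active): the locals, and with
   them the canary, are placed below the saved registers. */
const region new_layout[] = {
    { "dynamic allocs", 64, false, false },
    { "locals",         32, false, false },
    { "canary",          8, false, true  },
    { "saved regs",     16, true,  false },
};

/* Simulate a write of `len` bytes starting at the bottom of the dynamic
   allocation.  Returns true if the saved registers are corrupted while the
   canary stays intact, i.e. the overwrite would survive the canary check. */
bool undetected_saved_reg_corruption(const region *layout, size_t n, size_t len)
{
    size_t offset = 0;
    bool regs_hit = false, canary_hit = false;
    for (size_t i = 0; i < n; i++) {
        size_t end = offset + layout[i].size;
        if (len > offset) {                 /* write overlaps this region */
            if (layout[i].saved_regs) regs_hit = true;
            if (layout[i].canary) canary_hit = true;
        }
        offset = end;
    }
    return regs_hit && !canary_hit;
}
```

With the old layout, a write that runs 8 bytes past the 64-byte dynamic area clobbers the saved registers and leaves the canary untouched; with the new layout no write length can reach the saved registers without first crossing the canary.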