https://llvm.org/bugs/show_bug.cgi?id=24339
Bug ID:         24339
Summary:        SafeStack: should not rely on nocapture function attribute
Product:        libraries
Version:        trunk
Hardware:       PC
OS:             Linux
Status:         NEW
Severity:       normal
Priority:       P
Component:      Miscellaneous Instrumentation passes
Assignee:       unassignedb...@nondot.org
Reporter:       pe...@pcc.me.uk
CC:             llvmbugs@cs.uiuc.edu
Classification: Unclassified

Test case by Zoxc on IRC. The a local stays on the safe stack while we would expect it to be moved to the unsafe stack because of the unsafe accesses in "test".

$ cat foo.c
#include <stdio.h>

__attribute__((noinline)) void test(char *a) {
  *a = 3;
  a[0x2000] = 5; // I'm bad
}

__attribute__((noinline)) int main() {
  char a[0x1000];
  test(a);
  return 0;
}
$ ~/src/llvm-build-rel/bin/clang -fsanitize=safe-stack -S -o - foo.c -O2
	.text
	.file	"gistfile1.c"
	.globl	test
	.align	16, 0x90
	.type	test,@function
test:                                   # @test
	.cfi_startproc
# BB#0:
	movb	$3, (%rdi)
	movb	$5, 8192(%rdi)
	retq
.Lfunc_end0:
	.size	test, .Lfunc_end0-test
	.cfi_endproc

	.globl	main
	.align	16, 0x90
	.type	main,@function
main:                                   # @main
	.cfi_startproc
# BB#0:
	subq	$4104, %rsp             # imm = 0x1008
.Ltmp0:
	.cfi_def_cfa_offset 4112
	leaq	(%rsp), %rdi
	callq	test
	xorl	%eax, %eax
	addq	$4104, %rsp             # imm = 0x1008
	retq
.Lfunc_end1:
	.size	main, .Lfunc_end1-main
	.cfi_endproc

	.ident	"clang version 3.8.0 (trunk 242286) (llvm/trunk 242423)"
	.section	".note.GNU-stack","",@progbits

The underlying problem here is that we are marking the a parameter with the nocapture attribute, and the safe stack pass assumes that locals passed as nocapture parameters can be moved to the unsafe stack, as the callee cannot leak the safe stack address. However, this attribute does not also imply that the parameter cannot be accessed out of bounds, so we cannot rely only on the presence of nocapture to keep locals on the unsafe stack.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
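One way to check `clang -S` output for the symptom in this report, given as an added example that is not part of the original bug report or of LLVM: it flags a function that reserves a buffer-sized frame on the native stack and never references the SafeStack unsafe-stack pointer. The helper names `audit` and `left_on_native_stack` are hypothetical, x86-64 AT&T syntax is assumed, and the second sample is constructed rather than real compiler output.

```python
import re

UNSAFE_SP = "__safestack_unsafe_stack_ptr"  # TLS symbol read by SafeStack-instrumented code

# Excerpt of main from the report above: the 0x1000-byte buffer sits in the %rsp frame.
REPORTED_MAIN = """\
main:                                   # @main
        subq    $4104, %rsp             # imm = 0x1008
        leaq    (%rsp), %rdi
        callq   test
        xorl    %eax, %eax
        addq    $4104, %rsp             # imm = 0x1008
        retq
        .size   main, .Lfunc_end1-main
"""

# Constructed sample (assumption, not compiler output): buffer carved from the unsafe stack.
CONSTRUCTED_MOVED = """\
main:
        movq    __safestack_unsafe_stack_ptr@GOTTPOFF(%rip), %rbx
        movq    %fs:(%rbx), %r14
        leaq    -4096(%r14), %rdi
        movq    %rdi, %fs:(%rbx)
        callq   test
        movq    %r14, %fs:(%rbx)
        retq
        .size   main, .Lfunc_end1-main
"""

def audit(asm):
    """Map each function to (native frame bytes, references unsafe stack pointer)."""
    result, current = {}, None
    for line in asm.splitlines():
        code = line.split("#", 1)[0].strip()               # drop assembler comments
        label = re.fullmatch(r"([A-Za-z_][\w$]*):", code)  # ignores .L local labels
        if label:
            current = label.group(1)
            result[current] = [0, False]
        elif current and code.startswith(".size"):
            current = None                                 # end of function body
        elif current:
            frame = re.match(r"subq\s+\$(\d+),\s*%rsp", code)
            if frame:
                result[current][0] = int(frame.group(1))
            if UNSAFE_SP in code:
                result[current][1] = True
    return {name: tuple(v) for name, v in result.items()}

def left_on_native_stack(asm, func, size):
    """True when func reserves >= size bytes on %rsp and never uses the unsafe stack."""
    frame, uses_unsafe = audit(asm)[func]
    return frame >= size and not uses_unsafe
```

This is a heuristic over the assembly text: a function that uses both stacks, or that adjusts `%rsp` in some other way, needs manual review.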