https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90154
            Bug ID: 90154
           Summary: aarch64: insufficient check for
                    aarch64_stack_protector_guard_reg_str
           Product: gcc
           Version: 9.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: target
          Assignee: unassigned at gcc dot gnu.org
          Reporter: roland.illig at gmx dot de
  Target Milestone: ---

From aarch64.c:

  if (opts->x_aarch64_stack_protector_guard_reg_str)
    {
      if (strlen (opts->x_aarch64_stack_protector_guard_reg_str) > 100)
        error ("specify a system register with a small string length.");
    }

As the German translator I stumbled upon this error message and I had to dig into the code to find a proper translation for it. Now I have the following questions:

What are the valid register names?
Is any of these possible names longer than 5 characters?
Why the arbitrary limit on 100 characters?
Where can I find the list of sensible register names to use?

The term "with a small string length" is really confusing. Granted, no one will ever see this message.

Nevertheless, even if I specify "abcde" as the register name, it will probably be incorrect, and the generated code will be wrong.

I could also launch an Assembly Injection attack on this piece of code by specifying "0" or "0; halt" or something similar as the register name. I don't know anything about AArch64 assembly, therefore I'm not the ideal person to launch this attack. But someone else could.

Having this diagnostic just because of the following code is a lame excuse:

  char buf[150];
  snprintf (buf, 150, "mrs\\t%%<w>0, %s",
            aarch64_stack_protector_guard_reg_str);

Why not use a dynamically allocated string? Since this is the GCC code, it should be even simpler than allocating a local buffer. There's probably an asprintf lying around.
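
One way to address both concerns raised in the report, as an added example that is not GCC's own code: validate the option string syntactically before it reaches the template, and size the buffer from the formatted length instead of capping the input. The names `sysreg_name_ok`, `build_guard_template` and `GUARD_FMT` are hypothetical, the accepted grammar is an assumption, and the sample names in `main` are constructed inputs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format string as quoted in the report.  */
#define GUARD_FMT "mrs\\t%%<w>0, %s"

/* ASCII-only classification, independent of the current locale.  */
static int is_letter (char c)
{ return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'); }
static int is_digit (char c) { return c >= '0' && c <= '9'; }

/* Assumed grammar: a letter followed by letters, digits or '_'.
   This rejects separators, whitespace and '%', so nothing but a single
   operand token can reach the template.  It does not prove that the
   register exists; "abcde" still passes this filter.  */
int sysreg_name_ok (const char *s)
{
  if (s == NULL || !is_letter (s[0]))
    return 0;
  for (const char *p = s + 1; *p != '\0'; p++)
    if (!is_letter (*p) && !is_digit (*p) && *p != '_')
      return 0;
  return 1;
}

/* Returns a malloc'd template sized to fit, or NULL when the name is
   rejected or allocation fails.  The caller frees the result.  */
char *build_guard_template (const char *reg)
{
  if (!sysreg_name_ok (reg))
    return NULL;
  int len = snprintf (NULL, 0, GUARD_FMT, reg);
  if (len < 0)
    return NULL;
  char *buf = malloc ((size_t) len + 1);
  if (buf != NULL)
    snprintf (buf, (size_t) len + 1, GUARD_FMT, reg);
  return buf;
}

int main (void)
{
  /* Constructed inputs: two plausible names, then the report's strings.  */
  const char *samples[] = { "sp_el0", "tpidr_el0", "0", "0; halt", "" };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
    {
      char *t = build_guard_template (samples[i]);
      printf ("%-10s -> %s\n", samples[i], t ? t : "(rejected)");
      free (t);
    }
  return 0;
}
```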