https://gcc.gnu.org/bugzilla/show_bug.cgi?id=123696
Bug ID: 123696
Summary: -fsanitize=kernel-hwaddress corrupts function pointers on x86_64
Product: gcc
Version: 16.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: ryabinin.a.a at gmail dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
Target Milestone: ---
Created attachment 63391
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=63391&action=edit
repro.c
When compiling with -fsanitize=kernel-hwaddress, GCC emits code that masks off
the top bits of a function pointer before an indirect call. This behavior
matches userspace HWASan assumptions but is incorrect for the kernel, where
function pointers have high address bits set.
$ cat cc_hwasan_bug.c
struct g {
    int a;
    void (*call)(void);
};

void f(struct g *g_call)
{
    g_call->call();
}
$ gcc -O2 -S -fsanitize=kernel-hwaddress gcc_hwasan_bug.c
$ cat gcc_hwasan_bug.s
....
f:
    pushq   %rbx
    movq    %rdi, %rbx
    leaq    8(%rdi), %rdi
    call    __hwasan_load8_noabort
    movabsq $-9079256848778919937, %rax
    andq    8(%rbx), %rax
    popq    %rbx
    jmp     *%rax
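As an added illustration (not part of the report or its attachment), the C program below applies the exact mask immediate from the listing above to a constructed user-space pointer and a constructed kernel-style pointer, then checks whether the masked target is still a canonical x86_64 address. The sample pointer values and the 48-bit (4-level paging) canonical check are assumptions chosen for the demonstration; the mask constant itself is the one GCC emitted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The immediate from `movabsq $-9079256848778919937, %rax` in the report,
 * reinterpreted as an unsigned 64-bit value: 0x81FFFFFFFFFFFFFF.
 * It clears bits 57..62 and leaves every other bit, including bit 63, as is. */
static const uint64_t HWASAN_CALL_MASK = (uint64_t)(-9079256848778919937LL);

/* What `andq 8(%rbx), %rax; jmp *%rax` does to the call target. */
uint64_t hwasan_strip_call_target(uint64_t fnptr)
{
    return fnptr & HWASAN_CALL_MASK;
}

/* Canonical-address check for 4-level paging (assumption: 48-bit virtual
 * addresses): bits 63..47 must all equal bit 47. On x86_64 an indirect
 * jump to a non-canonical address faults instead of executing. */
bool is_canonical_48(uint64_t va)
{
    uint64_t top17 = va >> 47;
    return top17 == 0 || top17 == 0x1FFFF;
}

/* Outcome of the masked indirect call:
 *   0 = target unchanged,
 *   1 = tag bits removed, target still canonical (the user-space case),
 *   2 = target changed into a non-canonical address (the kernel failure mode). */
int classify_masked_call(uint64_t fnptr)
{
    uint64_t stripped = hwasan_strip_call_target(fnptr);
    if (stripped == fnptr)
        return 0;
    return is_canonical_48(stripped) ? 1 : 2;
}

int main(void)
{
    /* Constructed sample values, not taken from the report. */
    const uint64_t user_untagged = 0x0000000000401136ULL;          /* plain user-space code address */
    const uint64_t user_tagged   = user_untagged | (0x2AULL << 57); /* same address with a tag in bits 57..62 */
    const uint64_t kernel_text   = 0xFFFFFFFF81000000ULL;          /* kernel-style address: bits 57..62 are sign-extension bits */

    const uint64_t samples[] = { user_untagged, user_tagged, kernel_text };
    const char *names[] = { "user untagged", "user tagged", "kernel text" };

    for (int i = 0; i < 3; i++) {
        uint64_t stripped = hwasan_strip_call_target(samples[i]);
        printf("%-14s %016llx -> %016llx  canonical=%d  outcome=%d\n",
               names[i],
               (unsigned long long)samples[i],
               (unsigned long long)stripped,
               (int)is_canonical_48(stripped),
               classify_masked_call(samples[i]));
    }
    return 0;
}
```

For the user-space pointer the mask only drops the tag and the call lands where intended; for the kernel pointer the same mask clears part of the sign extension, producing a non-canonical target, which is the corruption the report describes.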