Issue 58072
Summary Miscompilation with ShadowCallStack + PAC-RET + -march=armv8.3a
Reporter pcc
    ```
> echo 'void g(void); int f(void) { g(); return 0; }' | ra/bin/clang -fsanitize=shadow-call-stack -ffixed-x18 -march=armv8.3a -mbranch-protection=pac-ret -target aarch64-linux -S -o - -x c -
	.text
	.section	.note.gnu.property,"a",@note   // GNU property note recording which branch-protection features this object was built with
	.p2align	3, 0x0
	.word	4                               // n_namesz: sizeof("GNU")
	.word	16                              // n_descsz: one property entry (type + size + data), padded to 8 bytes
	.word	5                               // n_type: NT_GNU_PROPERTY_TYPE_0
	.asciz	"GNU"
	.word	3221225472                      // pr_type 0xc0000000 = GNU_PROPERTY_AARCH64_FEATURE_1_AND
	.word	4                               // pr_datasz
	.word	2                               // GNU_PROPERTY_AARCH64_FEATURE_1_PAC (from -mbranch-protection=pac-ret); BTI (bit 0) is not set
	.word	0                               // pad the descriptor to 8-byte alignment
.Lsec_end0:
	.text
	.file	"-"                             // the source was read from stdin (see the reproducer command above)
	.globl	f                               // -- Begin function f
	.p2align	2
	.type	f,@function
//-----------------------------------------------------------------------
// int f(void) { g(); return 0; }   (compiled by the reproducer command above)
// ABI:   AAPCS64 / Linux, -fsanitize=shadow-call-stack with -ffixed-x18,
//        -mbranch-protection=pac-ret
// Return-address handling as emitted (this is the bug, see the report
// text below):
//   x18 = shadow call stack (SCS) pointer. The raw, UNSIGNED x30 is
//         pushed there on entry and popped back into x30 on exit.
//   x30 is PAC-signed (pacia) only for the copy kept in the frame
//         record; that signed copy is reloaded and then overwritten by
//         the SCS pop, yet retaa still tries to authenticate x30.
//-----------------------------------------------------------------------
f:                                      // @f
	.cfi_startproc
// %bb.0:                               // %entry
	str	x30, [x18], #8                  // SCS push: store the raw (unsigned) return address, x18 += 8
	.cfi_escape 0x16, 0x12, 0x02, 0x82, 0x78 // DW_CFA_val_expression x18: x18 - 8 (unwind rule for the SCS pointer)
	pacia	x30, sp                         // sign x30 with key A, modifier sp; only the stack copy below carries this signature
	.cfi_negate_ra_state                    // unwinder: x30 now holds a signed return address
	stp	x29, x30, [sp, #-16]!           // 16-byte Folded Spill: frame record holding the SIGNED x30
	.cfi_def_cfa_offset 16
	mov	x29, sp
	.cfi_def_cfa w29, 16
	.cfi_offset w30, -8
	.cfi_offset w29, -16
	bl	g                               // g(); clobbers x30, hence the saves above
	mov	w0, wzr                         // return 0
	.cfi_def_cfa wsp, 16
	ldp	x29, x30, [sp], #16             // 16-byte Folded Reload: x30 = signed return address again
	.cfi_def_cfa_offset 0
	ldr	x30, [x18, #-8]!                // SCS pop: x18 -= 8, x30 = raw UNSIGNED return address, replacing the signed copy
	.cfi_restore w18
	.cfi_restore w30
	.cfi_restore w29
	retaa                                   // authenticate x30 (key A, modifier sp) and return: x30 is unsigned here, so the check fails
.Lfunc_end0:
	.size	f, .Lfunc_end0-f
	.cfi_endproc
                                        // -- End function
	.ident	"clang version 16.0.0"
	.section	".note.GNU-stack","",@progbits   // empty flags: requests a non-executable stack
	.addrsig                                // address-significance table (lets the linker do safe ICF)
	.addrsig_sym g                          // g is recorded as address-significant
```
On return, an unsigned pointer is loaded from the shadow call stack and then authenticated, which will fail because it was never signed. The compiler should at least use AUTIASP before the SCS load instead of RETAA. But given that the signing operation here is almost completely useless — we return through the address loaded from the SCS, not the one loaded from the stack — it would probably be better to arrange for the pointer on the SCS to be signed instead.