https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85434

            Bug ID: 85434
           Summary: Address of stack protector guard spilled to stack on
                    ARM
           Product: gcc
           Version: 8.0.1
            Status: UNCONFIRMED
          Keywords: diagnostic
          Severity: normal
          Priority: P3
         Component: target
          Assignee: thopre01 at gcc dot gnu.org
          Reporter: thopre01 at gcc dot gnu.org
  Target Milestone: ---
            Target: arm-linux-gnueabihf

Created attachment 43962
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=43962&action=edit
Testcase for stack protector spilling guard address

When compiling the attached file with -mcpu=cortex-a57 -std=c99 -Os -fpic
-fstack-protector-strong, the address of the stack protector guard gets spilled on the stack,
where an attacker using a buffer overflow could overwrite it and thus control
what the canary is checked against:

        ldr     r3, [sp]  <--- accessing spilled address of guard from stack
        mov     r0, r4
        ldr     r2, [sp, #228]
        ldr     r3, [r3]
        cmp     r2, r3
        beq     .L18
        bl      __stack_chk_fail(PLT)

I can reproduce this on GCC 7 and trunk at least.
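As an added illustration, not part of the bug report or of GCC itself, the following heuristic scans assembler text for the pattern quoted above: a pointer reloaded from a stack slot, dereferenced, and the loaded value compared right before a call to __stack_chk_fail. Both inputs are constructed; the first is the epilogue quoted in the report, the second a hypothetical clean epilogue where the guard address stays in a callee-saved register.

```python
import re

# Constructed input: the epilogue quoted in the bug report (guard address
# reloaded from [sp] and dereferenced before the canary compare).
SPILLED_GUARD = """\
        ldr     r3, [sp]
        mov     r0, r4
        ldr     r2, [sp, #228]
        ldr     r3, [r3]
        cmp     r2, r3
        beq     .L18
        bl      __stack_chk_fail(PLT)
"""

# Constructed input: hypothetical clean epilogue, guard address held in r5
# (assumed register choice; not taken from the report).
REGISTER_GUARD = """\
        ldr     r3, [r5]
        ldr     r2, [sp, #228]
        cmp     r2, r3
        beq     .L18
        bl      __stack_chk_fail(PLT)
"""

LDR = re.compile(r"^\s*ldr\s+(\w+),\s*\[(\w+)[^\]]*\]")   # ldr rd, [base ...]
WRITE = re.compile(r"^\s*(?:mov|add|sub|ldr)\s+(\w+),")  # other writes to rd
CMP = re.compile(r"^\s*cmp\s+(\w+),\s*(\w+)")

def find_spilled_guard_loads(asm):
    """Return 1-based line numbers of 'ldr rd, [rp]' where rp was itself
    reloaded from the stack and rd is then compared immediately before a
    __stack_chk_fail call. Simple heuristic for straight-line epilogues."""
    from_stack = set()   # registers currently holding a value loaded from [sp, ...]
    via_spill = {}       # register -> line of the dereference through such a value
    pending, hits = None, []
    for n, line in enumerate(asm.splitlines(), 1):
        m = LDR.match(line)
        if m:
            rd, base = m.groups()
            if base == "sp":
                from_stack.add(rd); via_spill.pop(rd, None)
            elif base in from_stack:
                via_spill[rd] = n; from_stack.discard(rd)
            else:
                from_stack.discard(rd); via_spill.pop(rd, None)
            continue
        w = WRITE.match(line)
        if w:  # any other write invalidates what we knew about rd
            from_stack.discard(w.group(1)); via_spill.pop(w.group(1), None)
        c = CMP.match(line)
        if c:
            pending = next((via_spill[r] for r in c.groups() if r in via_spill), None)
        if "__stack_chk_fail" in line and pending is not None:
            hits.append(pending); pending = None
    return hits
```

Running it over objdump -d output of a build made with the flags above gives the line of the offending `ldr r3, [r3]` when the guard address was spilled, and an empty list otherwise.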