Status of stack-protector


Status of stack-protector

Jean-Daniel Dupas-2
Hello,

While I was playing with stack protector option, I found a problem.

In my test program (x86_64), the call to stack_chk_fail is generated after the 'ret' instruction and so is never reached (I'm not an x86 assembly expert, so correct me if I'm wrong on this point)

-------------------
0000000100000ea4 movq 0xd8(%rbp),%rax
0000000100000ea8 movq (%rax),%rax
0000000100000eab movq 0xf8(%rbp),%rcx
0000000100000eaf cmpq %rcx,%rax
0000000100000eb2 jne 0x00000eba
0000000100000eb4 addq $0x40,%rsp
0000000100000eb8 popq %rbp
0000000100000eb9 ret
0000000100000eba callq 0x00000ec0

The same problem occurs on x86 too. I didn't try other arch.

Is this a known issue?

This is my test file compiled using 

clang -fstack-protector-all -o stack stack.c

------------- stack.c --------------

#include <stdio.h>    /* fprintf  (standard headers in place of the macOS-only <libc.h>) */
#include <string.h>   /* strlen */
#include <strings.h>  /* bcopy */

static
void test(const char *msg) {
  char buffer[8];
  /* deliberate overflow: "Hello World !" plus its NUL is 14 bytes, the buffer holds 8 */
  bcopy(msg, buffer, strlen(msg) + 1);
  fprintf(stderr, "%s\n", buffer);
}

int main(int argc, const char **argv) {
  test("Hello World !");
  return 0;
}

------------------------

When compiled with gcc, the execution is properly aborted at the end of the test function, but not when compiled with clang.

-- Jean-Daniel

_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev

Re: Status of stack-protector

Jean-Daniel Dupas-2
My bad. I just read a little more how the stack guard works, and saw that the position of the call is good. 
My problem is elsewhere as the behavior is not the same with GCC and clang. I will dig a little deeper to see what the difference is.

On 8 Jan 2010, at 15:54, Jean-Daniel Dupas wrote:


-- Jean-Daniel


Re: Status of stack-protector

Jean-Daniel Dupas-2
OK, so it works but only if I reduce the stack buffer size a little more. Sorry for the noise.


On 8 Jan 2010, at 16:01, Jean-Daniel Dupas wrote:

-- Jean-Daniel
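The outcome in this thread (the same overflow aborts under one compiler and not the other, and only after shrinking the buffer under clang) comes down to whether the copied bytes reach past the buffer's slot, including any alignment padding the compiler leaves between the buffer and the canary. The model below is an added example, not clang's or gcc's code generation: it re-creates the epilogue sequence from the listing (load the global guard, load the frame's copy, compare, branch to the fail call on mismatch) on a simulated frame. The slot alignment, the guard value and the frame layout are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical frame model: the local char buffer[bufsize] occupies a slot
 * rounded up to `align` bytes, and the canary (a copy of the global guard)
 * sits directly above that slot. Real frames also hold the saved frame
 * pointer and return address above the canary; they are out of scope here. */
#define MAX_SLOT 64

/* constructed stand-in for __stack_chk_guard; the real value is randomized */
static const uint64_t stack_chk_guard = 0x2f9e4c1a8b7d6e05ULL;

static size_t slot_size(size_t bufsize, size_t align) {
    return (bufsize + align - 1) / align * align;
}

/* Simulates test() from stack.c: bcopy(msg, buffer, strlen(msg) + 1).
 * Returns 1 if the epilogue check would branch to __stack_chk_fail,
 * 0 if the function would return normally, -1 if the sizes do not fit
 * the model. Nothing here touches the real stack or its guard. */
int guard_check_fails(size_t bufsize, size_t align, const char *msg) {
    if (align == 0)
        return -1;
    size_t slot = slot_size(bufsize, align);
    if (slot == 0 || slot > MAX_SLOT)
        return -1;

    unsigned char frame[MAX_SLOT + sizeof stack_chk_guard];
    unsigned char *canary = frame + MAX_SLOT;      /* just above the slot */
    unsigned char *buffer = frame + MAX_SLOT - slot; /* slot ends at canary */
    size_t n = strlen(msg) + 1;                    /* bcopy length, NUL included */

    /* prologue: store the canary copy in the frame */
    memcpy(canary, &stack_chk_guard, sizeof stack_chk_guard);

    /* clamp the write to the model frame; a longer overflow would also hit
       the saved frame pointer and return address, which the model omits */
    if (n > slot + sizeof stack_chk_guard)
        n = slot + sizeof stack_chk_guard;
    memcpy(buffer, msg, n);                        /* the overflow from stack.c */

    /* epilogue: cmpq global guard, frame copy ; jne __stack_chk_fail */
    return memcmp(canary, &stack_chk_guard, sizeof stack_chk_guard) != 0;
}
```

With a 16-byte slot the 14-byte copy of "Hello World !" into buffer[8] never touches the canary, while with no padding the same copy clobbers it; the same message therefore passes or fails the check depending only on the layout.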