[StackProtector] Clear out stack protector slot #65461
Don't leave the stack protector guard information on the stack after exiting the function. This helps to prevent information leaking.
How much code bloat do we expect from this? Adding an extra instruction to every function with a stack protector seems non-trivial. Do we want a flag for this? I noticed this only updates tests for x86 and RISCV. Do we need separate fixes for targets that have target-specific stack protector support?
Also, have you considered a more general-purpose feature to make functions clear their stack when they return?
As a point of comparison, Microsoft puts the check in If we want to make our stack protection stronger, we should consider the technique of XOR'ing RSP or RBP into the cookie, so we don't directly store the cookie in memory. If we care about size, we should outline this logic, particularly the conditional check. The simplest way to do that would be to make a I think zeroing out the entire frame is usually prohibitively expensive.
@efriedma-quic There's a related option This is also the first in a two-part series where next I want to zero out the register holding the stack guard value before returning. As for the other platforms and target-specific SP support, I'll look into that. @rnk To clarify,
Regarding XOR, LLVM already implements this for Windows, see Regarding
The idea is that we could make the code more compact by loading the stack cookie into a register parameter, and then calling a helper that does the comparison, so we'd get this instead:
This seems related to: Mind adding links to those in the commit message and PR description? I would be curious if you could also find historical context as to why GCC does this only for arm targets (IIUC).
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96191 seems to be the historical context.
From the feedback, I think this change may be a bit premature. As I mentioned, there's already a way to zero the stack upon entry to the function. What I really want to do is zero out the register that held the stack guard value, like in the GCC patch @nickdesaulniers pointed out. I'm going to close this and work on the register clearing instead. (I also messed up the branch with this change. Oh boy do I love Git!)
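A user-space model of what the PR description and rnk's outlining sketch discuss: the guard is stored in a frame slot in the prologue, compared by a shared helper in the epilogue, and, with the PR's change, zeroed before the function returns so the value is not left in dead stack memory. This is an added example, not LLVM code; the "stack" is a plain array, the guard value is constructed, and all function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define FRAME_WORDS 8
#define GUARD_SLOT  (FRAME_WORDS - 1)   /* slot just below the saved return address */

/* Constructed guard value standing in for __stack_chk_guard / the TLS canary. */
static const uint64_t stack_chk_guard = 0x2f3a8b9c1d4e5f60ULL;

typedef struct { uint64_t words[FRAME_WORDS]; } frame_t;

/* Prologue: store the guard into the frame's protector slot. */
static void prologue(frame_t *f) {
    memset(f->words, 0, sizeof f->words);
    f->words[GUARD_SLOT] = stack_chk_guard;
}

/* Outlined comparison in the shape rnk sketches: the cookie arrives in a
 * register argument and one shared routine does the compare. Returns 1 when
 * the frame was corrupted (a real __stack_chk_fail path would abort). */
static int stack_chk_compare(uint64_t cookie) {
    return cookie != stack_chk_guard;
}

/* Epilogue before the PR: check, then leave the slot as-is. */
static int epilogue_leave(frame_t *f) {
    return stack_chk_compare(f->words[GUARD_SLOT]);
}

/* Epilogue with the PR's change: load the cookie, zero the slot, then check,
 * so the guard value does not survive in dead stack memory after return. */
static int epilogue_clear(frame_t *f) {
    uint64_t cookie = f->words[GUARD_SLOT];
    f->words[GUARD_SLOT] = 0;          /* the extra store this PR would emit */
    return stack_chk_compare(cookie);
}

/* One simulated call. `corrupt` models an out-of-bounds write reaching the
 * slot; `clear` selects which epilogue runs. Returns 1 if the check fired. */
static int run_call(frame_t *f, int corrupt, int clear) {
    prologue(f);
    if (corrupt) f->words[GUARD_SLOT] ^= 0xffULL;
    return clear ? epilogue_clear(f) : epilogue_leave(f);
}

static int call_detects_corruption(int corrupt, int clear) {
    frame_t f;
    return run_call(&f, corrupt, clear);
}

/* After a clean call, is the guard still readable in the dead frame? Without
 * clearing it is, for any later callee that reads uninitialised stack. */
static int guard_left_in_frame(int clear) {
    frame_t f;
    run_call(&f, 0, clear);
    return f.words[GUARD_SLOT] == stack_chk_guard;
}
```

Both epilogues still catch a corrupted slot; only the clearing variant leaves nothing of the guard behind once the frame is dead.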