This is the mail archive of the libc-ports@sources.redhat.com mailing list for the libc-ports project.



[RFC] [PATCH] [Aarch64] : Stack guard support in glibc


Hi Maintainers,

Attached is an RFC patch that adds stack guard support in glibc for
AArch64, for review.

The TCB is 16 bytes in AArch64 and tp points to the dtvt. Before the
TCB, the pthread structure is placed. This patch places the stack
guard (SG) and pointer guard variable (PG) between the TCB and pthread
structures.

We can access the thread pointer using the "mrs" instruction; the compiler
will generate the following assembly to access the stack guard placed
before the TCB.

mrs x0, tpidr_el0        /* x0 = thread pointer (tp) */
ldr x1, [x0, #-8]        /* x1 = stack guard, 8 bytes below the TCB */


                             tp
                              |
  pthread                     v
 ------------------------------------
|           |  PG  |  SG  |  dtvt |   |
 ------------------------------------
                             TCB


I did a quick check by building eglibc and moving the built runtime
linker "ld-linux-aarch64.so.1" and libc "libc.so.2.17.90" to the V8
model running an open embedded image.

And ran the following test case using "ld-linux-aarch64.so.1 --library
./libc.so test.out 1", where libc.so points to the newly built one.

---test.c---
#include <string.h>
#include <stdio.h>

void test_stack_smashing(int corrupt)
{
    long stack_val, temp;

    char arr[5];
    char *ptr = arr;

    if (!corrupt)
    {
        strcpy(ptr, "abcd");
        printf("copied string is %s\n", ptr);
    }
    else
    {
        printf("overflowing the buffer and hitting the canary now\n");
        /* Deliberate overflow: 12 zero bytes into a 5-byte buffer
           run past the locals and over the saved canary. */
        memset(ptr, 0, 12);
        printf("Overwritten the buffer\n");

        /* Read the thread pointer and load the stack guard stored
           8 bytes below the TCB, the same load the compiler's
           prologue emits. */
        asm volatile("mrs %1, tpidr_el0\n\t"
                     "ldr %0, [%1, #-8]\n\t"
                     : "=r" (stack_val), "=&r" (temp));
        printf(" Canary value is %lx\n", stack_val);
    }
}

int main(int argc, char *argv[])
{
    if (argc < 2)
    {
        fprintf(stderr, "usage: %s <0|1>\n", argv[0]);
        return 1;
    }

    if (0 == strcmp(argv[1], "0"))
    {
        test_stack_smashing(0);
        printf("Passed Canary test\n");
    }
    else
    {
        test_stack_smashing(1);
        printf("Failed Canary test\n");
    }
    return 0;
}

And without patch I got:

(Snip)
overflowing the buffer and hitting the canary now
Overwritten the buffer
 Canary value is 0
Failed Canary test
(Snip)

The canary value is zero, and this happens without my change because I
believe there is already space between the TCB and pthread nodes due to
alignment enforcement.

With the patch:

(Snip)
overflowing the buffer and hitting the canary now
Overwritten the buffer
 Canary value is 9900cf00
*** stack smashing detected ***: ./a.out terminated
Aborted
(Snip)

I also checked the canary value, and it keeps changing from run to run.

regards,
Venkat.

Attachment: glibc.tls.stack.guard.aarch64.diff
Description: Binary data
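The following C model is an added illustration, not part of Venkat's mail or the attached patch. It reproduces the layout in the diagram (PG at tp-16, SG at tp-8, TCB at tp) and the guard load and compare that a -fstack-protector frame performs, and shows why the 12-byte zero-filling memset in test.c goes unnoticed when the guard slot reads as zero but is caught once a real guard is there. The struct and function names are placeholders, not glibc's own types.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the layout in the mail (pthread | PG | SG | TCB, tp -> dtvt);
   field names are placeholders, not glibc's own types. */
struct tls_block {
    unsigned char pthread[64];   /* stand-in for struct pthread */
    uintptr_t pointer_guard;     /* PG, at tp - 16 */
    uintptr_t stack_guard;       /* SG, at tp - 8 */
    void *tcb[2];                /* the 16-byte TCB; tp points at tcb[0], the dtvt */
};

/* Models "mrs x0, tpidr_el0": the thread pointer for this block. */
static void *model_tp(struct tls_block *b) { return b->tcb; }

/* Models "ldr x1, [x0, #-8]": the guard load a -fstack-protector prologue emits. */
static uintptr_t load_stack_guard(const void *tp) {
    uintptr_t g;
    memcpy(&g, (const unsigned char *)tp - 8, sizeof g);
    return g;
}

/* Models test_stack_smashing's protected frame: 8 bytes of locals, then the saved
   canary.  overflow_len zero bytes (clamped to the frame) stand in for
   memset(ptr, 0, 12).  Returns 1 if the epilogue compare would abort, else 0. */
static int run_protected_frame(const void *tp, size_t overflow_len) {
    unsigned char frame[16];
    uintptr_t canary = load_stack_guard(tp), saved;
    memcpy(frame + 8, &canary, sizeof canary);     /* prologue: stash guard */
    if (overflow_len > sizeof frame) overflow_len = sizeof frame;
    memset(frame, 0, overflow_len);                /* the overflow */
    memcpy(&saved, frame + 8, sizeof saved);
    return saved != load_stack_guard(tp);          /* epilogue: compare */
}

/* Put `guard` in the slot below the TCB and run the frame once. */
int overflow_detected(uintptr_t guard, size_t overflow_len) {
    struct tls_block b;
    memset(&b, 0, sizeof b);
    b.stack_guard = guard;
    return run_protected_frame(model_tp(&b), overflow_len);
}

int main(void) {
    /* A zero guard cannot tell a zero-filled canary from an intact one. */
    printf("guard 0: detected=%d\n", overflow_detected(0, 12));
    printf("guard 9900cf00: detected=%d\n", overflow_detected(0x9900cf00u, 12));
    return 0;
}
```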

