author | Martin Storsjö <martin@martin.st> | 2020-05-14 13:16:22 +0300 |
---|---|---|
committer | Martin Storsjö <martin@martin.st> | 2020-05-14 13:18:53 +0300 |
commit | b585f051c365bbada36bd066dd0a8a237fbf9dca (patch) | |
tree | 7caad11544dd4d488a140eeb0256d17b4a941f61 | |
parent | b878d75dc2e5915eedfb79c4721481ff28251523 (diff) |
checkasm: arm: Offset the location of the stack canary reference
If the maximum number of arguments (currently 15) is changed into
an even number, and a function actually takes the full number of
arguments, we would have the situation where the checked spot on
the stack is at the same place as we store an inverted copy of it.
We already allocate enough space for two values though (for stack
alignment purposes, 16 bytes on arm64 and 8 bytes on arm32) so by
storing the reference in the upper half of this, the lower half of
it works as canary and isn't overwritten.
-rw-r--r-- | tests/checkasm/arm/checkasm_32.S | 4 | ||||
-rw-r--r-- | tests/checkasm/arm/checkasm_64.S | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/tests/checkasm/arm/checkasm_32.S b/tests/checkasm/arm/checkasm_32.S
index 2d1c0ae..a186ef8 100644
--- a/tests/checkasm/arm/checkasm_32.S
+++ b/tests/checkasm/arm/checkasm_32.S
@@ -96,7 +96,7 @@ function checked_call_\variant, export=1
 @ e.g. overwriting everything with zero would be noticed.
 ldr r12, [sp, r12, lsl #2]
 mvn r12, r12
- str r12, [sp, #ARG_STACK_A - 8]
+ str r12, [sp, #ARG_STACK_A - 4]
 mov r12, r0
 mov r0, r2
@@ -108,7 +108,7 @@ function checked_call_\variant, export=1
 @ Load the number of stack parameters, stack canary and its reference
 ldr r12, [sp, #ARG_STACK_A + pushed + 8 + 4*(MAX_ARGS-4)]
 ldr r2, [sp, r12, lsl #2]
- ldr r3, [sp, #ARG_STACK_A - 8]
+ ldr r3, [sp, #ARG_STACK_A - 4]
 add sp, sp, #ARG_STACK_A
 push {r0, r1}
diff --git a/tests/checkasm/arm/checkasm_64.S b/tests/checkasm/arm/checkasm_64.S
index 44dc650..2574914 100644
--- a/tests/checkasm/arm/checkasm_64.S
+++ b/tests/checkasm/arm/checkasm_64.S
@@ -131,7 +131,7 @@ function checked_call, export=1
 // e.g. overwriting everything with zero would be noticed.
 ldr x2, [sp, x2, lsl #3]
 mvn x2, x2
- str x2, [sp, #ARG_STACK-16]
+ str x2, [sp, #ARG_STACK-8]
 // Load the in-register arguments
 mov x12, x0
@@ -145,7 +145,7 @@ function checked_call, export=1
 // Load the number of stack parameters, stack canary and its reference
 ldr w2, [x29, #16 + 8*8 + (MAX_ARGS-8)*8]
 ldr x2, [sp, x2, lsl #3]
- ldr x3, [sp, #ARG_STACK-16]
+ ldr x3, [sp, #ARG_STACK-8]
 add sp, sp, #ARG_STACK
 stp x0, x1, [sp, #-16]! |
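Review bot: The store in the first checkasm_32.S hunk and the load in the second both spell the reference slot as a bare `#ARG_STACK_A - 4` (likewise `#ARG_STACK-8` in the two checkasm_64.S hunks), with no comment saying why the upper half of the padding is the right place. That reasoning is only in the commit message, so a later edit to MAX_ARGS or to the ARG_STACK_A / ARG_STACK definitions (outside these hunks) could move the reference back onto the canary slot with nothing in the file flagging it, and the canary comparison would then stop being a reliable overwrite detector. I would add a comment at each store, e.g. `@ Reference goes in the upper word of the alignment padding; the lower word may be the canary slot when a function takes all MAX_ARGS arguments.` (with `//` in checkasm_64.S), and consider naming the offset once next to the stack-size define so the store and load cannot drift apart. The bodies of checked_call_\variant and checked_call start and end outside every hunk shown.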