diff mbox

mips64: fix clobbering s0 in setjmp() [BZ #22624]

Message ID 20171217100144.27689-1-slyich@gmail.com
State New
Headers show

Commit Message

Sergei Trofimovich Dec. 17, 2017, 10:01 a.m. UTC
From: Sergei Trofimovich <slyfox@gentoo.org>

When configured as --enable-stack-protector=all glibc
inserts stack checking canary into every function
including __sigsetjmp_aux(). Stack checking code
ends up using s0 register to temporary hold address
of global canary value.

Unfortunately __sigsetjmp_aux assumes no caller' caller-save
registers should be clobbered as it stores them as-is.

The fix is to disable stack protection of __sigsetjmp_aux.

Tested on the following test:

    #include <setjmp.h>
    #include <stdio.h>

    int main() {
        jmp_buf jb;
        volatile register long s0 asm ("$s0");
        s0 = 1234;
        if (setjmp(jb) == 0)
            longjmp(jb, 1);
        printf ("$s0 = %lu\n", s0);

Without the fix:
    $ qemu-mipsn32 -L . ./mips-longjmp-bug
    $s0 = 1082346228

With the fix:
    $ qemu-mipsn32 -L . ./mips-longjmp-bug
    $s0 = 1234

Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
 sysdeps/mips/mips64/setjmp_aux.c | 5 +++++
 1 file changed, 5 insertions(+)


Joseph Myers Dec. 18, 2017, 5:24 p.m. UTC | #1
Thanks, committed.
diff mbox


diff --git a/sysdeps/mips/mips64/setjmp_aux.c b/sysdeps/mips/mips64/setjmp_aux.c
index b43c36a7d5..43fffc74bf 100644
--- a/sysdeps/mips/mips64/setjmp_aux.c
+++ b/sysdeps/mips/mips64/setjmp_aux.c
@@ -24,7 +24,12 @@ 
    pointer.  We do things this way because it's difficult to reliably
    access them in C.  */
+/* Stack protection is disabled to avoid changing s0 (or any other
+   caller-save register) before storing it to environment.
+   See BZ #22624.  */
 __sigsetjmp_aux (jmp_buf env, int savemask, long long sp, long long fp,
 		 long long gp)