Message ID | 20211218121941.7295-1-soeren@soeren-tempel.net |
---|---|
State | New |
Series | [v2] Disable -fsplit-stack support on non-glibc targets |
Commit Message
Li, Pan2 via Gcc-patches
Dec. 18, 2021, 12:19 p.m. UTC
From: Sören Tempel <soeren@soeren-tempel.net>

The -fsplit-stack option requires the pthread_t TCB definition in the libc to provide certain struct fields at specific hardcoded offsets. As far as I know, only glibc provides these fields at the required offsets. Most notably, musl libc does not have these fields. However, since gcc accesses the fields using a fixed offset, this does not cause a compile-time error, but instead results in a silent memory corruption at run-time with musl libc. For example, on s390x libgcc's __stack_split_initialize CTOR will overwrite the cancel field in the pthread_t TCB on musl.

The -fsplit-stack option is used within the gcc code base itself by gcc-go (if available). On musl-based systems with split-stack support (i.e. s390x or x86) this causes Go programs compiled with gcc-go to misbehave at run-time.

This patch fixes gcc-go on musl by disabling -fsplit-stack in gcc itself since it is not supported on non-glibc targets anyhow. This is achieved by checking if gcc targets a glibc-based system. This check has been added for x86 and s390x, the rs6000 config already checks for TARGET_GLIBC_MAJOR. Other architectures do not have split-stack support. With this patch applied, the gcc-go configure script will detect that -fsplit-stack support is not available and will not use it.

See https://www.openwall.com/lists/musl/2012/10/16/12

This patch was written under the assumption that glibc is the only libc implementation which supports the required fields at the required offsets in the pthread_t TCB. The patch has been tested on Alpine Linux Edge on the s390x and x86 architectures by bootstrapping Google's Go implementation with gcc-go.

Signed-off-by: Sören Tempel <soeren@soeren-tempel.net>

gcc/ChangeLog:

	* common/config/s390/s390-common.c (s390_supports_split_stack): Only support split-stack on glibc targets.
	* config/i386/gnu-user-common.h (STACK_CHECK_STATIC_BUILTIN): Ditto.
	* config/i386/gnu.h (defined): Ditto.
---
This version of the patch addresses feedback by Andrew Pinski and uses OPTION_GLIBC as well as opts->x_linux_libc == LIBC_GLIBC to detect glibc targets (instead of relying on TARGET_GLIBC_MAJOR).

 gcc/common/config/s390/s390-common.c | 11 +++++++++--
 gcc/config/i386/gnu-user-common.h    |  5 +++--
 gcc/config/i386/gnu.h                |  6 +++++-
 3 files changed, 17 insertions(+), 5 deletions(-)
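The failure mode the commit message describes (a store at a hardcoded TCB offset that lands on a different field under another libc), as an added example that is not part of the patch or of GCC, libgcc, glibc or musl. Both struct layouts, the offset 16 and every function name are constructed for illustration and do not reproduce any real pthread_t definition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed value: stands in for the offset the compiler hardcodes. */
#define SPLIT_STACK_SLOT_OFFSET 16

enum libc_kind { LIBC_RESERVING, LIBC_OTHER };

/* Hypothetical TCB of the libc the offset was chosen for: it reserves
   a slot for the split-stack runtime at the agreed offset.  */
struct tcb_reserving
{
  uint64_t self;
  uint64_t dtv;
  uint64_t split_stack_limit;	/* offset 16, owned by the runtime */
  uint64_t cancel;
};

/* Hypothetical TCB of a different libc: offset 16 holds live state.  */
struct tcb_other
{
  uint64_t self;
  uint64_t dtv;
  uint64_t cancel;		/* offset 16, owned by the libc */
  uint64_t canary;
};

/* The contract can only be checked against a layout that is visible.  */
_Static_assert (offsetof (struct tcb_reserving, split_stack_limit)
		== SPLIT_STACK_SLOT_OFFSET, "reserved slot moved");

/* What a fixed-offset runtime does: no type and no field name, so
   nothing fails at compile time when the layout underneath differs.  */
static void
init_fixed_offset (void *thread_pointer, uint64_t limit)
{
  memcpy ((unsigned char *) thread_pointer + SPLIT_STACK_SLOT_OFFSET,
	  &limit, sizeof limit);
}

/* Returns 1 if the other libc's cancel field was silently overwritten.  */
int
other_libc_cancel_clobbered (void)
{
  struct tcb_other tcb = { .cancel = 0, .canary = UINT64_C (0x1122334455667788) };
  init_fixed_offset (&tcb, UINT64_C (0x7ffd0000));
  return tcb.cancel != 0;
}

/* Returns 1 if, on the reserving layout, only the reserved slot changed.  */
int
reserving_libc_intact (void)
{
  struct tcb_reserving tcb = { .cancel = 0 };
  init_fixed_offset (&tcb, UINT64_C (0x7ffd0000));
  return tcb.cancel == 0 && tcb.split_stack_limit == UINT64_C (0x7ffd0000);
}

/* Mitigation in the spirit of the patch: refuse the feature unless the
   target libc is the one known to reserve the slot.  */
int
supports_split_stack (enum libc_kind libc)
{
  return libc == LIBC_RESERVING;
}

/* Guarded init: returns 0 and leaves the TCB untouched when unsupported.  */
int
init_guarded (enum libc_kind libc, void *thread_pointer, uint64_t limit)
{
  if (!supports_split_stack (libc))
    return 0;
  init_fixed_offset (thread_pointer, limit);
  return 1;
}

/* Returns 1 if the guard kept the other libc's TCB unmodified.  */
int
other_libc_safe_when_guarded (void)
{
  struct tcb_other tcb = { .cancel = 0 };
  int enabled = init_guarded (LIBC_OTHER, &tcb, UINT64_C (0x7ffd0000));
  return !enabled && tcb.cancel == 0;
}

int
main (void)
{
  printf ("unguarded, other libc: cancel clobbered = %d\n",
	  other_libc_cancel_clobbered ());
  printf ("unguarded, reserving libc: intact = %d\n",
	  reserving_libc_intact ());
  printf ("guarded, other libc: safe = %d\n",
	  other_libc_safe_when_guarded ());
  return 0;
}
```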
Comments
Ping. Summary: Patch disable -fstack-split on non-glibc targets to prevent corruptions of the TCB on libcs which do not support the required fields in pthread_t. This is an important fix for having gccgo work on musl by default. See: https://gcc.gnu.org/pipermail/gcc-patches/2021-December/587142.html If the patch needs to be revised further please let me know. Greetings, Sören Sören Tempel <soeren@soeren-tempel.net> wrote: > The -fsplit-stack option requires the pthread_t TCB definition in the > libc to provide certain struct fields at specific hardcoded offsets. As > far as I know, only glibc provides these fields at the required offsets. > Most notably, musl libc does not have these fields. However, since gcc > accesses the fields using a fixed offset, this does not cause a > compile-time error, but instead results in a silent memory corruption at > run-time with musl libc. For example, on s390x libgcc's > __stack_split_initialize CTOR will overwrite the cancel field in the > pthread_t TCB on musl. > > The -fsplit-stack option is used within the gcc code base itself by > gcc-go (if available). On musl-based systems with split-stack support > (i.e. s390x or x86) this causes Go programs compiled with gcc-go to > misbehave at run-time. > > This patch fixes gcc-go on musl by disabling -fsplit-stack in gcc itself > since it is not supported on non-glibc targets anyhow. This is achieved > by checking if gcc targets a glibc-based system. This check has been > added for x86 and s390x, the rs6000 config already checks for > TARGET_GLIBC_MAJOR. Other architectures do not have split-stack > support. With this patch applied, the gcc-go configure script will > detect that -fsplit-stack support is not available and will not use it. > > See https://www.openwall.com/lists/musl/2012/10/16/12 > > This patch was written under the assumption that glibc is the only libc > implementation which supports the required fields at the required > offsets in the pthread_t TCB. 
The patch has been tested on Alpine Linux > Edge on the s390x and x86 architectures by bootstrapping Google's Go > implementation with gcc-go. > > Signed-off-by: Sören Tempel <soeren@soeren-tempel.net> > > gcc/ChangeLog: > > * common/config/s390/s390-common.c (s390_supports_split_stack): > Only support split-stack on glibc targets. > * config/i386/gnu-user-common.h (STACK_CHECK_STATIC_BUILTIN): Ditto. > * config/i386/gnu.h (defined): Ditto. > --- > This version of the patch addresses feedback by Andrew Pinski and uses > OPTION_GLIBC as well as opts->x_linux_libc == LIBC_GLIBC to detect glibc > targets (instead of relying on TARGET_GLIBC_MAJOR). > > gcc/common/config/s390/s390-common.c | 11 +++++++++-- > gcc/config/i386/gnu-user-common.h | 5 +++-- > gcc/config/i386/gnu.h | 6 +++++- > 3 files changed, 17 insertions(+), 5 deletions(-) > > diff --git a/gcc/common/config/s390/s390-common.c b/gcc/common/config/s390/s390-common.c > index b6bc8501742..fc86e0bc5e7 100644 > --- a/gcc/common/config/s390/s390-common.c > +++ b/gcc/common/config/s390/s390-common.c > @@ -116,13 +116,20 @@ s390_handle_option (struct gcc_options *opts ATTRIBUTE_UNUSED, > > /* -fsplit-stack uses a field in the TCB, available with glibc-2.23. > We don't verify it, since earlier versions just have padding at > - its place, which works just as well. */ > + its place, which works just as well. For other libc implementations > + we disable the feature entirely to avoid corrupting the TCB. */ > > static bool > s390_supports_split_stack (bool report ATTRIBUTE_UNUSED, > struct gcc_options *opts ATTRIBUTE_UNUSED) > { > - return true; > + if (opts->x_linux_libc == LIBC_GLIBC) { > + return true; > + } else { > + if (report) > + error("%<-fsplit-stack%> currently only supported on GNU/Linux"); > + return false; > + } > } > > #undef TARGET_DEFAULT_TARGET_FLAGS > diff --git a/gcc/config/i386/gnu-user-common.h b/gcc/config/i386/gnu-user-common.h > index 00226f5a455..6e13315b5a3 100644 
> --- a/gcc/config/i386/gnu-user-common.h > +++ b/gcc/config/i386/gnu-user-common.h > @@ -66,7 +66,8 @@ along with GCC; see the file COPYING3. If not see > #define STACK_CHECK_STATIC_BUILTIN 1 > > /* We only build the -fsplit-stack support in libgcc if the > - assembler has full support for the CFI directives. */ > -#if HAVE_GAS_CFI_PERSONALITY_DIRECTIVE > + assembler has full support for the CFI directives and > + targets glibc. */ > +#if HAVE_GAS_CFI_PERSONALITY_DIRECTIVE && OPTION_GLIBC > #define TARGET_CAN_SPLIT_STACK > #endif > diff --git a/gcc/config/i386/gnu.h b/gcc/config/i386/gnu.h > index 25fbc07f58c..adfe817201e 100644 > --- a/gcc/config/i386/gnu.h > +++ b/gcc/config/i386/gnu.h > @@ -35,7 +35,11 @@ along with GCC. If not, see <http://www.gnu.org/licenses/>. > crti.o%s %{static:crtbeginT.o%s;shared|pie:crtbeginS.o%s;:crtbegin.o%s}" > #endif > > -#ifdef TARGET_LIBC_PROVIDES_SSP > +/* -fsplit-stack uses a field in the TCB at a fixed offset. This > + field is only available for glibc. Disable -fsplit-stack for > + other libc implementation to avoid silent TCB corruptions. */ > + > +#if defined (TARGET_LIBC_PROVIDES_SSP) && OPTION_GLIBC > > /* i386 glibc provides __stack_chk_guard in %gs:0x14. */ > #define TARGET_THREAD_SSP_OFFSET 0x14
cc:ing the x86 and s390 maintainers soeren--- via Gcc-patches <gcc-patches@gcc.gnu.org> writes: > From: Sören Tempel <soeren@soeren-tempel.net> > > The -fsplit-stack option requires the pthread_t TCB definition in the > libc to provide certain struct fields at specific hardcoded offsets. As > far as I know, only glibc provides these fields at the required offsets. > Most notably, musl libc does not have these fields. However, since gcc > accesses the fields using a fixed offset, this does not cause a > compile-time error, but instead results in a silent memory corruption at > run-time with musl libc. For example, on s390x libgcc's > __stack_split_initialize CTOR will overwrite the cancel field in the > pthread_t TCB on musl. > > The -fsplit-stack option is used within the gcc code base itself by > gcc-go (if available). On musl-based systems with split-stack support > (i.e. s390x or x86) this causes Go programs compiled with gcc-go to > misbehave at run-time. > > This patch fixes gcc-go on musl by disabling -fsplit-stack in gcc itself > since it is not supported on non-glibc targets anyhow. This is achieved > by checking if gcc targets a glibc-based system. This check has been > added for x86 and s390x, the rs6000 config already checks for > TARGET_GLIBC_MAJOR. Other architectures do not have split-stack > support. With this patch applied, the gcc-go configure script will > detect that -fsplit-stack support is not available and will not use it. > > See https://www.openwall.com/lists/musl/2012/10/16/12 > > This patch was written under the assumption that glibc is the only libc > implementation which supports the required fields at the required > offsets in the pthread_t TCB. The patch has been tested on Alpine Linux > Edge on the s390x and x86 architectures by bootstrapping Google's Go > implementation with gcc-go. 
> > Signed-off-by: Sören Tempel <soeren@soeren-tempel.net> > > gcc/ChangeLog: > > * common/config/s390/s390-common.c (s390_supports_split_stack): > Only support split-stack on glibc targets. > * config/i386/gnu-user-common.h (STACK_CHECK_STATIC_BUILTIN): Ditto. > * config/i386/gnu.h (defined): Ditto. > --- > This version of the patch addresses feedback by Andrew Pinski and uses > OPTION_GLIBC as well as opts->x_linux_libc == LIBC_GLIBC to detect glibc > targets (instead of relying on TARGET_GLIBC_MAJOR). > > gcc/common/config/s390/s390-common.c | 11 +++++++++-- > gcc/config/i386/gnu-user-common.h | 5 +++-- > gcc/config/i386/gnu.h | 6 +++++- > 3 files changed, 17 insertions(+), 5 deletions(-) Sorry for the slow review. The patch LGTM bar some minor formatting nits below, but target maintainers should have the final say. > diff --git a/gcc/common/config/s390/s390-common.c b/gcc/common/config/s390/s390-common.c > index b6bc8501742..fc86e0bc5e7 100644 > --- a/gcc/common/config/s390/s390-common.c > +++ b/gcc/common/config/s390/s390-common.c 
> @@ -116,13 +116,20 @@ s390_handle_option (struct gcc_options *opts ATTRIBUTE_UNUSED, > > /* -fsplit-stack uses a field in the TCB, available with glibc-2.23. > We don't verify it, since earlier versions just have padding at > - its place, which works just as well. */ > + its place, which works just as well. For other libc implementations GCC style is to use 2 spaces after a full stop. Same for the x86 part. > + we disable the feature entirely to avoid corrupting the TCB. */ > > static bool > s390_supports_split_stack (bool report ATTRIBUTE_UNUSED, > struct gcc_options *opts ATTRIBUTE_UNUSED) These parameters are no longer unused after the patch, so it'd be good to remove the attributes. > { > - return true; > + if (opts->x_linux_libc == LIBC_GLIBC) { > + return true; > + } else { > + if (report) > + error("%<-fsplit-stack%> currently only supported on GNU/Linux"); > + return false; > + } Normal GCC formatting would be something like: if (opts->x_linux_libc == LIBC_GLIBC) return true; if (report) error ("%<-fsplit-stack%> currently only supported on GNU/Linux"); return false; Sorry for the fussy rules. Thanks, Richard > } > > #undef TARGET_DEFAULT_TARGET_FLAGS > diff --git a/gcc/config/i386/gnu-user-common.h b/gcc/config/i386/gnu-user-common.h > index 00226f5a455..6e13315b5a3 100644 > --- a/gcc/config/i386/gnu-user-common.h > +++ b/gcc/config/i386/gnu-user-common.h > @@ -66,7 +66,8 @@ along with GCC; see the file COPYING3. If not see > #define STACK_CHECK_STATIC_BUILTIN 1 > > /* We only build the -fsplit-stack support in libgcc if the > - assembler has full support for the CFI directives. */ > -#if HAVE_GAS_CFI_PERSONALITY_DIRECTIVE > + assembler has full support for the CFI directives and > + targets glibc. */ > +#if HAVE_GAS_CFI_PERSONALITY_DIRECTIVE && OPTION_GLIBC > #define TARGET_CAN_SPLIT_STACK > #endif > diff --git a/gcc/config/i386/gnu.h b/gcc/config/i386/gnu.h > index 25fbc07f58c..adfe817201e 100644 > --- a/gcc/config/i386/gnu.h 
> +++ b/gcc/config/i386/gnu.h > @@ -35,7 +35,11 @@ along with GCC. If not, see <http://www.gnu.org/licenses/>. > crti.o%s %{static:crtbeginT.o%s;shared|pie:crtbeginS.o%s;:crtbegin.o%s}" > #endif > > -#ifdef TARGET_LIBC_PROVIDES_SSP > +/* -fsplit-stack uses a field in the TCB at a fixed offset. This > + field is only available for glibc. Disable -fsplit-stack for > + other libc implementation to avoid silent TCB corruptions. */ > + > +#if defined (TARGET_LIBC_PROVIDES_SSP) && OPTION_GLIBC > > /* i386 glibc provides __stack_chk_guard in %gs:0x14. */ > #define TARGET_THREAD_SSP_OFFSET 0x14
On 1/20/22 23:52, Richard Sandiford wrote: > cc:ing the x86 and s390 maintainers > > soeren--- via Gcc-patches <gcc-patches@gcc.gnu.org> writes: >> From: Sören Tempel <soeren@soeren-tempel.net> >> >> The -fsplit-stack option requires the pthread_t TCB definition in the >> libc to provide certain struct fields at specific hardcoded offsets. As >> far as I know, only glibc provides these fields at the required offsets. >> Most notably, musl libc does not have these fields. However, since gcc >> accesses the fields using a fixed offset, this does not cause a >> compile-time error, but instead results in a silent memory corruption at >> run-time with musl libc. For example, on s390x libgcc's >> __stack_split_initialize CTOR will overwrite the cancel field in the >> pthread_t TCB on musl. >> >> The -fsplit-stack option is used within the gcc code base itself by >> gcc-go (if available). On musl-based systems with split-stack support >> (i.e. s390x or x86) this causes Go programs compiled with gcc-go to >> misbehave at run-time. >> >> This patch fixes gcc-go on musl by disabling -fsplit-stack in gcc itself >> since it is not supported on non-glibc targets anyhow. This is achieved >> by checking if gcc targets a glibc-based system. This check has been >> added for x86 and s390x, the rs6000 config already checks for >> TARGET_GLIBC_MAJOR. Other architectures do not have split-stack >> support. With this patch applied, the gcc-go configure script will >> detect that -fsplit-stack support is not available and will not use it. >> >> See https://www.openwall.com/lists/musl/2012/10/16/12 >> >> This patch was written under the assumption that glibc is the only libc >> implementation which supports the required fields at the required >> offsets in the pthread_t TCB. The patch has been tested on Alpine Linux >> Edge on the s390x and x86 architectures by bootstrapping Google's Go >> implementation with gcc-go. 
>> >> Signed-off-by: Sören Tempel <soeren@soeren-tempel.net> >> >> gcc/ChangeLog: >> >> * common/config/s390/s390-common.c (s390_supports_split_stack): >> Only support split-stack on glibc targets. >> * config/i386/gnu-user-common.h (STACK_CHECK_STATIC_BUILTIN): Ditto. >> * config/i386/gnu.h (defined): Ditto. s390 parts are ok. Thanks! Andreas >> --- >> This version of the patch addresses feedback by Andrew Pinski and uses >> OPTION_GLIBC as well as opts->x_linux_libc == LIBC_GLIBC to detect glibc >> targets (instead of relying on TARGET_GLIBC_MAJOR). >> >> gcc/common/config/s390/s390-common.c | 11 +++++++++-- >> gcc/config/i386/gnu-user-common.h | 5 +++-- >> gcc/config/i386/gnu.h | 6 +++++- >> 3 files changed, 17 insertions(+), 5 deletions(-) > > Sorry for the slow review. The patch LGTM bar some minor formatting > nits below, but target maintainers should have the final say. > >> diff --git a/gcc/common/config/s390/s390-common.c b/gcc/common/config/s390/s390-common.c >> index b6bc8501742..fc86e0bc5e7 100644 >> --- a/gcc/common/config/s390/s390-common.c >> +++ b/gcc/common/config/s390/s390-common.c 
>> @@ -116,13 +116,20 @@ s390_handle_option (struct gcc_options *opts ATTRIBUTE_UNUSED, >> >> /* -fsplit-stack uses a field in the TCB, available with glibc-2.23. >> We don't verify it, since earlier versions just have padding at >> - its place, which works just as well. */ >> + its place, which works just as well. For other libc implementations > > GCC style is to use 2 spaces after a full stop. Same for the x86 part. > >> + we disable the feature entirely to avoid corrupting the TCB. */ >> >> static bool >> s390_supports_split_stack (bool report ATTRIBUTE_UNUSED, >> struct gcc_options *opts ATTRIBUTE_UNUSED) > > These parameters are no longer unused after the patch, so it'd be good > to remove the attributes. > >> { >> - return true; >> + if (opts->x_linux_libc == LIBC_GLIBC) { >> + return true; >> + } else { >> + if (report) >> + error("%<-fsplit-stack%> currently only supported on GNU/Linux"); >> + return false; >> + } > > Normal GCC formatting would be something like: > > if (opts->x_linux_libc == LIBC_GLIBC) > return true; > > if (report) > error ("%<-fsplit-stack%> currently only supported on GNU/Linux"); > return false; > > Sorry for the fussy rules. > > Thanks, > Richard > >> } >> >> #undef TARGET_DEFAULT_TARGET_FLAGS >> diff --git a/gcc/config/i386/gnu-user-common.h b/gcc/config/i386/gnu-user-common.h >> index 00226f5a455..6e13315b5a3 100644 >> --- a/gcc/config/i386/gnu-user-common.h >> +++ b/gcc/config/i386/gnu-user-common.h >> @@ -66,7 +66,8 @@ along with GCC; see the file COPYING3. If not see >> #define STACK_CHECK_STATIC_BUILTIN 1 >> >> /* We only build the -fsplit-stack support in libgcc if the >> - assembler has full support for the CFI directives. */ >> -#if HAVE_GAS_CFI_PERSONALITY_DIRECTIVE >> + assembler has full support for the CFI directives and >> + targets glibc. */ >> +#if HAVE_GAS_CFI_PERSONALITY_DIRECTIVE && OPTION_GLIBC >> #define TARGET_CAN_SPLIT_STACK >> #endif 
>> diff --git a/gcc/config/i386/gnu.h b/gcc/config/i386/gnu.h >> index 25fbc07f58c..adfe817201e 100644 >> --- a/gcc/config/i386/gnu.h >> +++ b/gcc/config/i386/gnu.h >> @@ -35,7 +35,11 @@ along with GCC. If not, see <http://www.gnu.org/licenses/>. >> crti.o%s %{static:crtbeginT.o%s;shared|pie:crtbeginS.o%s;:crtbegin.o%s}" >> #endif >> >> -#ifdef TARGET_LIBC_PROVIDES_SSP >> +/* -fsplit-stack uses a field in the TCB at a fixed offset. This >> + field is only available for glibc. Disable -fsplit-stack for >> + other libc implementation to avoid silent TCB corruptions. */ >> + >> +#if defined (TARGET_LIBC_PROVIDES_SSP) && OPTION_GLIBC >> >> /* i386 glibc provides __stack_chk_guard in %gs:0x14. */ >> #define TARGET_THREAD_SSP_OFFSET 0x14
On Thu, Jan 20, 2022 at 11:52 PM Richard Sandiford <richard.sandiford@arm.com> wrote: > > cc:ing the x86 and s390 maintainers > > soeren--- via Gcc-patches <gcc-patches@gcc.gnu.org> writes: 
> > From: Sören Tempel <soeren@soeren-tempel.net> > > > > The -fsplit-stack option requires the pthread_t TCB definition in the > > libc to provide certain struct fields at specific hardcoded offsets. As > > far as I know, only glibc provides these fields at the required offsets. > > Most notably, musl libc does not have these fields. However, since gcc > > accesses the fields using a fixed offset, this does not cause a > > compile-time error, but instead results in a silent memory corruption at > > run-time with musl libc. For example, on s390x libgcc's > > __stack_split_initialize CTOR will overwrite the cancel field in the > > pthread_t TCB on musl. > > > > The -fsplit-stack option is used within the gcc code base itself by > > gcc-go (if available). On musl-based systems with split-stack support > > (i.e. s390x or x86) this causes Go programs compiled with gcc-go to > > misbehave at run-time. > > > > This patch fixes gcc-go on musl by disabling -fsplit-stack in gcc itself > > since it is not supported on non-glibc targets anyhow. This is achieved > > by checking if gcc targets a glibc-based system. This check has been > > added for x86 and s390x, the rs6000 config already checks for > > TARGET_GLIBC_MAJOR. Other architectures do not have split-stack > > support. With this patch applied, the gcc-go configure script will > > detect that -fsplit-stack support is not available and will not use it. > > > > See https://www.openwall.com/lists/musl/2012/10/16/12 > > > > This patch was written under the assumption that glibc is the only libc > > implementation which supports the required fields at the required > > offsets in the pthread_t TCB. The patch has been tested on Alpine Linux > > Edge on the s390x and x86 architectures by bootstrapping Google's Go > > implementation with gcc-go. 
> > > > Signed-off-by: Sören Tempel <soeren@soeren-tempel.net> > > > > gcc/ChangeLog: > > > > * common/config/s390/s390-common.c (s390_supports_split_stack): > > Only support split-stack on glibc targets. > > * config/i386/gnu-user-common.h (STACK_CHECK_STATIC_BUILTIN): Ditto. > > * config/i386/gnu.h (defined): Ditto. LGTM for x86 parts. Thanks, Uros. > > --- > > This version of the patch addresses feedback by Andrew Pinski and uses > > OPTION_GLIBC as well as opts->x_linux_libc == LIBC_GLIBC to detect glibc > > targets (instead of relying on TARGET_GLIBC_MAJOR). > > > > gcc/common/config/s390/s390-common.c | 11 +++++++++-- > > gcc/config/i386/gnu-user-common.h | 5 +++-- > > gcc/config/i386/gnu.h | 6 +++++- > > 3 files changed, 17 insertions(+), 5 deletions(-) > > Sorry for the slow review. The patch LGTM bar some minor formatting > nits below, but target maintainers should have the final say. > > > diff --git a/gcc/common/config/s390/s390-common.c b/gcc/common/config/s390/s390-common.c > > index b6bc8501742..fc86e0bc5e7 100644 > > --- a/gcc/common/config/s390/s390-common.c > > +++ b/gcc/common/config/s390/s390-common.c 
> > @@ -116,13 +116,20 @@ s390_handle_option (struct gcc_options *opts ATTRIBUTE_UNUSED, > > > > /* -fsplit-stack uses a field in the TCB, available with glibc-2.23. > > We don't verify it, since earlier versions just have padding at > > - its place, which works just as well. */ > > + its place, which works just as well. For other libc implementations > > GCC style is to use 2 spaces after a full stop. Same for the x86 part. > > > + we disable the feature entirely to avoid corrupting the TCB. */ > > > > static bool > > s390_supports_split_stack (bool report ATTRIBUTE_UNUSED, > > struct gcc_options *opts ATTRIBUTE_UNUSED) > > These parameters are no longer unused after the patch, so it'd be good > to remove the attributes. > > > { > > - return true; > > + if (opts->x_linux_libc == LIBC_GLIBC) { > > + return true; > > + } else { > > + if (report) > > + error("%<-fsplit-stack%> currently only supported on GNU/Linux"); > > + return false; > > + } > > Normal GCC formatting would be something like: > > if (opts->x_linux_libc == LIBC_GLIBC) > return true; > > if (report) > error ("%<-fsplit-stack%> currently only supported on GNU/Linux"); > return false; > > Sorry for the fussy rules. > > Thanks, > Richard > > > } > > > > #undef TARGET_DEFAULT_TARGET_FLAGS > > diff --git a/gcc/config/i386/gnu-user-common.h b/gcc/config/i386/gnu-user-common.h > > index 00226f5a455..6e13315b5a3 100644 > > --- a/gcc/config/i386/gnu-user-common.h > > +++ b/gcc/config/i386/gnu-user-common.h > > @@ -66,7 +66,8 @@ along with GCC; see the file COPYING3. If not see > > #define STACK_CHECK_STATIC_BUILTIN 1 > > > > /* We only build the -fsplit-stack support in libgcc if the > > - assembler has full support for the CFI directives. */ > > -#if HAVE_GAS_CFI_PERSONALITY_DIRECTIVE > > + assembler has full support for the CFI directives and > > + targets glibc. */ > > +#if HAVE_GAS_CFI_PERSONALITY_DIRECTIVE && OPTION_GLIBC > > #define TARGET_CAN_SPLIT_STACK > > #endif 
> > diff --git a/gcc/config/i386/gnu.h b/gcc/config/i386/gnu.h > > index 25fbc07f58c..adfe817201e 100644 > > --- a/gcc/config/i386/gnu.h > > +++ b/gcc/config/i386/gnu.h > > @@ -35,7 +35,11 @@ along with GCC. If not, see <http://www.gnu.org/licenses/>. > > crti.o%s %{static:crtbeginT.o%s;shared|pie:crtbeginS.o%s;:crtbegin.o%s}" > > #endif > > > > -#ifdef TARGET_LIBC_PROVIDES_SSP > > +/* -fsplit-stack uses a field in the TCB at a fixed offset. This > > + field is only available for glibc. Disable -fsplit-stack for > > + other libc implementation to avoid silent TCB corruptions. */ > > + > > +#if defined (TARGET_LIBC_PROVIDES_SSP) && OPTION_GLIBC > > > > /* i386 glibc provides __stack_chk_guard in %gs:0x14. */ > > #define TARGET_THREAD_SSP_OFFSET 0x14
On Sat, Dec 18, 2021 at 4:20 AM soeren--- via Gcc-patches <gcc-patches@gcc.gnu.org> wrote: > > From: Sören Tempel <soeren@soeren-tempel.net> > > The -fsplit-stack option requires the pthread_t TCB definition in the > libc to provide certain struct fields at specific hardcoded offsets. As > far as I know, only glibc provides these fields at the required offsets. > Most notably, musl libc does not have these fields. However, since gcc > accesses the fields using a fixed offset, this does not cause a > compile-time error, but instead results in a silent memory corruption at > run-time with musl libc. For example, on s390x libgcc's > __stack_split_initialize CTOR will overwrite the cancel field in the > pthread_t TCB on musl. > > The -fsplit-stack option is used within the gcc code base itself by > gcc-go (if available). On musl-based systems with split-stack support > (i.e. s390x or x86) this causes Go programs compiled with gcc-go to > misbehave at run-time. > > This patch fixes gcc-go on musl by disabling -fsplit-stack in gcc itself > since it is not supported on non-glibc targets anyhow. This is achieved > by checking if gcc targets a glibc-based system. This check has been > added for x86 and s390x, the rs6000 config already checks for > TARGET_GLIBC_MAJOR. Other architectures do not have split-stack > support. With this patch applied, the gcc-go configure script will > detect that -fsplit-stack support is not available and will not use it. > > See https://www.openwall.com/lists/musl/2012/10/16/12 > > This patch was written under the assumption that glibc is the only libc > implementation which supports the required fields at the required > offsets in the pthread_t TCB. The patch has been tested on Alpine Linux > Edge on the s390x and x86 architectures by bootstrapping Google's Go > implementation with gcc-go. 
> > Signed-off-by: Sören Tempel <soeren@soeren-tempel.net> > > gcc/ChangeLog: > > * common/config/s390/s390-common.c (s390_supports_split_stack): > Only support split-stack on glibc targets. > * config/i386/gnu-user-common.h (STACK_CHECK_STATIC_BUILTIN): Ditto. > * config/i386/gnu.h (defined): Ditto. > --- > This version of the patch addresses feedback by Andrew Pinski and uses > OPTION_GLIBC as well as opts->x_linux_libc == LIBC_GLIBC to detect glibc > targets (instead of relying on TARGET_GLIBC_MAJOR). > > gcc/common/config/s390/s390-common.c | 11 +++++++++-- > gcc/config/i386/gnu-user-common.h | 5 +++-- > gcc/config/i386/gnu.h | 6 +++++- > 3 files changed, 17 insertions(+), 5 deletions(-) > > diff --git a/gcc/common/config/s390/s390-common.c b/gcc/common/config/s390/s390-common.c > index b6bc8501742..fc86e0bc5e7 100644 > --- a/gcc/common/config/s390/s390-common.c > +++ b/gcc/common/config/s390/s390-common.c > @@ -116,13 +116,20 @@ s390_handle_option (struct gcc_options *opts ATTRIBUTE_UNUSED, > > /* -fsplit-stack uses a field in the TCB, available with glibc-2.23. > We don't verify it, since earlier versions just have padding at > - its place, which works just as well. */ > + its place, which works just as well. For other libc implementations > + we disable the feature entirely to avoid corrupting the TCB. */ > > static bool > s390_supports_split_stack (bool report ATTRIBUTE_UNUSED, > struct gcc_options *opts ATTRIBUTE_UNUSED) > { > - return true; > + if (opts->x_linux_libc == LIBC_GLIBC) { > + return true; > + } else { > + if (report) > + error("%<-fsplit-stack%> currently only supported on GNU/Linux"); > + return false; > + } > } > > #undef TARGET_DEFAULT_TARGET_FLAGS > diff --git a/gcc/config/i386/gnu-user-common.h b/gcc/config/i386/gnu-user-common.h > index 00226f5a455..6e13315b5a3 100644 > --- a/gcc/config/i386/gnu-user-common.h > +++ b/gcc/config/i386/gnu-user-common.h 
> @@ -66,7 +66,8 @@ along with GCC; see the file COPYING3. If not see > #define STACK_CHECK_STATIC_BUILTIN 1 > > /* We only build the -fsplit-stack support in libgcc if the > - assembler has full support for the CFI directives. */ > -#if HAVE_GAS_CFI_PERSONALITY_DIRECTIVE > + assembler has full support for the CFI directives and > + targets glibc. */ > +#if HAVE_GAS_CFI_PERSONALITY_DIRECTIVE && OPTION_GLIBC OPTION_GLIBC can't be used here since OPTION_GLIBC is evaluated at run-time: https://gcc.gnu.org/pipermail/gcc-regression/2022-January/076271.html > #define TARGET_CAN_SPLIT_STACK > #endif > diff --git a/gcc/config/i386/gnu.h b/gcc/config/i386/gnu.h > index 25fbc07f58c..adfe817201e 100644 > --- a/gcc/config/i386/gnu.h > +++ b/gcc/config/i386/gnu.h > @@ -35,7 +35,11 @@ along with GCC. If not, see <http://www.gnu.org/licenses/>. > crti.o%s %{static:crtbeginT.o%s;shared|pie:crtbeginS.o%s;:crtbegin.o%s}" > #endif > > -#ifdef TARGET_LIBC_PROVIDES_SSP > +/* -fsplit-stack uses a field in the TCB at a fixed offset. This > + field is only available for glibc. Disable -fsplit-stack for > + other libc implementation to avoid silent TCB corruptions. */ > + > +#if defined (TARGET_LIBC_PROVIDES_SSP) && OPTION_GLIBC > > /* i386 glibc provides __stack_chk_guard in %gs:0x14. */ > #define TARGET_THREAD_SSP_OFFSET 0x14
"H.J. Lu" <hjl.tools@gmail.com> wrote:

> OPTION_GLIBC can't be used here since OPTION_GLIBC is
> evaluated at run-time:
>
> https://gcc.gnu.org/pipermail/gcc-regression/2022-January/076271.html

Oops, my bad, sorry! This accidentally broke in one of the two cleanup commits. Originally I just used TARGET_GLIBC_MAJOR in PATCH v1. Would that be acceptable?

Greetings,
Sören
diff --git a/gcc/common/config/s390/s390-common.c b/gcc/common/config/s390/s390-common.c index b6bc8501742..fc86e0bc5e7 100644 --- a/gcc/common/config/s390/s390-common.c +++ b/gcc/common/config/s390/s390-common.c @@ -116,13 +116,20 @@ s390_handle_option (struct gcc_options *opts ATTRIBUTE_UNUSED, /* -fsplit-stack uses a field in the TCB, available with glibc-2.23. We don't verify it, since earlier versions just have padding at - its place, which works just as well. */ + its place, which works just as well. For other libc implementations + we disable the feature entirely to avoid corrupting the TCB. */ static bool s390_supports_split_stack (bool report ATTRIBUTE_UNUSED, struct gcc_options *opts ATTRIBUTE_UNUSED) { - return true; + if (opts->x_linux_libc == LIBC_GLIBC) { + return true; + } else { + if (report) + error("%<-fsplit-stack%> currently only supported on GNU/Linux"); + return false; + } } #undef TARGET_DEFAULT_TARGET_FLAGS diff --git a/gcc/config/i386/gnu-user-common.h b/gcc/config/i386/gnu-user-common.h index 00226f5a455..6e13315b5a3 100644 --- a/gcc/config/i386/gnu-user-common.h +++ b/gcc/config/i386/gnu-user-common.h @@ -66,7 +66,8 @@ along with GCC; see the file COPYING3. If not see #define STACK_CHECK_STATIC_BUILTIN 1 /* We only build the -fsplit-stack support in libgcc if the - assembler has full support for the CFI directives. */ -#if HAVE_GAS_CFI_PERSONALITY_DIRECTIVE + assembler has full support for the CFI directives and + targets glibc. */ +#if HAVE_GAS_CFI_PERSONALITY_DIRECTIVE && OPTION_GLIBC #define TARGET_CAN_SPLIT_STACK #endif diff --git a/gcc/config/i386/gnu.h b/gcc/config/i386/gnu.h index 25fbc07f58c..adfe817201e 100644 --- a/gcc/config/i386/gnu.h +++ b/gcc/config/i386/gnu.h 
@@ -35,7 +35,11 @@ along with GCC. If not, see <http://www.gnu.org/licenses/>. crti.o%s %{static:crtbeginT.o%s;shared|pie:crtbeginS.o%s;:crtbegin.o%s}" #endif -#ifdef TARGET_LIBC_PROVIDES_SSP +/* -fsplit-stack uses a field in the TCB at a fixed offset. This + field is only available for glibc. Disable -fsplit-stack for + other libc implementation to avoid silent TCB corruptions. */ + +#if defined (TARGET_LIBC_PROVIDES_SSP) && OPTION_GLIBC /* i386 glibc provides __stack_chk_guard in %gs:0x14. */ #define TARGET_THREAD_SSP_OFFSET 0x14
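Review bot: In the s390-common.c hunk, the error text in s390_supports_split_stack says "currently only supported on GNU/Linux", but the condition tested is opts->x_linux_libc == LIBC_GLIBC, so a Linux target using another libc gets a diagnostic that does not name the actual reason. Wording the message in terms of glibc would match the check. Both parameters also still carry ATTRIBUTE_UNUSED although report and opts are now read in the body, and the comment above the function still says the glibc-2.23 field is not verified, which is worth keeping in mind since the new test is on the libc kind only.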
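Review bot: In the gnu-user-common.h hunk, the line "#if HAVE_GAS_CFI_PERSONALITY_DIRECTIVE && OPTION_GLIBC" uses OPTION_GLIBC in a preprocessor condition, and H.J. Lu's reply in this thread states that OPTION_GLIBC is evaluated at run-time, so it cannot decide whether TARGET_CAN_SPLIT_STACK gets defined. This needs a libc indicator that is known when the header is preprocessed; the author's follow-up proposes going back to TARGET_GLIBC_MAJOR as in v1.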
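Review bot: In the gnu.h hunk, the condition being changed is the TARGET_LIBC_PROVIDES_SSP guard, and the first definition visible under it is TARGET_THREAD_SSP_OFFSET for __stack_chk_guard, yet the new comment speaks only of -fsplit-stack. Adding "&& OPTION_GLIBC" therefore also changes when the stack-protector offset is defined, which the comment does not mention; either gate only the split-stack part with its own conditional or state that the SSP definition is meant to be affected. The same preprocessor use of OPTION_GLIBC as in gnu-user-common.h applies here, and "other libc implementation" in the comment should read "implementations".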