ref: b585f051c365bbada36bd066dd0a8a237fbf9dca
parent: b878d75dc2e5915eedfb79c4721481ff28251523
author: Martin Storsjö <martin@martin.st>
date: Thu May 14 09:16:22 EDT 2020
checkasm: arm: Offset the location of the stack canary reference If the maximum number of arguments (currently 15) is changed to an even number, and a function actually takes the full number of arguments, we would have the situation where the checked spot on the stack is the same place where we store an inverted copy of it. We already allocate enough space for two values though (for stack alignment purposes, 16 bytes on arm64 and 8 bytes on arm32), so by storing the reference in the upper half of this space, the lower half works as the canary and isn't overwritten.
--- a/tests/checkasm/arm/checkasm_32.S
+++ b/tests/checkasm/arm/checkasm_32.S
@@ -96,7 +96,7 @@
@ e.g. overwriting everything with zero would be noticed.
ldr r12, [sp, r12, lsl #2]
mvn r12, r12
- str r12, [sp, #ARG_STACK_A - 8]
+ str r12, [sp, #ARG_STACK_A - 4]
mov r12, r0
mov r0, r2
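Review bot: The new offsets `#ARG_STACK_A - 4` (stored here, loaded again in the hunk at line 108) and `#ARG_STACK-8` in checkasm_64.S (both hunks there) encode a layout invariant that only the commit message explains — the reference lives in the upper word of the trailing alignment pad, leaving the lower word free as the highest possible canary slot — and each offset is spelled out twice, so the store and the load can drift apart again, which is exactly what this commit had to repair in two places per file. A comment at the `str` would capture the intent, e.g. `@ Reference goes in the upper word of the alignment pad; the lower word may itself be the canary slot when the stack-arg count is even`. Better still, define the offset once with whatever constant mechanism the file already uses (e.g. `.equ CANARY_REF_OFF, ARG_STACK_A - 4`, name constructed) and use it at both the `str` and the `ldr`, mirroring that in the 64-bit file. Whether ARG_STACK_A actually reserves that padding above the last argument slot is not visible in the hunk and is inferred from the commit message only. The enclosing function starts and ends outside the hunk.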
@@ -108,7 +108,7 @@
@ Load the number of stack parameters, stack canary and its reference
ldr r12, [sp, #ARG_STACK_A + pushed + 8 + 4*(MAX_ARGS-4)]
ldr r2, [sp, r12, lsl #2]
- ldr r3, [sp, #ARG_STACK_A - 8]
+ ldr r3, [sp, #ARG_STACK_A - 4]
add sp, sp, #ARG_STACK_A
push {r0, r1}
--- a/tests/checkasm/arm/checkasm_64.S
+++ b/tests/checkasm/arm/checkasm_64.S
@@ -131,7 +131,7 @@
// e.g. overwriting everything with zero would be noticed.
ldr x2, [sp, x2, lsl #3]
mvn x2, x2
- str x2, [sp, #ARG_STACK-16]
+ str x2, [sp, #ARG_STACK-8]
// Load the in-register arguments
mov x12, x0
@@ -145,7 +145,7 @@
// Load the number of stack parameters, stack canary and its reference
ldr w2, [x29, #16 + 8*8 + (MAX_ARGS-8)*8]
ldr x2, [sp, x2, lsl #3]
- ldr x3, [sp, #ARG_STACK-16]
+ ldr x3, [sp, #ARG_STACK-8]
add sp, sp, #ARG_STACK
stp x0, x1, [sp, #-16]!