Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 15 Nov 2018 23:51:13 +0300
From: Alexander Popov <>
To: Florian Weimer <>,
 Richard Sandiford <>
Cc: Kees Cook <>, Ingo Molnar <>,
 Andy Lutomirski <>, Tycho Andersen <>,
 Laura Abbott <>, Mark Rutland <>,
 Ard Biesheuvel <>, Borislav Petkov <>,
 Thomas Gleixner <>, "H . Peter Anvin" <>,
 Peter Zijlstra <>, Emese Revfy <>,
 Thomas Garnier <>, Alexei Starovoitov <>,
 Masami Hiramatsu <>,
 "David S . Miller" <>,
 Steven Rostedt <>,
 Dave Hansen <>, Will Deacon
 <>, Jann Horn <>,,,, LKML <>,
 "" <>
Subject: Re: Investigating a stack state mismatch in Linux kernel

On 15.11.2018 13:24, Florian Weimer wrote:
> * Alexander Popov:
>> Of course, there is a naive solution for this issue -- just skip stackleak
>> instrumentation for acpi_duplicate_processor_id(). But it would be great to find
>> out the reasons behind this compiler behavior. It might help to create a better
>> solution.
> Please show us the RTL dumps with both compilers, both before and after
> the plugin pass.

Thanks a lot for your reply, Florian!

I have more information to share.

I attach the list of gcc passes. The 'rtl-stackleak_cleanup' runs after the
'rtl-reload' pass.

I attach RTL dumps both for gcc-5 and gcc-7 for:
  - 'rtl-reload' pass,
  - 'rtl-stackleak_cleanup' pass,
  - 'rtl-pro_and_epilogue' pass.

I've found out that for gcc-5:
  - if I put the 'rtl-stackleak_cleanup' pass (deleting CALL insn) *before* the
'rtl-pro_and_epilogue' pass, objtool reports about stack state mismatch in
  - if I put the 'rtl-stackleak_cleanup' pass *after* the 'rtl-pro_and_epilogue'
pass, objtool *doesn't* report about stack state mismatch.

So gcc-5 does some mistake during the 'rtl-pro_and_epilogue' pass. And gcc-7
doesn't have this issue.

In the original grsecurity code the stackleak RTL pass was registered just
before the 'rtl-final' pass. Some time ago Richard Sandiford noted that:

>>> This might be too late, since it happens e.g. after addresses have
>>> been calculated for branch ranges, and after machine-specific passes
>>> (e.g. bundling on ia64).
>>> The stack size is final after reload, so inserting the pass after that
>>> might be better.

So what is the best moment when we know the stack frame size and can safely
delete the CALL insn using delete_insn_and_edges()?


Best regards,

View attachment "gcc5-after-stackleak_cleanup.txt" of type "text/plain" (8078 bytes)

View attachment "gcc5-after-reload.txt" of type "text/plain" (16996 bytes)

View attachment "gcc5-after-pro_and_epilogue.txt" of type "text/plain" (10318 bytes)

View attachment "gcc7-after-stackleak_cleanup.txt" of type "text/plain" (8192 bytes)

View attachment "gcc7-after-reload.txt" of type "text/plain" (19210 bytes)

View attachment "gcc7-after-pro_and_epilogue.txt" of type "text/plain" (11195 bytes)

View attachment "gcc-passes.txt" of type "text/plain" (20714 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.