From: Maxim Blinov
Date: Tue, 03 Mar 2020 14:53:00 -0000
Subject: use of %fs segment register in x86_64 with -fstack-check
To: gdb@sourceware.org

Hi all,

I'm looking at some -fstack-check'ed code, and would appreciate it if some gdb x86_64 gurus could double check my understanding of a trivial example. Here is the source:

big-access.c:

```
/* standard headers omitted; nothing here uses them */
extern void foo(char *);

int
main() {
  char ch[8000];
  foo (ch);
  return 0;
}
```

foo.c:

```
void foo(char *ch) { }
```

And the compilation line:

$ gcc -O2 -fstack-check -o big-access big-access.c foo.c -fdump-rtl-final

And here is the gdb view (ignore the breakpoint and current insn caret):

```
B+ │0x555555554560  sub    $0x2f78,%rsp
   │0x555555554567  orq    $0x0,0xf58(%rsp)
   │0x555555554570  orq    $0x0,(%rsp)
   │0x555555554575  add    $0x1020,%rsp
   │0x55555555457c  mov    %rsp,%rdi
   │0x55555555457f  mov    %fs:0x28,%rax
  >│0x555555554588  mov    %rax,0x1f48(%rsp)
   │0x555555554590  xor    %eax,%eax
   │0x555555554592  callq  0x5555555546d0
   │0x555555554597  mov    0x1f48(%rsp),%rdx
   │0x55555555459f  xor    %fs:0x28,%rdx
   │0x5555555545a8  jne    0x5555555545b4
   │0x5555555545aa  xor    %eax,%eax
   │0x5555555545ac  add    $0x1f58,%rsp
   │0x5555555545b3  retq
   │0x5555555545b4  callq  0x555555554540 <__stack_chk_fail@plt>
   │0x5555555545b9  nopl   0x0(%rax)
```

I would just like someone who knows their stuff to double check my understanding:

The "orq" instructions at the start are purposefully causing a "dummy" load/store event so the VMM can decide whether or not it is sane for us to have used those pages for the stack, right?

Another question is at address 0x55555555457f. I presume that %fs:0x28 is a memory address that points to a sentinel value. We load it into %rax, and then we store it in strategic locations in our stack to serve as sentinel values. Before we leave, we check that the memory location hasn't changed at 0x55555555459f. That implies that the memory location %fs:0x28 is pointing to a globally-used sentinel value?

But who sets %fs? Indeed, what is the ABI usage of %fs in the context of Linux x86_64? And why the 0x28 offset?

Thank you for reading,
Maxim
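As an added example (not part of the original mail, and not gdb's or gcc's own code), here is a small Python checker that walks the listing above and reports what the prologue and epilogue actually do: the net frame size at the call, where the -fstack-check probes land relative to the entry stack pointer, where the value read from %fs:0x28 is stored, and whether the later xor/jne pair is a sound stack-protector check (the compared register reloaded from the same slot, with a mismatch branching to __stack_chk_fail). The listing is embedded as constructed input with the breakpoint and caret columns stripped; all offsets are bytes below rsp at function entry, i.e. below the return-address slot, and the comment on CANARY reflects glibc's x86-64 TLS layout.

```python
import re
# Constructed input: the gdb listing from the question, with the breakpoint and caret columns removed.
LISTING = """\
0x555555554560 sub $0x2f78,%rsp
0x555555554567 orq $0x0,0xf58(%rsp)
0x555555554570 orq $0x0,(%rsp)
0x555555554575 add $0x1020,%rsp
0x55555555457c mov %rsp,%rdi
0x55555555457f mov %fs:0x28,%rax
0x555555554588 mov %rax,0x1f48(%rsp)
0x555555554590 xor %eax,%eax
0x555555554592 callq 0x5555555546d0
0x555555554597 mov 0x1f48(%rsp),%rdx
0x55555555459f xor %fs:0x28,%rdx
0x5555555545a8 jne 0x5555555545b4
0x5555555545aa xor %eax,%eax
0x5555555545ac add $0x1f58,%rsp
0x5555555545b3 retq
0x5555555545b4 callq 0x555555554540 <__stack_chk_fail@plt>
"""
LINE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s*(.*)$")
RSP_MEM = re.compile(r"^(?:(-?0x[0-9a-f]+))?\(%rsp\)$")
CANARY = "%fs:0x28"  # glibc's per-thread stack-guard slot (tcbhead_t.stack_guard) on x86-64

def rsp_disp(operand):
    """Displacement of an rsp-relative memory operand, else None."""
    m = RSP_MEM.match(operand)
    return None if m is None else int(m.group(1) or "0", 16)

def analyze(listing):
    """Offsets in the result are bytes below rsp at function entry (the return-address slot)."""
    insns = [(int(a, 16), m, o.split(",") if o else [])
             for a, m, o in (LINE.match(l).groups() for l in listing.splitlines())]
    depth, reg = 0, None  # depth: how far rsp currently sits below its entry value
    out = {"frame": None, "probes": [], "canary_slot": None, "canary_checked": False}
    for i, (_, mnem, ops) in enumerate(insns):
        if mnem in ("sub", "add") and ops[1:] == ["%rsp"] and ops[0].startswith("$"):
            depth += int(ops[0][1:], 16) * (1 if mnem == "sub" else -1)
        elif mnem == "orq" and ops[0] == "$0x0" and rsp_disp(ops[1]) is not None:
            out["probes"].append(depth - rsp_disp(ops[1]))  # dummy RMW that touches a stack page
        elif mnem == "mov" and ops[0] == CANARY:
            reg = ops[1]  # canary loaded from TLS into a register
        elif mnem == "mov" and reg and ops[0] == reg and rsp_disp(ops[1]) is not None:
            out["canary_slot"] = depth - rsp_disp(ops[1])  # canary stored in the frame
        elif mnem == "xor" and ops[0] == CANARY:
            # Sound only if the register was reloaded from the same slot and a mismatch reaches __stack_chk_fail.
            (pm, po), (nm, no) = insns[i - 1][1:], insns[i + 1][1:]
            reloaded = pm == "mov" and po[1] == ops[1] and rsp_disp(po[0]) is not None and depth - rsp_disp(po[0]) == out["canary_slot"]
            tm, to = next((m, o) for a, m, o in insns if a == int(no[0], 16)) if nm == "jne" else ("", [])
            out["canary_checked"] = reloaded and tm.startswith("call") and "__stack_chk_fail" in " ".join(to)
        elif mnem.startswith("call") and out["frame"] is None:
            out["frame"] = depth  # the frame is fully built at the first call
    return out
```

On this listing it reports a 0x1f58-byte frame (matching the epilogue's add), probes 0x2020 and 0x2f78 bytes below the entry rsp, the canary 0x10 bytes below the return-address slot, and a sound check; redirecting the jne anywhere other than the __stack_chk_fail call makes canary_checked come back False.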