Recherche avancée

Sur d’autres sites (6985)

• ARM inline asm secrets

  6 juillet 2010, par Mans — ARM, Compilers

  Although I generally recommend against using GCC inline assembly, preferring instead pure assembly code in separate files, there are occasions where inline is the appropriate solution. Should one, at a time like this, turn to the GCC documentation for guidance, one must be prepared for a degree of disappointment. As it happens, much of the inline asm syntax is left entirely undocumented. This article attempts to fill in some of the blanks for the ARM target.
  

  Constraints

  Each operand of an inline asm block is described by a constraint string encoding the valid representations of the operand in the generated assembly. For example the “r” code denotes a general-purpose register. In addition to the standard constraints, ARM allows a number of special codes, only some of which are documented. The full list, including a brief description, is available in the constraints.md file in the GCC source tree. The following table is an extract from this file consisting of the codes which are meaningful in an inline asm block (a few are only useful in the machine description itself).

  f	Legacy FPA registers f0-f7.
  t	The VFP registers s0-s31.
  v	The Cirrus Maverick co-processor registers.
  w	The VFP registers d0-d15, or d0-d31 for VFPv3.
  x	The VFP registers d0-d7.
  y	The Intel iWMMX co-processor registers.
  z	The Intel iWMMX GR registers.
  l	In Thumb state the core registers r0-r7.
  h	In Thumb state the core registers r8-r15.
  j	A constant suitable for a MOVW instruction. (ARM/Thumb-2)
  b	Thumb only. The union of the low registers and the stack register.
  I	In ARM/Thumb-2 state a constant that can be used as an immediate value in a Data Processing instruction. In Thumb-1 state a constant in the range 0 to 255.
  J	In ARM/Thumb-2 state a constant in the range -4095 to 4095. In Thumb-1 state a constant in the range -255 to -1.
  K	In ARM/Thumb-2 state a constant that satisfies the I constraint if inverted. In Thumb-1 state a constant that satisfies the I constraint multiplied by any power of 2.
  L	In ARM/Thumb-2 state a constant that satisfies the I constraint if negated. In Thumb-1 state a constant in the range -7 to 7.
  M	In Thumb-1 state a constant that is a multiple of 4 in the range 0 to 1020.
  N	Thumb-1 state a constant in the range 0 to 31.
  O	In Thumb-1 state a constant that is a multiple of 4 in the range -508 to 508.
  Pa	In Thumb-1 state a constant in the range -510 to +510
  Pb	In Thumb-1 state a constant in the range -262 to +262
  Ps	In Thumb-2 state a constant in the range -255 to +255
  Pt	In Thumb-2 state a constant in the range -7 to +7
  G	In ARM/Thumb-2 state a valid FPA immediate constant.
  H	In ARM/Thumb-2 state a valid FPA immediate constant when negated.
  Da	In ARM/Thumb-2 state a const_int, const_double or const_vector that can be generated with two Data Processing insns.
  Db	In ARM/Thumb-2 state a const_int, const_double or const_vector that can be generated with three Data Processing insns.
  Dc	In ARM/Thumb-2 state a const_int, const_double or const_vector that can be generated with four Data Processing insns. This pattern is disabled if optimizing for space or when we have load-delay slots to fill.
  Dn	In ARM/Thumb-2 state a const_vector which can be loaded with a Neon vmov immediate instruction.
  Dl	In ARM/Thumb-2 state a const_vector which can be used with a Neon vorr or vbic instruction.
  DL	In ARM/Thumb-2 state a const_vector which can be used with a Neon vorn or vand instruction.
  Dv	In ARM/Thumb-2 state a const_double which can be used with a VFP fconsts instruction.
  Dy	In ARM/Thumb-2 state a const_double which can be used with a VFP fconstd instruction.
  Ut	In ARM/Thumb-2 state an address valid for loading/storing opaque structure types wider than TImode.
  Uv	In ARM/Thumb-2 state a valid VFP load/store address.
  Uy	In ARM/Thumb-2 state a valid iWMMX load/store address.
  Un	In ARM/Thumb-2 state a valid address for Neon doubleword vector load/store instructions.
  Um	In ARM/Thumb-2 state a valid address for Neon element and structure load/store instructions.
  Us	In ARM/Thumb-2 state a valid address for non-offset loads/stores of quad-word values in four ARM registers.
  Uq	In ARM state an address valid in ldrsb instructions.
  Q	In ARM/Thumb-2 state an address that is a single base register.

  Operand codes

  Within the text of an inline asm block, operands are referenced as %0, %1 etc. Register operands are printed as rN, memory operands as [rN, #offset], and so forth. In some situations, for example with operands occupying multiple registers, more detailed control of the output may be required, and once again, an undocumented feature comes to our rescue.

  Special code letters inserted between the % and the operand number alter the output from the default for each type of operand. The table below lists the more useful ones.

  c	An integer or symbol address without a preceding # sign
  B	Bitwise inverse of integer or symbol without a preceding #
  L	The low 16 bits of an immediate constant
  m	The base register of a memory operand
  M	A register range suitable for LDM/STM
  H	The highest-numbered register of a pair
  Q	The least significant register of a pair
  R	The most significant register of a pair
  P	A double-precision VFP register
  p	The high single-precision register of a VFP double-precision register
  q	A NEON quad register
  e	The low doubleword register of a NEON quad register
  f	The high doubleword register of a NEON quad register
  h	A range of VFP/NEON registers suitable for VLD1/VST1
  A	A memory operand for a VLD1/VST1 instruction
  y	S register as indexed D register, e.g. s5 becomes d2[1]

• Revision 44566 : Eviter de casser la compression js dans le public Apparemment ne casse ...

  12 février 2011, par kent1@… — Log

  Eviter de casser la compression js dans le public Apparemment ne casse rien de spécial ... à vérifier…

• Heroic Defender of the Stack

  27 janvier 2011, par Multimedia Mike — Programming

  Problem Statement

  I have been investigating stack smashing and countermeasures (stack smashing prevention, or SSP). Briefly, stack smashing occurs when a function allocates a static array on the stack and writes past the end of it, onto other local variables and eventually onto other function stack frames. When it comes time to return from the function, the return address has been corrupted and the program ends up some place it really shouldn’t. In the best case, the program just crashes ; in the worst case, a malicious party crafts code to exploit this malfunction.

  Further, debugging such a problem is especially obnoxious because by the time the program has crashed, it has already trashed any record (on the stack) of how it got into the errant state.

  Preventative Countermeasure

  GCC has had SSP since version 4.1. The computer inserts SSP as additional code when the -fstack-protector command line switch is specified. Implementation-wise, SSP basically inserts a special value (the literature refers to this as the ’canary’ as in "canary in the coalmine") at the top of the stack frame when entering the function, and code before leaving the function to make sure the canary didn’t get stepped on. If something happens to the canary, the program is immediately aborted with a message to stderr about what happened. Further, gcc’s man page on my Ubuntu machine proudly trumpets that this functionality is enabled per default ever since Ubuntu 6.10.

  And that’s really all there is to it. Your code is safe from stack smashing by default. Or so the hand-wavy documentation would have you believe.

  Not exactly

  Exercising the SSP

  I wanted to see the SSP in action to make sure it was a real thing. So I wrote some code that smashes the stack in pretty brazen ways so that I could reasonably expect to trigger the SSP (see later in this post for the code). Here’s what I learned that wasn’t in any documentation :

  SSP is only emitted for functions that have static arrays of 8-bit data (i.e., [unsigned] chars). If you have static arrays of other data types (like, say, 32-bit ints), those are still fair game for stack smashing.

  Evaluating the security vs. speed/code size trade-offs, it makes sense that the compiler wouldn’t apply this protection everywhere (I can only muse about how my optimization-obsessive multimedia hacking colleagues would absolute freak out if this code were unilaterally added to all functions). So why are only static char arrays deemed to be "vulnerable objects" (the wording that the gcc man page uses) ? A security hacking colleague suggested that this is probably due to the fact that the kind of data which poses the highest risk is arrays of 8-bit input data from, e.g., network sources.

  The gcc man page also lists an option -fstack-protector-all that is supposed to protect all functions. The man page’s definition of "all functions" perhaps differs from my own since invoking the option does not have differ in result from plain, vanilla -fstack-protector.

  The Valgrind Connection

  "Memory trouble ? Run Valgrind !" That may as well be Valgrind’s marketing slogan. Indeed, it’s the go-to utility for finding troublesome memory-related problems and has saved me on a number of occasions. However, it must be noted that it is useless for debugging this type of problem. If you understand how Valgrind works, this makes perfect sense. Valgrind operates by watching all memory accesses and ensuring that the program is only accessing memory to which it has privileges. In the stack smashing scenario, the program is fully allowed to write to that stack space ; after all, the program recently, legitimately pushed that return value onto the stack when calling the errant, stack smashing function.

  Valgrind embodies a suite of tools. My idea for an addition to this suite would be a mechanism which tracks return values every time a call instruction is encountered. The tool could track the return values in a separate stack data structure, though this might have some thorny consequences for some more unusual program flows. Instead, it might track them in some kind of hash/dictionary data structure and warn the programmer whenever a ’ret’ instruction is returning to an address that isn’t in the dictionary.

  Simple Stack Smashing Code

  Here’s the code I wrote to test exactly how SSP gets invoked in gcc. Compile with ’gcc -g -O0 -Wall -fstack-protector-all -Wstack-protector stack-fun.c -o stack-fun’.

  stack-fun.c :

  PLAIN TEXT

  C :

  1. /* keep outside of the stack frame */
  2. static int i ;
  3.  
  4. void stack_smasher32(void)
  5. {
  6.  int buffer32[8] ;
  7.  // uncomment this array and compile without optimizations
  8.  // in order to force this function to compile with SSP
  9. // char buffer_to_trigger_ssp[8] ;
  10.  
  11.  for (i = 0 ; i <50 ; i++)
  12.   buffer32[i] = 0xA5 ;
  13. }
  14.  
  15. void stack_smasher8(void)
  16. {
  17.  char buffer8[8] ;
  18.  for (i = 0 ; i <50 ; i++)
  19.   buffer8[i] = 0xA5 ;
  20. }
  21.  
  22. int main()
  23. {
  24. // stack_smasher8() ;
  25.  stack_smasher32() ;
  26.  return 0 ;
  27. }

  The above incarnation should just produce the traditional "Segmentation fault". However, uncommenting and executing stack_smasher8() in favor of stack_smasher32() should result in "*** stack smashing detected *** : ./stack-fun terminated", followed by the venerable "Segmentation fault".

  As indicated in the comments for stack_smasher32(), it’s possible to trick the compiler into emitting SSP for a function by inserting an array of at least 8 bytes (any less and SSP won’t emit, as documented, unless gcc’s ssp-buffer-size parameter is tweaked). This has to be compiled with no optimization at all (-O0) or else the compiler will (quite justifiably) optimize away the unused buffer and omit SSP.

  For reference, I ran my tests on Ubuntu 10.04.1 with gcc 4.4.3 compiling the code for both x86_32 and x86_64.