[ARM] Intermittent stack smashing in signal_handler_worker with -fstack-protector and -D_FORTIFY_SOURCE=2 enabled. #9664

@kbaladurin

There are intermittent stack smashing errors that occur during long-running application tests:

*** stack smashing detected ***: com.app.app terminated
======= Backtrace: =========
/lib/libc.so.6(+0x410e83e0)[0xb61b43e0]
/lib/libc.so.6(__fortify_fail+0x44)[0xb6235100]
/lib/libc.so.6(__stack_chk_fail+0x14)[0xb62350b8]
/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.0/libclrjit.so(+0x1014a8)[0xb09004a8] (signal_handler_worker + 124)
/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.0/libclrjit.so(+0x129bb2)[0xb0928bb2] (CallSignalHandlerWrapper0 + 6)

signal_handler_worker disassembly:

.text:0010142C signal_handler_worker                   ; CODE XREF: CallSignalHandlerWrapper0+2↓p
.text:0010142C                                         ; CallSignalHandlerWrapper4+2↓p
.text:0010142C                                         ; DATA XREF: ...
.text:0010142C
.text:0010142C set             = -0x90
.text:0010142C var_10          = -0x10
.text:0010142C
.text:0010142C                 PUSH.W          {R4-R10,LR}
.text:00101430                 ADD             R7, SP, #0xC
.text:00101432                 SUB             SP, SP, #0x90
.text:00101434                 MOV             R9, R0
.text:00101436                 LDR             R0, =(__stack_chk_guard_ptr - 0x101440)
.text:00101438                 ADD             R5, SP, #0x9C+set
.text:0010143A                 MOV             R4, R3
.text:0010143C                 ADD             R0, PC ; __stack_chk_guard_ptr
.text:0010143E                 MOV             R8, R2
.text:00101440                 MOV             R6, R1
.text:00101442                 LDR             R0, [R0] ; __stack_chk_guard
.text:00101444                 LDR             R0, [R0]
.text:00101446                 STR             R0, [SP,#0x9C+var_10]
.text:00101448                 MOV             R0, R5  ; set
.text:0010144A                 BLX             sigemptyset
.text:0010144E                 BLX             __libc_current_sigrtmin
.text:00101452                 MOV             R1, R0  ; signo
.text:00101454                 MOV             R0, R5  ; set
.text:00101456                 BLX             sigaddset
.text:0010145A                 MOVS            R0, #1  ; how
.text:0010145C                 MOV             R1, R5  ; newmask
.text:0010145E                 MOVS            R2, #0  ; oldmask
.text:00101460                 MOV.W           R10, #0
.text:00101464                 BLX             pthread_sigmask
.text:00101468                 LDR             R0, [R6,#0xC]
.text:0010146A                 MOV             R1, R6  ; siginfo_t *
.text:0010146C                 MOV             R2, R8  ; void *
.text:0010146E                 MOVS            R3, #2  ; int
.text:00101470                 STRD.W          R10, R0, [SP]
.text:00101474                 MOV             R0, R9  ; int
.text:00101476                 BL              _ZL21common_signal_handleriP9siginfo_tPviz ; common_signal_handler(int,siginfo_t *,void *,int,...)
.text:0010147A                 STRB.W          R0, [R4],#8
.text:0010147E                 MOVS            R0, #0  ; how
.text:00101480                 MOV             R1, R5  ; newmask
.text:00101482                 MOVS            R2, #0  ; oldmask
.text:00101484                 BLX             pthread_sigmask
.text:00101488                 MOV             R0, R4
.text:0010148A                 MOVS            R1, #0
.text:0010148C                 BL              RtlRestoreContext
.text:00101490                 LDR             R0, =(__stack_chk_guard_ptr - 0x101498)
.text:00101492                 LDR             R1, [SP,#0x9C+var_10]
.text:00101494                 ADD             R0, PC ; __stack_chk_guard_ptr
.text:00101496                 LDR             R0, [R0] ; __stack_chk_guard
.text:00101498                 LDR             R0, [R0]
.text:0010149A                 SUBS            R0, R0, R1
.text:0010149C                 ITT EQ
.text:0010149E                 ADDEQ           SP, SP, #0x90
.text:001014A0                 POPEQ.W         {R4-R10,PC}
.text:001014A4                 BLX             __stack_chk_fail
.text:001014A4 ; End of function signal_handler_worker
.text:001014A4
.text:001014A4 ; ---------------------------------------------------------------------------
.text:001014A8 off_1014A8      DCD __stack_chk_guard_ptr - 0x101440
.text:001014A8                                         ; DATA XREF: signal_handler_worker+A↑r
.text:001014AC off_1014AC      DCD __stack_chk_guard_ptr - 0x101498
.text:001014AC                                         ; DATA XREF: signal_handler_worker+64↑r
.text:001014B0

The crashes occurred after the -fstack-protector and -D_FORTIFY_SOURCE=2 options were enabled in coreclr 2.0.0.

It seems that, for some reason, RtlRestoreContext changes SP and returns, which leads to a canary mismatch.

Have you ever seen such a problem?

Thank you!
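The frame `libclrjit.so(+0x1014a8) (signal_handler_worker + 124)` can be cross-checked against the listing: 0x10142C + 124 = 0x1014A8, the address right after `BLX __stack_chk_fail` at 0x1014A4, so the canary check that fired is the one in this function's own epilogue, code that is only reached if RtlRestoreContext returns. The script below is an added example (not part of the report or of coreclr) that does this check mechanically: it derives the load bias of libclrjit.so from both frames and confirms they agree, resolves the reporter's "symbol + offset" annotation to a listing address, and reports the instruction preceding that return address. The backtrace and a trimmed copy of the listing are embedded from the report so it runs offline; the column-layout parsing is a regex of my own written against the IDA text shown above, not an IDA API.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Copy of the backtrace from the report (with the reporter's "(sym + off)" notes).
BACKTRACE = """\
======= Backtrace: =========
/lib/libc.so.6(+0x410e83e0)[0xb61b43e0]
/lib/libc.so.6(__fortify_fail+0x44)[0xb6235100]
/lib/libc.so.6(__stack_chk_fail+0x14)[0xb62350b8]
/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.0/libclrjit.so(+0x1014a8)[0xb09004a8] (signal_handler_worker + 124)
/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.0/libclrjit.so(+0x129bb2)[0xb0928bb2] (CallSignalHandlerWrapper0 + 6)
"""

# Trimmed copy of the IDA listing from the report: prologue, canary store,
# the tail after RtlRestoreContext, and the literal pool after the function.
LISTING = """\
.text:0010142C signal_handler_worker                   ; CODE XREF: CallSignalHandlerWrapper0+2
.text:0010142C var_10          = -0x10
.text:0010142C                 PUSH.W          {R4-R10,LR}
.text:00101432                 SUB             SP, SP, #0x90
.text:00101446                 STR             R0, [SP,#0x9C+var_10]
.text:0010148C                 BL              RtlRestoreContext
.text:00101492                 LDR             R1, [SP,#0x9C+var_10]
.text:0010149E                 ADDEQ           SP, SP, #0x90
.text:001014A0                 POPEQ.W         {R4-R10,PC}
.text:001014A4                 BLX             __stack_chk_fail
.text:001014A4 ; End of function signal_handler_worker
.text:001014A8 off_1014A8      DCD __stack_chk_guard_ptr - 0x101440
"""

@dataclass
class Frame:
    module: str
    addr: int                   # absolute return address, from "[0x...]"
    module_off: Optional[int]   # "(+0x...)" form: raw offset into the module
    symbol: Optional[str]       # "(sym+0x..)" form, or the hand-added "(sym + 124)"
    sym_off: Optional[int]

FRAME_RE = re.compile(
    r"^(?P<module>\S+)\((?P<inner>[^)]*)\)\[0x(?P<addr>[0-9a-fA-F]+)\]"
    r"(?:\s+\((?P<sym>\w+)\s*\+\s*(?P<symoff>\d+)\))?$")

def parse_backtrace(text):
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:                        # banner lines are not frames
            continue
        name, _, off = m["inner"].partition("+")
        off_val = int(off, 16) if off else None
        symbol, sym_off, module_off = (name, off_val, None) if name else (None, None, off_val)
        if m["sym"]:                     # reporter's annotation names the function
            symbol, sym_off = m["sym"], int(m["symoff"])
        frames.append(Frame(m["module"], int(m["addr"], 16), module_off, symbol, sym_off))
    return frames

def load_bias(frames):
    """addr - module_off per module; all frames of a module must agree."""
    bias = {}
    for f in frames:
        if f.module_off is None:
            continue
        b = f.addr - f.module_off
        if bias.setdefault(f.module, b) != b:
            raise ValueError(f"inconsistent load bias for {f.module}")
    return bias

LINE_RE = re.compile(r"^\.text:(?P<addr>[0-9A-Fa-f]+)(?P<gap>\s*)(?P<rest>.*)$")

def parse_listing(text):
    """IDA layout: one space after the address = label/definition, a run of
    spaces = instruction. Returns ({label: addr}, {addr: (mnemonic, operands)})."""
    labels, insns = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["rest"] or m["rest"].startswith(";"):
            continue
        addr = int(m["addr"], 16)
        body = m["rest"].split(";", 1)[0].strip()     # drop trailing comment
        if len(m["gap"]) == 1:
            if "=" not in body:                       # skip "var_10 = -0x10" defs
                labels[body.split()[0]] = addr
            continue
        mnemonic, *rest = body.split(None, 1)
        insns[addr] = (mnemonic, rest[0] if rest else "")
    return labels, insns

def call_site(frame, labels, insns):
    """Saved LR is the instruction after the BL/BLX, so the call site is the
    highest listed instruction below the resolved return address."""
    ret = labels[frame.symbol] + frame.sym_off
    below = [a for a in insns if a < ret]
    if not below:
        raise LookupError(f"no instruction below {ret:#x} in listing")
    site = max(below)
    return ret, site, insns[site]

if __name__ == "__main__":
    frames = parse_backtrace(BACKTRACE)
    print({m.rsplit("/", 1)[-1]: hex(b) for m, b in load_bias(frames).items()})
    labels, insns = parse_listing(LISTING)
    for f in frames:
        if f.symbol in labels:
            ret, site, (mn, ops) = call_site(f, labels, insns)
            note = "" if ret == f.module_off else "  <- module offset disagrees with listing"
            print(f"{f.symbol}+{f.sym_off}: ret {ret:#x}, call at {site:#x}: {mn} {ops}{note}")
```

Two things the output gives you that the raw trace does not: both libclrjit frames yield the same bias (0xb07ff000), so the trace really is from this binary mapped once, and the resolved return address equals the module offset, so IDA's base of 0 matches the file and the +124 annotation is right. The instruction before the return address is the `BLX __stack_chk_fail`, confirming the failing check is the epilogue comparison of `[SP,#0x9C+var_10]` against `__stack_chk_guard` that follows the call to RtlRestoreContext.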