NetBSD Problem Report #59994
From mlelstv@serpens.de Wed Feb 11 06:56:29 2026
Return-Path: <mlelstv@serpens.de>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "mail.netbsd.org", Issuer "R13" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 31D611A923D
for <gnats-bugs@gnats.NetBSD.org>; Wed, 11 Feb 2026 06:56:29 +0000 (UTC)
Message-Id: <20260211065612.47EE173330@serpens.de>
Date: Wed, 11 Feb 2026 07:56:09 +0100 (MET)
From: mlelstv@netbsd.org
Reply-To: mlelstv@netbsd.org
To: gnats-bugs@NetBSD.org
Subject: gcc/m68k generates bad code for stack protector
X-Send-Pr-Version: 3.95
X-From4GNATS: "mlelstv@netbsd.org via gnats" <gnats-admin@NetBSD.org>
>Number: 59994
>Category: toolchain
>Synopsis: gcc/m68k generates bad code for stack protector
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kalvisd
>State: pending-pullups
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Feb 11 07:00:00 +0000 2026
>Closed-Date:
>Last-Modified: Fri Apr 03 13:05:01 +0000 2026
>Originator: Michael van Elst
>Release: NetBSD 11.0_RC1
>Organization:
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
>Environment:
System: NetBSD serpens.de 11.0_RC1 NetBSD 11.0_RC1 (SERPENS) #0: Sat Feb 7 12:30:40 UTC 2026 root@aries.NetBSD.de:/home/netbsd/11/arch/amiga/obj/sys/arch/amiga/compile/SERPENS amiga
Architecture: m68k
Machine: amiga
>Description:
mutt from pkgsrc aborts when trying to forward a mail on a NetBSD/m68k-11.0RC1
system:
> #0 0x0ec23d8c in _lwp_kill () from /usr/lib/libc.so.12
> #1 0x0ec23702 in raise () from /usr/lib/libc.so.12
> #2 0x0ec0c274 in ?? () from /usr/lib/libc.so.12
> #3 0x0ec0c296 in __stack_chk_fail () from /usr/lib/libc.so.12
This is caused by gcc generating bad code for the stack protector.
A simple reproducer is:
#include <stdio.h>

extern void bar(const char *);

void foo(unsigned x)
{
	char buf[1024];

	snprintf(buf, sizeof(buf), "%u\n", x);
	bar(buf);
}
Compiling with:
cc -fstack-protector -O -S c.c
generates the following code:
#NO_APP
.file "c.c"
.text
.section .rodata.str1.1,"aMS",@progbits,1
.LC0:
.string "%u\n"
.text
.align 2
.globl foo
.type foo, @function
foo:
.LFB3:
.cfi_startproc
lea (-1028,%sp),%sp
.cfi_def_cfa_offset 1032
move.l %d2,-(%sp)
.cfi_def_cfa_offset 1036
.cfi_offset 2, -1036
move.w 1028(%sp),%d0
move.w 1030(%sp),%d0
move.l __stack_chk_guard,%d0
move.l 1036(%sp),-(%sp)
.cfi_def_cfa_offset 1040
pea .LC0
.cfi_def_cfa_offset 1044
pea 1024.w
.cfi_def_cfa_offset 1048
moveq #16,%d2
add.l %sp,%d2
move.l %d2,-(%sp)
.cfi_def_cfa_offset 1052
jsr snprintf
move.l %d2,-(%sp)
.cfi_def_cfa_offset 1056
jsr bar
lea (20,%sp),%sp
.cfi_def_cfa_offset 1036
move.w 1028(%sp),%d0
swap %d0
clr.w %d0
move.w 1030(%sp),%d1
or.w %d1,%d0
move.l __stack_chk_guard,%d1
cmp.l %d1,%d0
jne .L3
move.l (%sp)+,%d2
lea (1028,%sp),%sp
rts
.L3:
jsr __stack_chk_fail
.cfi_endproc
.LFE3:
.size foo, .-foo
.ident "GCC: (nb1 20260119) 12.5.0"
The stack check code at the end of the function is bad but correct,
maybe a consequence of trying to be ColdFire compatible.
- assemble 32bit value from stack
	move.w 1028(%sp),%d0
	swap %d0
	clr.w %d0
	move.w 1030(%sp),%d1
	or.w %d1,%d0
- fetch 32bit guard value
	move.l __stack_chk_guard,%d1
- compare both
	cmp.l %d1,%d0
The setup code is nonsense:
- read 32bit value from stack, but throw it away
	move.w 1028(%sp),%d0
	move.w 1030(%sp),%d0
- read 32bit guard value (and don't use it either).
	move.l __stack_chk_guard,%d0
Instead of seeding the longword on the stack with the random
guard value, it just _reads_ the stack and the guard value.
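As an added check (not part of the PR or of gcc), a small script that scans the prologue of a `cc -S` listing for exactly the defect described above: the guard is loaded into a data register but never stored to the canary slot before the first call. It assumes the m68k `move.l __stack_chk_guard,%dN` / `move.l %dN,off(%sp)` instruction forms seen in the listing; the "fixed" prologue is constructed to show what a seeded canary looks like.

```python
import re

# Prologue of foo() as emitted by the gcc in the PR: the guard is loaded but never stored.
BUGGY_PROLOGUE = """\
foo:
    lea (-1028,%sp),%sp
    move.l %d2,-(%sp)
    move.w 1028(%sp),%d0
    move.w 1030(%sp),%d0
    move.l __stack_chk_guard,%d0
    move.l 1036(%sp),-(%sp)
    pea .LC0
    jsr snprintf
"""

# Constructed example of a correct prologue: the guard is copied into the canary slot.
FIXED_PROLOGUE = """\
foo:
    lea (-1028,%sp),%sp
    move.l %d2,-(%sp)
    move.l __stack_chk_guard,%d0
    move.l %d0,1028(%sp)
    move.l 1036(%sp),-(%sp)
    pea .LC0
    jsr snprintf
"""

STACK_SLOT = r"(?:-?\d*\(%sp\)|-\(%sp\))"  # off(%sp) or a push via -(%sp)

def canary_is_seeded(asm):
    """True if, before the first call, a register holding __stack_chk_guard
    is stored to a stack slot; False if the guard is only read (the PR's bug)."""
    holding_guard = set()
    for line in asm.splitlines():
        line = line.strip()
        if line.startswith(("jsr", "bsr")):
            break  # only the prologue matters
        m = re.match(r"move\.l\s+__stack_chk_guard,(%d\d)$", line)
        if m:
            holding_guard.add(m.group(1))
            continue
        m = re.match(r"move\.l\s+(%d\d)," + STACK_SLOT + "$", line)
        if m and m.group(1) in holding_guard:
            return True  # guard written to the canary slot
        m = re.match(r"\S+\s+.*,(%d\d)$", line)
        if m:
            holding_guard.discard(m.group(1))  # register overwritten, guard lost
    return False
```

Running it over the listing from the PR reports the canary as unseeded, which is why `__stack_chk_fail` fires even without any overflow.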
>How-To-Repeat:
Compile reproducer.
Adding a simple main program:
#include <stdio.h>

extern void foo(unsigned);

void bar(const char *p)
{
	puts(p);
}

int main()
{
	foo(42);
	return 0;
}
results in an abort when compiled with stack protector:
% ./a.out
42
Abort
>Fix:
>Release-Note:
>Audit-Trail:
From: "Kalvis Duckmanton" <kalvisd@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59994 CVS commit: src/external/gpl3/gcc.old/dist/gcc
Date: Thu, 19 Mar 2026 06:16:17 +0000
Module Name: src
Committed By: kalvisd
Date: Thu Mar 19 06:16:17 UTC 2026
Modified Files:
src/external/gpl3/gcc.old/dist/gcc: cfgexpand.cc
Log Message:
PR/59994 gcc/m68k generates bad code for stack protector
Record the alignment of the stack canary before allocating space for
it in a stack frame.
Generate an assignment expression to initialise the canary instead of
emitting a move instruction.
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.2 src/external/gpl3/gcc.old/dist/gcc/cfgexpand.cc
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Responsible-Changed-From-To: toolchain-manager->kalvisd
Responsible-Changed-By: kalvisd@NetBSD.org
Responsible-Changed-When: Tue, 31 Mar 2026 01:42:44 +0000
Responsible-Changed-Why:
I'm looking into this.
State-Changed-From-To: open->pending-pullups
State-Changed-By: kalvisd@NetBSD.org
State-Changed-When: Tue, 31 Mar 2026 01:42:44 +0000
State-Changed-Why:
pullup-11 #245
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59994 CVS commit: [netbsd-11] src/external/gpl3/gcc/dist/gcc
Date: Fri, 3 Apr 2026 13:02:12 +0000
Module Name: src
Committed By: martin
Date: Fri Apr 3 13:02:12 UTC 2026
Modified Files:
src/external/gpl3/gcc/dist/gcc [netbsd-11]: cfgexpand.cc
Log Message:
Pull up following revision(s) (requested by yamt in ticket #245):
external/gpl3/gcc.old/dist/gcc/cfgexpand.cc: revision 1.2
(applied to external/gpl3/gcc/dist/gcc/cfgexpand.cc)
PR/59994 gcc/m68k generates bad code for stack protector
Record the alignment of the stack canary before allocating space for
it in a stack frame.
Generate an assignment expression to initialise the canary instead of
emitting a move instruction.
To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.2.1 src/external/gpl3/gcc/dist/gcc/cfgexpand.cc
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: