libc 在哪些平台上将堆栈 cookie 值存储在 __stack_chk_guard 以外的位置？

Question

例如，Linux/i386 上的 glibc 将 cookie 存储在 %gs:0x14 处。除了 __stack_chk_guard 符号之外，是否还有其他平台需要我查看其他地方才能找到 cookie？

（这是 gcc -fstack-protector 生成的代码在函数序言中将值存储到堆栈上的位置，并在返回之前进行检查以防止堆栈崩溃）。

Answer 1

从 gcc 源代码中定义 TARGET_THREAD_SSP_OFFSET 的 grep -B1 （或者使用 google codesearch http://www.google.com/codesearch?q=TARGET_THREAD_SSP_OFFSET&exact_package=http%3A%2F%2Fmosync。 googlecode.com%2Fsvn&hl=en ）

gcc4/trunk/gcc-4.4.3/gcc/config/sparc/linux.h 
   168: /* sparc glibc provides __stack_chk_guard in [%g7 + 0x14].  */
   169: #define TARGET_THREAD_SSP_OFFSET        0x14

gcc4/trunk/gcc-4.4.3/gcc/config/sparc/linux64.h 
   302:    sparc64 glibc provides it at [%g7 + 0x28].  */
   303: #define TARGET_THREAD_SSP_OFFSET        (TARGET_ARCH64 ? 0x28 : 0x14)

gcc4/trunk/gcc-4.4.3/gcc/config/s390/linux.h 
    98:    s390x glibc provides it at 0x28(tp).  */
    99: #define TARGET_THREAD_SSP_OFFSET        (TARGET_64BIT ? 0x28 : 0x14)

gcc4/trunk/gcc-4.4.3/gcc/config/i386/linux.h 
   214: /* i386 glibc provides __stack_chk_guard in %gs:0x14.  */
   215: #define TARGET_THREAD_SSP_OFFSET        0x14

gcc4/trunk/gcc-4.4.3/gcc/config/rs6000/linux.h 
   121: /* ppc32 glibc provides __stack_chk_guard in -0x7008(2).  */
   122: #define TARGET_THREAD_SSP_OFFSET        -0x7008

gcc4/trunk/gcc-4.4.3/gcc/config/rs6000/linux64.h 
   525:    ppc64 glibc provides it at -0x7010(13).  */
   526: #define TARGET_THREAD_SSP_OFFSET        (TARGET_64BIT ? -0x7010 : -0x7008)

gcc4/trunk/gcc-4.4.3/gcc/config/i386/linux64.h 
   118:    x86_64 glibc provides it in %fs:0x28.  */
   119: #define TARGET_THREAD_SSP_OFFSET        (TARGET_64BIT ? 0x28 : 0x14)

对于 glibc：
http://www.google .com/codesearch/p?hl=en#xy1xtVWIKOQ/pub/glibc/snapshots/glibc-latest.tar.bz2%7CXP6Z3zoy3dk/glibc-20090518/elf/stackguard-macros.h&q=stack_chk_guard&exact_package=ftp:/ /sources.redhat.com/pub/glibc/snapshots/glibc-latest.tar.bz2&l=8

#ifdef __i386__
# define STACK_CHK_GUARD \
  ({ uintptr_t x; asm ("movl %%gs:0x14, %0" : "=r" (x)); x; })
#elif defined __x86_64__
# define STACK_CHK_GUARD \
  ({ uintptr_t x; asm ("movq %%fs:0x28, %0" : "=r" (x)); x; })
#elif defined __powerpc64__
# define STACK_CHK_GUARD \
  ({ uintptr_t x; asm ("ld %0,-28688(13)" : "=r" (x)); x; })
#elif defined __powerpc__
# define STACK_CHK_GUARD \
  ({ uintptr_t x; asm ("lwz %0,-28680(2)" : "=r" (x)); x; })
#elif defined __sparc__ && defined __arch64__
# define STACK_CHK_GUARD \
  ({ uintptr_t x; asm ("ldx [%%g7+0x28], %0" : "=r" (x)); x; })
#elif defined __sparc__
# define STACK_CHK_GUARD \
  ({ uintptr_t x; asm ("ld [%%g7+0x14], %0" : "=r" (x)); x; })
#elif defined __s390x__
# define STACK_CHK_GUARD \
  ({ uintptr_t x; asm ("ear %0,%%a0; sllg %0,%0,32; ear %0,%%a1; lg %0,0x28(%0)" : "=a" (x)); x; })
#elif defined __s390__
# define STACK_CHK_GUARD \
  ({ uintptr_t x; asm ("ear %0,%%a0; l %0,0x14(%0)" : "=a" (x)); x; })
#elif defined __ia64__
# define STACK_CHK_GUARD \
  ({ uintptr_t x; asm ("adds %0 = -8, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
#else
extern uintptr_t __stack_chk_guard;
# define STACK_CHK_GUARD __stack_chk_guard
#endif

所以，看起来 gcc & glibc 始终对主要平台使用相同的位置，可通过 STACK_CHK_GUARD 宏进行访问