Open Radar

 
Apple clang emits a call to ____chkstk_darwin in functions that use more than a page of stack space. This is to prevent skipping over the guard page.

When using an altstack, ____chkstk_darwin probes an unexpectedly far away location. It correctly probes a location every 0x1000 bytes from %rsp to %rsp-stack_size, but it then *incorrectly* probes a location near %rsp-stack_size*2 (which is the last probed location less stack_size).

This last probing may cause an invalid memory access. As a result, functions that use N stack space may cause the program to crash if there is less than N*2 available stack space.

How to reproduce:

- https://gist.github.com/arnaud-lb/495b5e22810e3dfe951fb42a65063e36
- cc -o test test.c
- ./test

Expected result: the program terminates normally

Actual result: zsh: bus error  ./test

The culprit seems to be that after probing every page, ___chkstk_darwin subtracts %rax (the requested stack size) from the last probed location, and probes the resulting address: https://github.com/apple-oss-distributions/libpthread/blob/e42795c13eaf5eb32ae06103b1b50caae3c01d27/src/pthread_asm.s#L99-L101

```
Lloop:
	subq   $0x1000, %rcx
	testq  %rcx, (%rcx)
	subq   $0x1000, %rax
	cmpq   $0x1000, %rax
	ja     Lloop
	popq   %rax           // %rax: requested stack size
Lend:
	subq   %rax, %rcx     // %rcx: last probed location
	testq  %rcx, (%rcx)   // invalid memory access 

	popq   %rcx
	retq
```

____chkstk_darwin is emitted by clang (Apple version only) when -fstack-check is enabled (the default).