Patch-Source: https://github.com/php/php-src/pull/10407 From a9eed6038b37cfe55ca1ba8d389a1fadd1b78937 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sat, 21 Jan 2023 20:49:31 +0100 Subject: [PATCH] Sync boost/context assembly files for fibers Fixes GH-10398 The stack was misaligned upon entering the trampoline function [1], this causes a CPU trap when the SSE instruction is executed to copy data from the stack. This was fixed upstream [2]. This commit syncs all upstream changes from the boost/context assembly files to our copy. [1] https://github.com/php/php-src/pull/10407#issuecomment-1404180877 [2] https://github.com/boostorg/context/pull/219 --- Zend/asm/jump_i386_sysv_elf_gas.S | 44 ++++--- Zend/asm/jump_ppc32_sysv_macho_gas.S | 184 +++++++++++++-------------- Zend/asm/jump_ppc64_sysv_macho_gas.S | 18 +-- Zend/asm/jump_x86_64_sysv_elf_gas.S | 79 +++++++++--- Zend/asm/make_i386_sysv_elf_gas.S | 26 ++-- Zend/asm/make_i386_sysv_macho_gas.S | 4 +- Zend/asm/make_ppc32_sysv_macho_gas.S | 83 +++++++----- Zend/asm/make_ppc64_sysv_macho_gas.S | 16 +-- Zend/asm/make_x86_64_sysv_elf_gas.S | 71 ++++++++++- 9 files changed, 330 insertions(+), 195 deletions(-) diff --git a/Zend/asm/jump_i386_sysv_elf_gas.S b/Zend/asm/jump_i386_sysv_elf_gas.S index b96d4b5c0e70..47be9e77822e 100644 --- a/Zend/asm/jump_i386_sysv_elf_gas.S +++ b/Zend/asm/jump_i386_sysv_elf_gas.S @@ -12,14 +12,14 @@ * ---------------------------------------------------------------------------------- * * | 0x0 | 0x4 | 0x8 | 0xc | 0x10 | 0x14 | 0x18 | 0x1c | * * ---------------------------------------------------------------------------------- * - * | fc_mxcsr|fc_x87_cw| EDI | ESI | EBX | EBP | EIP | hidden | * + * | fc_mxcsr|fc_x87_cw| guard | EDI | ESI | EBX | EBP | EIP | * * ---------------------------------------------------------------------------------- * * ---------------------------------------------------------------------------------- * * | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | * * ---------------------------------------------------------------------------------- * - * | 0x20 | 0x24 | | * + * | 0x20 | 0x24 | 0x28 | | * * ---------------------------------------------------------------------------------- * - * | to | data | | * + * | hidden | to | data | | * * ---------------------------------------------------------------------------------- * * * ****************************************************************************************/ @@ -30,50 +30,60 @@ .align 2 .type jump_fcontext,@function jump_fcontext: - leal -0x18(%esp), %esp /* prepare stack */ + leal -0x1c(%esp), %esp /* prepare stack */ #if !defined(BOOST_USE_TSX) stmxcsr (%esp) /* save MMX control- and status-word */ fnstcw 0x4(%esp) /* save x87 control-word */ #endif - movl %edi, 0x8(%esp) /* save EDI */ - movl %esi, 0xc(%esp) /* save ESI */ - movl %ebx, 0x10(%esp) /* save EBX */ - movl %ebp, 0x14(%esp) /* save EBP */ +#if defined(BOOST_CONTEXT_TLS_STACK_PROTECTOR) + movl %gs:0x14, %ecx /* read stack guard from TLS record */ + movl %ecx, 0x8(%esp) /* save stack guard */ +#endif + + movl %edi, 0xc(%esp) /* save EDI */ + movl %esi, 0x10(%esp) /* save ESI */ + movl %ebx, 0x14(%esp) /* save EBX */ + movl %ebp, 0x18(%esp) /* save EBP */ /* store ESP (pointing to context-data) in ECX */ movl %esp, %ecx /* first arg of jump_fcontext() == fcontext to jump to */ - movl 0x20(%esp), %eax + movl 0x24(%esp), %eax /* second arg of jump_fcontext() == data to be transferred */ - movl 0x24(%esp), %edx + movl 0x28(%esp), %edx /* restore ESP (pointing to context-data) from EAX */ movl %eax, %esp /* address of returned transport_t */ - movl 0x1c(%esp), %eax + movl 0x20(%esp), %eax /* return parent fcontext_t */ movl %ecx, (%eax) /* return data */ movl %edx, 0x4(%eax) - movl 0x18(%esp), %ecx /* restore EIP */ + movl 0x1c(%esp), %ecx /* restore EIP */ #if !defined(BOOST_USE_TSX) ldmxcsr (%esp) /* restore MMX control- and status-word */ fldcw 0x4(%esp) /* restore x87 control-word */ #endif - movl 0x8(%esp), %edi /* restore EDI */ - movl 0xc(%esp), %esi /* restore ESI */ - movl 0x10(%esp), %ebx /* restore EBX */ - movl 0x14(%esp), %ebp /* restore EBP */ +#if defined(BOOST_CONTEXT_TLS_STACK_PROTECTOR) + movl 0x8(%esp), %edx /* load stack guard */ + movl %edx, %gs:0x14 /* restore stack guard to TLS record */ +#endif + + movl 0xc(%esp), %edi /* restore EDI */ + movl 0x10(%esp), %esi /* restore ESI */ + movl 0x14(%esp), %ebx /* restore EBX */ + movl 0x18(%esp), %ebp /* restore EBP */ - leal 0x20(%esp), %esp /* prepare stack */ + leal 0x24(%esp), %esp /* prepare stack */ /* jump to context */ jmp *%ecx diff --git a/Zend/asm/jump_ppc32_sysv_macho_gas.S b/Zend/asm/jump_ppc32_sysv_macho_gas.S index c555237afa2e..fef90c295f8c 100644 --- a/Zend/asm/jump_ppc32_sysv_macho_gas.S +++ b/Zend/asm/jump_ppc32_sysv_macho_gas.S @@ -80,122 +80,122 @@ _jump_fcontext: ; reserve space on stack subi r1, r1, 244 - stfd f14, 0(r1) # save F14 - stfd f15, 8(r1) # save F15 - stfd f16, 16(r1) # save F16 - stfd f17, 24(r1) # save F17 - stfd f18, 32(r1) # save F18 - stfd f19, 40(r1) # save F19 - stfd f20, 48(r1) # save F20 - stfd f21, 56(r1) # save F21 - stfd f22, 64(r1) # save F22 - stfd f23, 72(r1) # save F23 - stfd f24, 80(r1) # save F24 - stfd f25, 88(r1) # save F25 - stfd f26, 96(r1) # save F26 - stfd f27, 104(r1) # save F27 - stfd f28, 112(r1) # save F28 - stfd f29, 120(r1) # save F29 - stfd f30, 128(r1) # save F30 - stfd f31, 136(r1) # save F31 - mffs f0 # load FPSCR - stfd f0, 144(r1) # save FPSCR + stfd f14, 0(r1) ; save F14 + stfd f15, 8(r1) ; save F15 + stfd f16, 16(r1) ; save F16 + stfd f17, 24(r1) ; save F17 + stfd f18, 32(r1) ; save F18 + stfd f19, 40(r1) ; save F19 + stfd f20, 48(r1) ; save F20 + stfd f21, 56(r1) ; save F21 + stfd f22, 64(r1) ; save F22 + stfd f23, 72(r1) ; save F23 + stfd f24, 80(r1) ; save F24 + stfd f25, 88(r1) ; save F25 + stfd f26, 96(r1) ; save F26 + stfd f27, 104(r1) ; save F27 + stfd f28, 112(r1) ; save F28 + stfd f29, 120(r1) ; save F29 + stfd f30, 128(r1) ; save F30 + stfd f31, 136(r1) ; save F31 + mffs f0 ; load FPSCR + stfd f0, 144(r1) ; save FPSCR - stw r13, 152(r1) # save R13 - stw r14, 156(r1) # save R14 - stw r15, 160(r1) # save R15 - stw r16, 164(r1) # save R16 - stw r17, 168(r1) # save R17 - stw r18, 172(r1) # save R18 - stw r19, 176(r1) # save R19 - stw r20, 180(r1) # save R20 - stw r21, 184(r1) # save R21 - stw r22, 188(r1) # save R22 - stw r23, 192(r1) # save R23 - stw r24, 196(r1) # save R24 - stw r25, 200(r1) # save R25 - stw r26, 204(r1) # save R26 - stw r27, 208(r1) # save R27 - stw r28, 212(r1) # save R28 - stw r29, 216(r1) # save R29 - stw r30, 220(r1) # save R30 - stw r31, 224(r1) # save R31 - stw r3, 228(r1) # save hidden + stw r13, 152(r1) ; save R13 + stw r14, 156(r1) ; save R14 + stw r15, 160(r1) ; save R15 + stw r16, 164(r1) ; save R16 + stw r17, 168(r1) ; save R17 + stw r18, 172(r1) ; save R18 + stw r19, 176(r1) ; save R19 + stw r20, 180(r1) ; save R20 + stw r21, 184(r1) ; save R21 + stw r22, 188(r1) ; save R22 + stw r23, 192(r1) ; save R23 + stw r24, 196(r1) ; save R24 + stw r25, 200(r1) ; save R25 + stw r26, 204(r1) ; save R26 + stw r27, 208(r1) ; save R27 + stw r28, 212(r1) ; save R28 + stw r29, 216(r1) ; save R29 + stw r30, 220(r1) ; save R30 + stw r31, 224(r1) ; save R31 + stw r3, 228(r1) ; save hidden - # save CR + ; save CR mfcr r0 stw r0, 232(r1) - # save LR + ; save LR mflr r0 stw r0, 236(r1) - # save LR as PC + ; save LR as PC stw r0, 240(r1) - # store RSP (pointing to context-data) in R6 + ; store RSP (pointing to context-data) in R6 mr r6, r1 - # restore RSP (pointing to context-data) from R4 + ; restore RSP (pointing to context-data) from R4 mr r1, r4 - lfd f14, 0(r1) # restore F14 - lfd f15, 8(r1) # restore F15 - lfd f16, 16(r1) # restore F16 - lfd f17, 24(r1) # restore F17 - lfd f18, 32(r1) # restore F18 - lfd f19, 40(r1) # restore F19 - lfd f20, 48(r1) # restore F20 - lfd f21, 56(r1) # restore F21 - lfd f22, 64(r1) # restore F22 - lfd f23, 72(r1) # restore F23 - lfd f24, 80(r1) # restore F24 - lfd f25, 88(r1) # restore F25 - lfd f26, 96(r1) # restore F26 - lfd f27, 104(r1) # restore F27 - lfd f28, 112(r1) # restore F28 - lfd f29, 120(r1) # restore F29 - lfd f30, 128(r1) # restore F30 - lfd f31, 136(r1) # restore F31 - lfd f0, 144(r1) # load FPSCR - mtfsf 0xff, f0 # restore FPSCR + lfd f14, 0(r1) ; restore F14 + lfd f15, 8(r1) ; restore F15 + lfd f16, 16(r1) ; restore F16 + lfd f17, 24(r1) ; restore F17 + lfd f18, 32(r1) ; restore F18 + lfd f19, 40(r1) ; restore F19 + lfd f20, 48(r1) ; restore F20 + lfd f21, 56(r1) ; restore F21 + lfd f22, 64(r1) ; restore F22 + lfd f23, 72(r1) ; restore F23 + lfd f24, 80(r1) ; restore F24 + lfd f25, 88(r1) ; restore F25 + lfd f26, 96(r1) ; restore F26 + lfd f27, 104(r1) ; restore F27 + lfd f28, 112(r1) ; restore F28 + lfd f29, 120(r1) ; restore F29 + lfd f30, 128(r1) ; restore F30 + lfd f31, 136(r1) ; restore F31 + lfd f0, 144(r1) ; load FPSCR + mtfsf 0xff, f0 ; restore FPSCR - lwz r13, 152(r1) # restore R13 - lwz r14, 156(r1) # restore R14 - lwz r15, 160(r1) # restore R15 - lwz r16, 164(r1) # restore R16 - lwz r17, 168(r1) # restore R17 - lwz r18, 172(r1) # restore R18 - lwz r19, 176(r1) # restore R19 - lwz r20, 180(r1) # restore R20 - lwz r21, 184(r1) # restore R21 - lwz r22, 188(r1) # restore R22 - lwz r23, 192(r1) # restore R23 - lwz r24, 196(r1) # restore R24 - lwz r25, 200(r1) # restore R25 - lwz r26, 204(r1) # restore R26 - lwz r27, 208(r1) # restore R27 - lwz r28, 212(r1) # restore R28 - lwz r29, 216(r1) # restore R29 - lwz r30, 220(r1) # restore R30 - lwz r31, 224(r1) # restore R31 - lwz r3, 228(r1) # restore hidden + lwz r13, 152(r1) ; restore R13 + lwz r14, 156(r1) ; restore R14 + lwz r15, 160(r1) ; restore R15 + lwz r16, 164(r1) ; restore R16 + lwz r17, 168(r1) ; restore R17 + lwz r18, 172(r1) ; restore R18 + lwz r19, 176(r1) ; restore R19 + lwz r20, 180(r1) ; restore R20 + lwz r21, 184(r1) ; restore R21 + lwz r22, 188(r1) ; restore R22 + lwz r23, 192(r1) ; restore R23 + lwz r24, 196(r1) ; restore R24 + lwz r25, 200(r1) ; restore R25 + lwz r26, 204(r1) ; restore R26 + lwz r27, 208(r1) ; restore R27 + lwz r28, 212(r1) ; restore R28 + lwz r29, 216(r1) ; restore R29 + lwz r30, 220(r1) ; restore R30 + lwz r31, 224(r1) ; restore R31 + lwz r3, 228(r1) ; restore hidden - # restore CR + ; restore CR lwz r0, 232(r1) mtcr r0 - # restore LR + ; restore LR lwz r0, 236(r1) mtlr r0 - # load PC + ; load PC lwz r0, 240(r1) - # restore CTR + ; restore CTR mtctr r0 - # adjust stack + ; adjust stack addi r1, r1, 244 - # return transfer_t + ; return transfer_t stw r6, 0(r3) stw r5, 4(r3) - # jump to context + ; jump to context bctr diff --git a/Zend/asm/jump_ppc64_sysv_macho_gas.S b/Zend/asm/jump_ppc64_sysv_macho_gas.S index 74fcb2ab3528..dcc6c645db61 100644 --- a/Zend/asm/jump_ppc64_sysv_macho_gas.S +++ b/Zend/asm/jump_ppc64_sysv_macho_gas.S @@ -12,7 +12,7 @@ * ------------------------------------------------- * * | 0 | 4 | 8 | 12 | 16 | 20 | 24 | 28 | * * ------------------------------------------------- * - * | TOC | R14 | R15 | R16 | * + * | R13 | R14 | R15 | R16 | * * ------------------------------------------------- * * ------------------------------------------------- * * | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | * @@ -61,7 +61,7 @@ * ------------------------------------------------- * * | 224 | 228 | 232 | 236 | 240 | 244 | 248 | 252 | * * ------------------------------------------------- * - * | TOC saved | FCTX | DATA | | * + * | FCTX | DATA | | | * * ------------------------------------------------- * * * *******************************************************/ @@ -138,27 +138,27 @@ _jump_fcontext: ; load PC ld r12, 176(r1) - # restore CTR + ; restore CTR mtctr r12 - # adjust stack + ; adjust stack addi r1, r1, 184 - # zero in r3 indicates first jump to context-function + ; zero in r3 indicates first jump to context-function cmpdi r3, 0 beq use_entry_arg - # return transfer_t + ; return transfer_t std r6, 0(r3) std r5, 8(r3) - # jump to context + ; jump to context bctr use_entry_arg: - # copy transfer_t into transfer_fn arg registers + ; copy transfer_t into transfer_fn arg registers mr r3, r6 mr r4, r5 - # jump to context + ; jump to context bctr diff --git a/Zend/asm/jump_x86_64_sysv_elf_gas.S b/Zend/asm/jump_x86_64_sysv_elf_gas.S index c675c8c774c2..58f0e241d70f 100644 --- a/Zend/asm/jump_x86_64_sysv_elf_gas.S +++ b/Zend/asm/jump_x86_64_sysv_elf_gas.S @@ -12,20 +12,29 @@ * ---------------------------------------------------------------------------------- * * | 0x0 | 0x4 | 0x8 | 0xc | 0x10 | 0x14 | 0x18 | 0x1c | * * ---------------------------------------------------------------------------------- * - * | fc_mxcsr|fc_x87_cw| R12 | R13 | R14 | * + * | fc_mxcsr|fc_x87_cw| guard | R12 | R13 | * * ---------------------------------------------------------------------------------- * * ---------------------------------------------------------------------------------- * * | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | * * ---------------------------------------------------------------------------------- * * | 0x20 | 0x24 | 0x28 | 0x2c | 0x30 | 0x34 | 0x38 | 0x3c | * * ---------------------------------------------------------------------------------- * - * | R15 | RBX | RBP | RIP | * + * | R14 | R15 | RBX | RBP | * + * ---------------------------------------------------------------------------------- * + * ---------------------------------------------------------------------------------- * + * | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | * + * ---------------------------------------------------------------------------------- * + * | 0x40 | 0x44 | | * + * ---------------------------------------------------------------------------------- * + * | RIP | | * * ---------------------------------------------------------------------------------- * * * ****************************************************************************************/ # if defined __CET__ # include +# define SHSTK_ENABLED (__CET__ & 0x2) +# define BOOST_CONTEXT_SHADOW_STACK (SHSTK_ENABLED && SHADOW_STACK_SYSCALL) # else # define _CET_ENDBR # endif @@ -36,19 +45,32 @@ .align 16 jump_fcontext: _CET_ENDBR - leaq -0x38(%rsp), %rsp /* prepare stack */ + leaq -0x40(%rsp), %rsp /* prepare stack */ #if !defined(BOOST_USE_TSX) stmxcsr (%rsp) /* save MMX control- and status-word */ fnstcw 0x4(%rsp) /* save x87 control-word */ #endif - movq %r12, 0x8(%rsp) /* save R12 */ - movq %r13, 0x10(%rsp) /* save R13 */ - movq %r14, 0x18(%rsp) /* save R14 */ - movq %r15, 0x20(%rsp) /* save R15 */ - movq %rbx, 0x28(%rsp) /* save RBX */ - movq %rbp, 0x30(%rsp) /* save RBP */ +#if defined(BOOST_CONTEXT_TLS_STACK_PROTECTOR) + movq %fs:0x28, %rcx /* read stack guard from TLS record */ + movq %rcx, 0x8(%rsp) /* save stack guard */ +#endif + + movq %r12, 0x10(%rsp) /* save R12 */ + movq %r13, 0x18(%rsp) /* save R13 */ + movq %r14, 0x20(%rsp) /* save R14 */ + movq %r15, 0x28(%rsp) /* save R15 */ + movq %rbx, 0x30(%rsp) /* save RBX */ + movq %rbp, 0x38(%rsp) /* save RBP */ + +#if BOOST_CONTEXT_SHADOW_STACK + /* grow the stack to reserve space for shadow stack pointer(SSP) */ + leaq -0x8(%rsp), %rsp + /* read the current SSP and store it */ + rdsspq %rcx + movq %rcx, (%rsp) +#endif /* store RSP (pointing to context-data) in RAX */ movq %rsp, %rax @@ -56,21 +78,44 @@ jump_fcontext: /* restore RSP (pointing to context-data) from RDI */ movq %rdi, %rsp - movq 0x38(%rsp), %r8 /* restore return-address */ +#if BOOST_CONTEXT_SHADOW_STACK + /* first 8 bytes are SSP */ + movq (%rsp), %rcx + leaq 0x8(%rsp), %rsp + + /* Restore target(new) shadow stack */ + rstorssp -8(%rcx) + /* restore token for previous shadow stack is pushed */ + /* on previous shadow stack after saveprevssp */ + saveprevssp + + /* when return, jump_fcontext jump to restored return address */ + /* (r8) instead of RET. This miss of RET implies us to unwind */ + /* shadow stack accordingly. Otherwise mismatch occur */ + movq $1, %rcx + incsspq %rcx +#endif + + movq 0x40(%rsp), %r8 /* restore return-address */ #if !defined(BOOST_USE_TSX) ldmxcsr (%rsp) /* restore MMX control- and status-word */ fldcw 0x4(%rsp) /* restore x87 control-word */ #endif - movq 0x8(%rsp), %r12 /* restore R12 */ - movq 0x10(%rsp), %r13 /* restore R13 */ - movq 0x18(%rsp), %r14 /* restore R14 */ - movq 0x20(%rsp), %r15 /* restore R15 */ - movq 0x28(%rsp), %rbx /* restore RBX */ - movq 0x30(%rsp), %rbp /* restore RBP */ +#if defined(BOOST_CONTEXT_TLS_STACK_PROTECTOR) + movq 0x8(%rsp), %rdx /* load stack guard */ + movq %rdx, %fs:0x28 /* restore stack guard to TLS record */ +#endif + + movq 0x10(%rsp), %r12 /* restore R12 */ + movq 0x18(%rsp), %r13 /* restore R13 */ + movq 0x20(%rsp), %r14 /* restore R14 */ + movq 0x28(%rsp), %r15 /* restore R15 */ + movq 0x30(%rsp), %rbx /* restore RBX */ + movq 0x38(%rsp), %rbp /* restore RBP */ - leaq 0x40(%rsp), %rsp /* prepare stack */ + leaq 0x48(%rsp), %rsp /* prepare stack */ /* return transfer_t from jump */ #if !defined(_ILP32) diff --git a/Zend/asm/make_i386_sysv_elf_gas.S b/Zend/asm/make_i386_sysv_elf_gas.S index b76de260d211..9261e566c0d4 100644 --- a/Zend/asm/make_i386_sysv_elf_gas.S +++ b/Zend/asm/make_i386_sysv_elf_gas.S @@ -12,14 +12,14 @@ * ---------------------------------------------------------------------------------- * * | 0x0 | 0x4 | 0x8 | 0xc | 0x10 | 0x14 | 0x18 | 0x1c | * * ---------------------------------------------------------------------------------- * - * | fc_mxcsr|fc_x87_cw| EDI | ESI | EBX | EBP | EIP | hidden | * + * | fc_mxcsr|fc_x87_cw| guard | EDI | ESI | EBX | EBP | EIP | * * ---------------------------------------------------------------------------------- * * ---------------------------------------------------------------------------------- * * | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | * * ---------------------------------------------------------------------------------- * - * | 0x20 | 0x24 | | * + * | 0x20 | 0x24 | 0x28 | | * * ---------------------------------------------------------------------------------- * - * | to | data | | * + * | hidden | to | data | | * * ---------------------------------------------------------------------------------- * * * ****************************************************************************************/ @@ -40,23 +40,29 @@ make_fcontext: /* shift address in EAX to lower 16 byte boundary */ andl $-16, %eax - /* reserve space for context-data on context-stack */ - leal -0x28(%eax), %eax + /* reserve space for context-data on context-stack, and align the stack */ + leal -0x34(%eax), %eax /* third arg of make_fcontext() == address of context-function */ /* stored in EBX */ movl 0xc(%esp), %ecx - movl %ecx, 0x10(%eax) + movl %ecx, 0x14(%eax) /* save MMX control- and status-word */ stmxcsr (%eax) /* save x87 control-word */ fnstcw 0x4(%eax) +#if defined(BOOST_CONTEXT_TLS_STACK_PROTECTOR) + /* save stack guard */ + movl %gs:0x14, %ecx /* read stack guard from TLS record */ + movl %ecx, 0x8(%eax) /* save stack guard */ +#endif + /* return transport_t */ /* FCTX == EDI, DATA == ESI */ - leal 0x8(%eax), %ecx - movl %ecx, 0x1c(%eax) + leal 0xc(%eax), %ecx + movl %ecx, 0x20(%eax) /* compute abs address of label trampoline */ call 1f @@ -66,7 +72,7 @@ make_fcontext: addl $trampoline-1b, %ecx /* save address of trampoline as return address */ /* will be entered after calling jump_fcontext() first time */ - movl %ecx, 0x18(%eax) + movl %ecx, 0x1c(%eax) /* compute abs address of label finish */ call 2f @@ -76,7 +82,7 @@ make_fcontext: addl $finish-2b, %ecx /* save address of finish as return-address for context-function */ /* will be entered after context-function returns */ - movl %ecx, 0x14(%eax) + movl %ecx, 0x18(%eax) ret /* return pointer to context-data */ diff --git a/Zend/asm/make_i386_sysv_macho_gas.S b/Zend/asm/make_i386_sysv_macho_gas.S index fdcdb7c80fbf..519e406248bb 100644 --- a/Zend/asm/make_i386_sysv_macho_gas.S +++ b/Zend/asm/make_i386_sysv_macho_gas.S @@ -38,8 +38,8 @@ _make_fcontext: /* shift address in EAX to lower 16 byte boundary */ andl $-16, %eax - /* reserve space for context-data on context-stack */ - leal -0x2c(%eax), %eax + /* reserve space for context-data on context-stack, and align the stack */ + leal -0x34(%eax), %eax /* third arg of make_fcontext() == address of context-function */ /* stored in EBX */ diff --git a/Zend/asm/make_ppc32_sysv_macho_gas.S b/Zend/asm/make_ppc32_sysv_macho_gas.S index 8f35eff9abbf..1102ee90ef07 100644 --- a/Zend/asm/make_ppc32_sysv_macho_gas.S +++ b/Zend/asm/make_ppc32_sysv_macho_gas.S @@ -77,61 +77,78 @@ .globl _make_fcontext .align 2 _make_fcontext: - # save return address into R6 + ; save return address into R6 mflr r6 - # first arg of make_fcontext() == top address of context-function - # shift address in R3 to lower 16 byte boundary + ; first arg of make_fcontext() == top address of context-function + ; shift address in R3 to lower 16 byte boundary clrrwi r3, r3, 4 - # reserve space for context-data on context-stack - # including 64 byte of linkage + parameter area (R1 16 == 0) + ; reserve space for context-data on context-stack + ; including 64 byte of linkage + parameter area (R1 % 16 == 0) subi r3, r3, 336 - # third arg of make_fcontext() == address of context-function - stw r5, 240(r3) + ; third arg of make_fcontext() == address of context-function + ; store as trampoline's R31 + stw r5, 224(r3) - # set back-chain to zero + ; set back-chain to zero li r0, 0 stw r0, 244(r3) - mffs f0 # load FPSCR - stfd f0, 144(r3) # save FPSCR + mffs f0 ; load FPSCR + stfd f0, 144(r3) ; save FPSCR - # compute address of returned transfer_t + ; compute address of returned transfer_t addi r0, r3, 252 mr r4, r0 stw r4, 228(r3) - # load LR + ; load LR mflr r0 - # jump to label 1 - bl 1f -1: - # load LR into R4 + ; jump to label 1 + bcl 20, 31, L1 +L1: + ; load LR into R4 mflr r4 - # compute abs address of label finish - addi r4, r4, finish - 1b - # restore LR + ; compute abs address of trampoline, use as PC + addi r5, r4, lo16(Ltrampoline - L1) + stw r5, 240(r3) + ; compute abs address of label finish + addi r4, r4, lo16(Lfinish - L1) + ; restore LR mtlr r0 - # save address of finish as return-address for context-function - # will be entered after context-function returns + ; save address of finish as return-address for context-function + ; will be entered after context-function returns stw r4, 236(r3) - # restore return address from R6 + ; restore return address from R6 mtlr r6 - blr # return pointer to context-data + blr ; return pointer to context-data -finish: - # save return address into R0 - mflr r0 - # save return address on stack, set up stack frame - stw r0, 4(r1) - # allocate stack space, R1 16 == 0 - stwu r1, -16(r1) +Ltrampoline: + ; We get R31 = context-function, R3 = address of transfer_t, + ; but we need to pass R3:R4 = transfer_t. + mtctr r31 + lwz r4, 4(r3) + lwz r3, 0(r3) + bctr - # exit code is zero +Lfinish: + ; load address of _exit into CTR + bcl 20, 31, L2 +L2: + mflr r4 + addis r4, r4, ha16(Lexitp - L2) + lwz r4, lo16(Lexitp - L2)(r4) + mtctr r4 + ; exit code is zero li r3, 0 - # exit application - bl _exit@plt + ; exit application + bctr + +.const_data +.align 2 +Lexitp: + .long __exit diff --git a/Zend/asm/make_ppc64_sysv_macho_gas.S b/Zend/asm/make_ppc64_sysv_macho_gas.S index 7b947bb6b030..fb5cada265a6 100644 --- a/Zend/asm/make_ppc64_sysv_macho_gas.S +++ b/Zend/asm/make_ppc64_sysv_macho_gas.S @@ -12,7 +12,7 @@ * ------------------------------------------------- * * | 0 | 4 | 8 | 12 | 16 | 20 | 24 | 28 | * * ------------------------------------------------- * - * | TOC | R14 | R15 | R16 | * + * | R13 | R14 | R15 | R16 | * * ------------------------------------------------- * * ------------------------------------------------- * * | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | * @@ -61,7 +61,7 @@ * ------------------------------------------------- * * | 224 | 228 | 232 | 236 | 240 | 244 | 248 | 252 | * * ------------------------------------------------- * - * | TOC saved | FCTX | DATA | | * + * | FCTX | DATA | | | * * ------------------------------------------------- * * * @@ -77,19 +77,19 @@ _make_fcontext: ; reserve space for context-data on context-stack ; including 64 byte of linkage + parameter area (R1 16 == 0) - subi r3, r3, 248 + subi r3, r3, 240 ; third arg of make_fcontext() == address of context-function stw r5, 176(r3) ; set back-chain to zero - li %r0, 0 - std %r0, 184(%r3) + li r0, 0 + std r0, 184(r3) ; compute address of returned transfer_t - addi %r0, %r3, 232 - mr %r4, %r0 - std %r4, 152(%r3) + addi r0, r3, 224 + mr r4, r0 + std r4, 152(r3) ; load LR mflr r0 diff --git a/Zend/asm/make_x86_64_sysv_elf_gas.S b/Zend/asm/make_x86_64_sysv_elf_gas.S index d422c6972df9..4294398a2edc 100644 --- a/Zend/asm/make_x86_64_sysv_elf_gas.S +++ b/Zend/asm/make_x86_64_sysv_elf_gas.S @@ -12,20 +12,29 @@ * ---------------------------------------------------------------------------------- * * | 0x0 | 0x4 | 0x8 | 0xc | 0x10 | 0x14 | 0x18 | 0x1c | * * ---------------------------------------------------------------------------------- * - * | fc_mxcsr|fc_x87_cw| R12 | R13 | R14 | * + * | fc_mxcsr|fc_x87_cw| guard | R12 | R13 | * * ---------------------------------------------------------------------------------- * * ---------------------------------------------------------------------------------- * * | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | * * ---------------------------------------------------------------------------------- * * | 0x20 | 0x24 | 0x28 | 0x2c | 0x30 | 0x34 | 0x38 | 0x3c | * * ---------------------------------------------------------------------------------- * - * | R15 | RBX | RBP | RIP | * + * | R14 | R15 | RBX | RBP | * + * ---------------------------------------------------------------------------------- * + * ---------------------------------------------------------------------------------- * + * | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | * + * ---------------------------------------------------------------------------------- * + * | 0x40 | 0x44 | | * + * ---------------------------------------------------------------------------------- * + * | RIP | | * * ---------------------------------------------------------------------------------- * * * ****************************************************************************************/ # if defined __CET__ # include +# define SHSTK_ENABLED (__CET__ & 0x2) +# define BOOST_CONTEXT_SHADOW_STACK (SHSTK_ENABLED && SHADOW_STACK_SYSCALL) # else # define _CET_ENDBR # endif @@ -36,6 +45,11 @@ .align 16 make_fcontext: _CET_ENDBR +#if BOOST_CONTEXT_SHADOW_STACK + /* the new shadow stack pointer (SSP) */ + movq -0x8(%rdi), %r9 +#endif + /* first arg of make_fcontext() == top of context-stack */ movq %rdi, %rax @@ -44,36 +58,79 @@ make_fcontext: /* reserve space for context-data on context-stack */ /* on context-function entry: (RSP -0x8) % 16 == 0 */ - leaq -0x40(%rax), %rax + leaq -0x48(%rax), %rax /* third arg of make_fcontext() == address of context-function */ /* stored in RBX */ - movq %rdx, 0x28(%rax) + movq %rdx, 0x30(%rax) /* save MMX control- and status-word */ stmxcsr (%rax) /* save x87 control-word */ fnstcw 0x4(%rax) +#if defined(BOOST_CONTEXT_TLS_STACK_PROTECTOR) + /* save stack guard */ + movq %fs:0x28, %rcx /* read stack guard from TLS record */ + movq %rcx, 0x8(%rsp) /* save stack guard */ +#endif + /* compute abs address of label trampoline */ leaq trampoline(%rip), %rcx /* save address of trampoline as return-address for context-function */ /* will be entered after calling jump_fcontext() first time */ - movq %rcx, 0x38(%rax) + movq %rcx, 0x40(%rax) /* compute abs address of label finish */ leaq finish(%rip), %rcx /* save address of finish as return-address for context-function */ /* will be entered after context-function returns */ - movq %rcx, 0x30(%rax) + movq %rcx, 0x38(%rax) + +#if BOOST_CONTEXT_SHADOW_STACK + /* Populate the shadow stack and normal stack */ + /* get original SSP */ + rdsspq %r8 + /* restore new shadow stack */ + rstorssp -0x8(%r9) + /* save the restore token on the original shadow stack */ + saveprevssp + /* push the address of "jmp trampoline" to the new shadow stack */ + /* as well as the stack */ + call 1f + jmp trampoline +1: + /* save address of "jmp trampoline" as return-address */ + /* for context-function */ + pop 0x38(%rax) + /* Get the new SSP. */ + rdsspq %r9 + /* restore original shadow stack */ + rstorssp -0x8(%r8) + /* save the restore token on the new shadow stack. */ + saveprevssp + + /* reserve space for the new SSP */ + leaq -0x8(%rax), %rax + /* save the new SSP to this fcontext */ + movq %r9, (%rax) +#endif ret /* return pointer to context-data */ trampoline: + _CET_ENDBR /* store return address on stack */ /* fix stack alignment */ - _CET_ENDBR +#if BOOST_CONTEXT_SHADOW_STACK + /* save address of "jmp *%rbp" as return-address */ + /* on stack and shadow stack */ + call 2f + jmp *%rbp +2: +#else push %rbp +#endif /* jump to context-function */ jmp *%rbx