From e19792ea63b4b8088fe00575bd0d8c591decb817 Mon Sep 17 00:00:00 2001
From: mortimer
Date: Sat, 30 Mar 2019 12:38:00 +0000
Subject: Add retguard macros to setjmp/longjmp on amd64.

Knocks out some useful gadgets from libc.

ok deraadt@, kettenis@
---
 lib/libc/arch/amd64/gen/_setjmp.S | 18 +++++++++++-------
 lib/libc/arch/amd64/gen/setjmp.S | 18 +++++++++++-------
 lib/libc/arch/amd64/gen/sigsetjmp.S | 18 +++++++++++-------
 3 files changed, 33 insertions(+), 21 deletions(-)

(limited to 'lib/libc/arch')

diff --git a/lib/libc/arch/amd64/gen/_setjmp.S b/lib/libc/arch/amd64/gen/_setjmp.S
index 904828d2953..1aef964c102 100644
--- a/lib/libc/arch/amd64/gen/_setjmp.S
+++ b/lib/libc/arch/amd64/gen/_setjmp.S
@@ -1,4 +1,4 @@
-/*	$OpenBSD: _setjmp.S,v 1.3 2016/05/12 15:46:03 deraadt Exp $	*/
+/*	$OpenBSD: _setjmp.S,v 1.4 2019/03/30 12:37:59 mortimer Exp $	*/
 /*	$NetBSD: _setjmp.S,v 1.1 2001/06/19 00:25:02 fvdl Exp $	*/
 
 /*
@@ -53,6 +53,7 @@
  */
 
 ENTRY(_setjmp)
+	RETGUARD_SETUP(_setjmp, r10)
 	movq	(%rsp),%r11
 	leaq	__jmpxor(%rip),%rcx
 	movq	%rbx,(_JB_RBX * 8)(%rdi)
@@ -72,11 +73,19 @@ ENTRY(_setjmp)
 	xorq	%rcx,%rcx
 
 	xorq	%rax,%rax
+	RETGUARD_CHECK(_setjmp, r10)
 	ret
 END(_setjmp)
 
 ENTRY(_longjmp)
 	leaq	__jmpxor(%rip),%rcx
+	movq	(_JB_RSP * 8)(%rdi),%r11
+	xorq	(1*8)(%rcx),%r11
+	movq	%r11,%rsp
+	movq	(_JB_PC * 8)(%rdi),%r11
+	xorq	(2*8)(%rcx),%r11
+	movq	%r11,0(%rsp)
+	RETGUARD_SETUP(_longjmp, r10)
 	movq	(_JB_RBX * 8)(%rdi),%rbx
 	movq	(_JB_RBP * 8)(%rdi),%r11
 	xorq	(0*8)(%rcx),%r11
@@ -85,17 +94,12 @@ ENTRY(_longjmp)
 	movq	(_JB_R13 * 8)(%rdi),%r13
 	movq	(_JB_R14 * 8)(%rdi),%r14
 	movq	(_JB_R15 * 8)(%rdi),%r15
-	movq	(_JB_RSP * 8)(%rdi),%r11
-	xorq	(1*8)(%rcx),%r11
-	movq	%r11,%rsp
-	movq	(_JB_PC * 8)(%rdi),%r11
-	xorq	(2*8)(%rcx),%r11
 	xorq	%rcx,%rcx
 
 	movl	%esi,%eax
 	testl	%eax,%eax
 	jnz	1f
 	incl	%eax
-1:	movq	%r11,0(%rsp)
+1:	RETGUARD_CHECK(_longjmp, r10)
 	ret
 END(_longjmp)
diff --git a/lib/libc/arch/amd64/gen/setjmp.S b/lib/libc/arch/amd64/gen/setjmp.S
index 751471216ee..ecb6a353ebf 100644
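Review bot: Hoisting the RSP/PC restore above `RETGUARD_SETUP(_longjmp, r10)` in _longjmp is a correctness requirement rather than a cosmetic reorder, and nothing in the hunk says so; as I understand the amd64 macros (defined in asm.h, not in this diff) RETGUARD_SETUP folds the word at (%rsp) into r10, so the target frame must already be installed and its decoded PC stored at 0(%rsp) before the guard is computed, otherwise the RETGUARD_CHECK at the `1:` label in the following hunk would presumably trap on every longjmp. A comment above the block would stop the next reader from "restoring" the old order, e.g. `/* Switch to the target frame and plant its PC first: RETGUARD_SETUP hashes the return address found at (%rsp). */`, and the same comment belongs on the identical blocks in setjmp.S longjmp and sigsetjmp.S siglongjmp. It is also worth stating that the retguard only detects a change to that slot between SETUP and CHECK and does not validate the jmp_buf contents themselves, which remains the job of the __jmpxor cookies.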
--- a/lib/libc/arch/amd64/gen/setjmp.S
+++ b/lib/libc/arch/amd64/gen/setjmp.S
@@ -1,4 +1,4 @@
-/*	$OpenBSD: setjmp.S,v 1.7 2016/05/29 22:39:21 guenther Exp $	*/
+/*	$OpenBSD: setjmp.S,v 1.8 2019/03/30 12:37:59 mortimer Exp $	*/
 /*	$NetBSD: __setjmp14.S,v 1.1 2001/06/19 00:25:02 fvdl Exp $	*/
 
 /*
@@ -59,6 +59,7 @@ __jmpxor:
  */
 
 ENTRY(setjmp)
+	RETGUARD_SETUP(setjmp, r10)
 	movq	%rdi,%r8	/* save jmpbuf addr */
 	movl	$1,%edi		/* how = SIG_BLOCK */
 	xorl	%esi,%esi	/* set = empty */
@@ -86,6 +87,7 @@ ENTRY(setjmp)
 	xorq	%rcx,%rcx
 
 	xorq	%rax,%rax
+	RETGUARD_CHECK(setjmp, r10)
 	ret
 END(setjmp)
 
@@ -100,6 +102,13 @@ ENTRY(longjmp)
 
 	movl	%r8d,%eax
 	leaq	__jmpxor(%rip),%rcx
+	movq	(_JB_RSP * 8)(%r12),%r11
+	xorq	(1*8)(%rcx),%r11
+	movq	%r11,%rsp
+	movq	(_JB_PC * 8)(%r12),%r11
+	xorq	(2*8)(%rcx),%r11
+	movq	%r11,0(%rsp)
+	RETGUARD_SETUP(longjmp, r10)
 	movq	(_JB_RBX * 8)(%r12),%rbx
 	movq	(_JB_RBP * 8)(%r12),%r11
 	xorq	(0*8)(%rcx),%r11
@@ -107,17 +116,12 @@ ENTRY(longjmp)
 	movq	(_JB_R13 * 8)(%r12),%r13
 	movq	(_JB_R14 * 8)(%r12),%r14
 	movq	(_JB_R15 * 8)(%r12),%r15
-	movq	(_JB_RSP * 8)(%r12),%r11
-	xorq	(1*8)(%rcx),%r11
-	movq	%r11,%rsp
-	movq	(_JB_PC * 8)(%r12),%r11
-	xorq	(2*8)(%rcx),%r11
 	movq	(_JB_R12 * 8)(%r12),%r12
 	xorq	%rcx,%rcx
 
 	testl	%eax,%eax
 	jnz	1f
 	incl	%eax
-1:	movq	%r11,0(%rsp)
+1:	RETGUARD_CHECK(longjmp, r10)
 	ret
 END(longjmp)
diff --git a/lib/libc/arch/amd64/gen/sigsetjmp.S b/lib/libc/arch/amd64/gen/sigsetjmp.S
index ecce6204b26..22414c1fc87 100644
--- a/lib/libc/arch/amd64/gen/sigsetjmp.S
+++ b/lib/libc/arch/amd64/gen/sigsetjmp.S
@@ -1,4 +1,4 @@
-/*	$OpenBSD: sigsetjmp.S,v 1.7 2016/05/29 22:39:21 guenther Exp $	*/
+/*	$OpenBSD: sigsetjmp.S,v 1.8 2019/03/30 12:37:59 mortimer Exp $	*/
 /*	$NetBSD: __setjmp14.S,v 1.1 2001/06/19 00:25:02 fvdl Exp $	*/
 
 /*
@@ -53,6 +53,7 @@
  */
 
 ENTRY(sigsetjmp)
+	RETGUARD_SETUP(sigsetjmp, r10)
 	movl	%esi,(_JB_SIGFLAG * 8)(%rdi)
 	testl	%esi,%esi
 	jz	2f
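Review bot: `RETGUARD_SETUP(setjmp, r10)` at the top of setjmp makes r10 live across the whole body, including the sigprocmask syscall sequence that follows these three lines outside the hunk, and nothing documents that reservation. The `syscall` instruction itself leaves r10 intact, but r10 is also the fourth kernel argument register, so any future wrapper or macro that copies %rcx into %r10 before the trap would silently break setjmp at RETGUARD_CHECK rather than at the point of the mistake. I would put `/* r10 carries the retguard value until RETGUARD_CHECK; keep it clear of the syscall setup */` beside the setup line here and in sigsetjmp.S, where both the save-mask path and the `jz 2f` path have to reach the single check with r10 untouched.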
@@ -84,6 +85,7 @@ ENTRY(sigsetjmp)
 	xorq	%rcx,%rcx
 
 	xorq	%rax,%rax
+	RETGUARD_CHECK(sigsetjmp, r10)
 	ret
 END(sigsetjmp)
 
@@ -100,6 +102,13 @@ ENTRY(siglongjmp)
 
 2:	movl	%r8d,%eax
 	leaq	__jmpxor(%rip),%rcx
+	movq	(_JB_RSP * 8)(%r12),%r11
+	xorq	(1*8)(%rcx),%r11
+	movq	%r11,%rsp
+	movq	(_JB_PC * 8)(%r12),%r11
+	xorq	(2*8)(%rcx),%r11
+	movq	%r11,0(%rsp)
+	RETGUARD_SETUP(siglongjmp, r10)
 	movq	(_JB_RBX * 8)(%r12),%rbx
 	movq	(_JB_RBP * 8)(%r12),%r11
 	xorq	(0*8)(%rcx),%r11
@@ -107,17 +116,12 @@ ENTRY(siglongjmp)
 	movq	(_JB_R13 * 8)(%r12),%r13
 	movq	(_JB_R14 * 8)(%r12),%r14
 	movq	(_JB_R15 * 8)(%r12),%r15
-	movq	(_JB_RSP * 8)(%r12),%r11
-	xorq	(1*8)(%rcx),%r11
-	movq	%r11,%rsp
-	movq	(_JB_PC * 8)(%r12),%r11
-	xorq	(2*8)(%rcx),%r11
 	movq	(_JB_R12 * 8)(%r12),%r12
 	xorq	%rcx,%rcx
 
 	testl	%eax,%eax
 	jnz	1f
 	incl	%eax
-1:	movq	%r11,0(%rsp)
+1:	RETGUARD_CHECK(siglongjmp, r10)
 	ret
 END(siglongjmp)
--
cgit v1.2.3