Don't modify esp if call/ret/push hits a page fault

saiminhtet · Dec 21, 2020 · 7dd4da5 · 7dd4da5
1 parent 1e06d8d
commit 7dd4da5
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 15 deletions.
diff --git a/jit/gadgets-aarch64/control.S b/jit/gadgets-aarch64/control.S
@@ -1,12 +1,13 @@
 #include "gadgets.h"
 
 .gadget call
-    sub esp, esp, 4
-    mov _addr, esp
     // save return address
+    sub _addr, esp, 4
     write_prep 32, call
     ldr w8, [_ip, 16]
     str w8, [_xaddr]
+    // push stack pointer
+    sub esp, esp, 4
     // save ip-to-arguments to return cache
     ubfx w12, w8, 4, 12
     write_done 32, call // clobbers w8
@@ -18,12 +19,13 @@
     write_bullshit 32, call
 
 .gadget call_indir
-    sub esp, esp, 4
-    mov _addr, esp
     // save return address
+    sub _addr, esp, 4
     write_prep 32, call_indir
     ldr w8, [_ip, 16]
     str w8, [_xaddr]
+    // push stack pointer
+    sub esp, esp, 4
     // save ip-to-arguments to return cache
     ubfx w12, w8, 4, 12
     write_done 32, call_indir // clobbers w8
@@ -36,11 +38,12 @@
 
 .gadget ret
     mov _addr, esp
-    ldr w8, [_ip, 8]
-    add esp, esp, w8
     // load return address and save to _tmp
     read_prep 32, ret
     ldr _tmp, [_xaddr]
+    // pop stack pointer
+    ldr w8, [_ip, 8]
+    add esp, esp, w8
     // load saved ip in return cache
     ubfx w12, _tmp, 4, 12
     add x13, _cpu, LOCAL_ret_cache

diff --git a/jit/gadgets-aarch64/memory.S b/jit/gadgets-aarch64/memory.S
@@ -2,11 +2,11 @@
 #include "emu/interrupt.h"
 
 .gadget push
-    sub esp, esp, 4
-    mov _addr, esp
+    sub _addr, esp, 4
     write_prep 32, push
     str _tmp, [_xaddr]
     write_done 32, push
+    sub esp, esp, 4
     gret 1
     write_bullshit 32, push
 

diff --git a/jit/gadgets-x86_64/control.S b/jit/gadgets-x86_64/control.S
@@ -1,12 +1,13 @@
 #include "gadgets.h"
 
 .gadget call
-    subl $4, %_esp
-    movl %_esp, %_addr
     // save return address
+    leal -4(%_esp), %_addr
     write_prep 32, call
     movl 16(%_ip), %r14d
     movl %r14d, (%_addrq)
+    // push stack pointer
+    subl $4, %_esp
     // save ip-to-arguments to return cache
     shrw $4, %r14w
     movzwl %r14w, %r14d
@@ -17,12 +18,13 @@
     jmp jit_ret_chain
 
 .gadget call_indir
-    subl $4, %_esp
-    movl %_esp, %_addr
     // save return address
+    leal -4(%_esp), %_addr
     write_prep 32, call_indir
     movl 16(%_ip), %r14d
     movl %r14d, (%_addrq)
+    // push stack pointer
+    subl $4, %_esp
     // save ip-to-arguments to return cache
     shrw $4, %r14w
     movzwl %r14w, %r14d
@@ -34,11 +36,12 @@
 
 .gadget ret
     movl %_esp, %_addr
-    addl 8(%_ip), %_esp
     // load return address and save to _tmp
     read_prep 32, ret
     movl (%_addrq), %tmpd
     movl %tmpd, %r14d
+    // pop stack pointer
+    addl 8(%_ip), %_esp
     // load saved ip in return cache
     shrw $4, %r14w
     movzwq %r14w, %r14

diff --git a/jit/gadgets-x86_64/memory.S b/jit/gadgets-x86_64/memory.S
@@ -2,11 +2,11 @@
 #include "emu/interrupt.h"
 
 .gadget push
-    sub $4, %_esp
-    movl %_esp, %_addr
+    leal -4(%_esp), %_addr
     write_prep 32, push
     movl %_tmp, (%_addrq)
     write_done 32, push
+    sub $4, %_esp
     gret 1
 .gadget pop
     movl %_esp, %_addr