From 7dd4da5aebd1e9b72da95a4a171aa9903931368a Mon Sep 17 00:00:00 2001
From: Theodore Dubois
Date: Mon, 3 Aug 2020 00:48:51 -0700
Subject: [PATCH] Don't modify esp if call/ret/push hits a page fault
---
 jit/gadgets-aarch64/control.S | 15 +++++++++------
 jit/gadgets-aarch64/memory.S | 4 ++--
 jit/gadgets-x86_64/control.S | 13 ++++++++-----
 jit/gadgets-x86_64/memory.S | 4 ++--
 4 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/jit/gadgets-aarch64/control.S b/jit/gadgets-aarch64/control.S
index 914ad261ca..4092c4c731 100644
--- a/jit/gadgets-aarch64/control.S
+++ b/jit/gadgets-aarch64/control.S
@@ -1,12 +1,13 @@ #include "gadgets.h" .gadget call - sub esp, esp, 4 - mov _addr, esp // save return address + sub _addr, esp, 4 write_prep 32, call ldr w8, [_ip, 16] str w8, [_xaddr] + // push stack pointer + sub esp, esp, 4 // save ip-to-arguments to return cache ubfx w12, w8, 4, 12 write_done 32, call // clobbers w8
@@ -18,12 +19,13 @@ write_bullshit 32, call .gadget call_indir - sub esp, esp, 4 - mov _addr, esp // save return address + sub _addr, esp, 4 write_prep 32, call_indir ldr w8, [_ip, 16] str w8, [_xaddr] + // push stack pointer + sub esp, esp, 4 // save ip-to-arguments to return cache ubfx w12, w8, 4, 12 write_done 32, call_indir // clobbers w8
@@ -36,11 +38,12 @@ .gadget ret mov _addr, esp - ldr w8, [_ip, 8] - add esp, esp, w8 // load return address and save to _tmp read_prep 32, ret ldr _tmp, [_xaddr] + // pop stack pointer + ldr w8, [_ip, 8] + add esp, esp, w8 // load saved ip in return cache ubfx w12, _tmp, 4, 12 add x13, _cpu, LOCAL_ret_cache
diff --git a/jit/gadgets-aarch64/memory.S b/jit/gadgets-aarch64/memory.S
index 31f6893fc0..8677a22102 100644
--- a/jit/gadgets-aarch64/memory.S
+++ b/jit/gadgets-aarch64/memory.S
@@ -2,11 +2,11 @@ #include "emu/interrupt.h" .gadget push - sub esp, esp, 4 - mov _addr, esp + sub _addr, esp, 4 write_prep 32, push str _tmp, [_xaddr] write_done 32, push + sub esp, esp, 4 gret 1 write_bullshit 32, push 
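Review bot: In the `call` gadget the new `sub esp, esp, 4` is placed between `str w8, [_xaddr]` and `write_done 32, call`, whereas the `push` gadget in memory.S (same patch) only commits esp after `write_done 32, push`. The body of write_done is not visible here (the hunk only notes that it clobbers w8), so if it has any path that leaves the gadget without completing, `call` would still exit with esp already decremented — exactly the state this commit sets out to rule out — while `push` would not. Unless write_done is known never to fault, move the update to just after `write_done 32, call` (safe: `ubfx w12, w8, 4, 12` has already consumed w8 and `sub esp, esp, 4` does not read it), and do the same in call_indir. The comment `// push stack pointer` also does not say why the placement matters; suggest `// commit esp only after the store succeeded: a fault in write_prep must leave esp untouched so the call can be restarted`. The gadget's tail (the return-cache store and the write_bullshit fault path) continues outside the hunk.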
diff --git a/jit/gadgets-x86_64/control.S b/jit/gadgets-x86_64/control.S
index ae3c0c32b7..29fa42701d 100644
--- a/jit/gadgets-x86_64/control.S
+++ b/jit/gadgets-x86_64/control.S
@@ -1,12 +1,13 @@ #include "gadgets.h" .gadget call - subl $4, %_esp - movl %_esp, %_addr // save return address + leal -4(%_esp), %_addr write_prep 32, call movl 16(%_ip), %r14d movl %r14d, (%_addrq) + // push stack pointer + subl $4, %_esp // save ip-to-arguments to return cache shrw $4, %r14w movzwl %r14w, %r14d
@@ -17,12 +18,13 @@ jmp jit_ret_chain .gadget call_indir - subl $4, %_esp - movl %_esp, %_addr // save return address + leal -4(%_esp), %_addr write_prep 32, call_indir movl 16(%_ip), %r14d movl %r14d, (%_addrq) + // push stack pointer + subl $4, %_esp // save ip-to-arguments to return cache shrw $4, %r14w movzwl %r14w, %r14d
@@ -34,11 +36,12 @@ .gadget ret movl %_esp, %_addr - addl 8(%_ip), %_esp // load return address and save to _tmp read_prep 32, ret movl (%_addrq), %tmpd movl %tmpd, %r14d + // pop stack pointer + addl 8(%_ip), %_esp // load saved ip in return cache shrw $4, %r14w movzwq %r14w, %r14
diff --git a/jit/gadgets-x86_64/memory.S b/jit/gadgets-x86_64/memory.S
index 5ea814ee17..b8e63a1049 100644
--- a/jit/gadgets-x86_64/memory.S
+++ b/jit/gadgets-x86_64/memory.S
@@ -2,11 +2,11 @@ #include "emu/interrupt.h" .gadget push - sub $4, %_esp - movl %_esp, %_addr + leal -4(%_esp), %_addr write_prep 32, push movl %_tmp, (%_addrq) write_done 32, push + sub $4, %_esp gret 1 .gadget pop movl %_esp, %_addr
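Review bot: In `call` the new `subl $4, %_esp` directly follows the `movl %r14d, (%_addrq)` store, while `push` in memory.S (last hunk) commits esp with `sub $4, %_esp` only after `write_done 32, push`. The call hunk ends at `movzwl %r14w, %r14d`, so whether a `write_done` step follows it is outside this diff; if one does and it can leave the gadget early, `call` would exit with esp already decremented on that path while `push` would not, so either move the `subl` after that step (it does not read r14) or document that write_done cannot fault. The comment `// push stack pointer` also omits the reason for the placement; suggest `// commit esp only after the store succeeded: a fault in write_prep must leave esp untouched so the call can be restarted`. Minor: memory.S writes `sub $4, %_esp` without the operand-size suffix where control.S uses `subl`; both assemble since the register operand fixes the size, but `subl` would match the file's convention. The `call`, `ret` and `pop` gadgets all continue past the ends of their hunks.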