arch/x86: push correct eip on the stack before lretq

Submitted by Andrei Vagin on Sept. 10, 2019, 1:50 p.m.

Details

Message ID 20190910135058.21055-1-avagin@gmail.com
State Accepted
Series "arch/x86: push correct eip on the stack before lretq"
Commit a9a760278c1a8ed0856952865bda853509e41814

Commit Message

Andrei Vagin Sept. 10, 2019, 1:50 p.m.
Right now we use pushq, but it pushes a sign-extended value, so if the
parasite code is placed higher than 2Gb, we will see something like
this:

   0xf7efd5b0:	pushq  $0x23
   0xf7efd5b2:	pushq  $0xfffffffff7efd5b9
=> 0xf7efd5b7:	lretq

Actually we want to push 0xf7efd5b9 instead of 0xfffffffff7efd5b9.

Fixes: #398

Cc: Dmitry Safonov <dima@arista.com>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
---
 compel/arch/x86/src/lib/include/uapi/asm/sigframe.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
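The commit message above turns on one encoding detail: `pushq $imm32` sign-extends its 32-bit immediate to 64 bits, while a 32-bit register write such as `movl $imm32, %eax` zero-extends into the full register. The C program below is an added example, not part of the CRIU patch or project; it models what each of the two instruction sequences in `ARCH_RT_SIGRETURN_COMPAT` leaves on the stack for `lretq`, and reports for which label addresses the old form goes wrong. It takes `USER32_CS` (0x23) and the sample address 0xf7efd5b9 from the patch; the function names, the `far_ret_frame` struct and the extra sample addresses are constructed for illustration, and it uses no inline assembly so it runs on any architecture.

```c
/* Added example (not part of the CRIU patch): models what each instruction
 * sequence in ARCH_RT_SIGRETURN_COMPAT leaves on the stack for lretq.
 * USER32_CS (0x23) and the sample address 0xf7efd5b9 come from the patch;
 * the function and struct names below are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define USER32_CS 0x23u  /* selector pushed by the macro, as in the disassembly */

/* "pushq $imm32": the CPU sign-extends the 32-bit immediate to 64 bits. */
static uint64_t pushq_imm32(uint32_t imm)
{
	return (uint64_t)(int64_t)(int32_t)imm;
}

/* "movl $imm32, %eax; pushq %rax": a 32-bit register write zero-extends
 * into rax, so the pushed 64-bit value equals the 32-bit immediate. */
static uint64_t movl_then_pushq(uint32_t imm)
{
	return (uint64_t)imm;
}

/* The pushq-immediate form is only exact for addresses below 2 GiB
 * (bit 31 clear); above that the sign extension fills the upper half. */
static bool pushq_imm32_is_exact(uint32_t addr)
{
	return pushq_imm32(addr) == (uint64_t)addr;
}

/* What lretq pops: the return rip at [rsp], then cs at [rsp+8]. */
struct far_ret_frame {
	uint64_t rip;
	uint64_t cs;
};

/* Frame as built by the old macro: "pushq $USER32_CS; pushq $1f". */
static struct far_ret_frame old_frame(uint32_t label)
{
	struct far_ret_frame f = { .rip = pushq_imm32(label), .cs = USER32_CS };
	return f;
}

/* Frame as built by the patched macro:
 * "pushq $USER32_CS; movl $1f, %eax; pushq %rax". */
static struct far_ret_frame new_frame(uint32_t label)
{
	struct far_ret_frame f = { .rip = movl_then_pushq(label), .cs = USER32_CS };
	return f;
}

/* A far return into the 32-bit code segment needs the rip to be exactly the
 * 32-bit label address; report whether this frame would land on the label. */
static bool frame_returns_to(const struct far_ret_frame *f, uint32_t label)
{
	return f->cs == USER32_CS && f->rip == (uint64_t)label;
}

int main(void)
{
	/* Constructed sample labels: two below 2 GiB, two at or above it. */
	const uint32_t labels[] = { 0x00401000u, 0x7fffffffu, 0x80000000u, 0xf7efd5b9u };
	for (size_t i = 0; i < sizeof(labels) / sizeof(labels[0]); i++) {
		struct far_ret_frame o = old_frame(labels[i]);
		struct far_ret_frame n = new_frame(labels[i]);
		printf("label 0x%08x: pushq $imm -> rip 0x%016llx (%s); movl+pushq -> rip 0x%016llx (%s)\n",
		       labels[i],
		       (unsigned long long)o.rip, frame_returns_to(&o, labels[i]) ? "ok" : "WRONG",
		       (unsigned long long)n.rip, frame_returns_to(&n, labels[i]) ? "ok" : "WRONG");
	}
	return 0;
}
```

Running it shows the old frame is correct for 0x00401000 and 0x7fffffff and wrong for 0x80000000 and 0xf7efd5b9, while the patched frame is correct for all four; the boundary is exactly the 2 GiB mark the commit message names, because that is where bit 31 of the immediate becomes set.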


diff --git a/compel/arch/x86/src/lib/include/uapi/asm/sigframe.h b/compel/arch/x86/src/lib/include/uapi/asm/sigframe.h
index 51ca023f7..486c0c8e0 100644
--- a/compel/arch/x86/src/lib/include/uapi/asm/sigframe.h
+++ b/compel/arch/x86/src/lib/include/uapi/asm/sigframe.h
@@ -194,7 +194,9 @@  void rt_sigframe_erase_sigset(struct rt_sigframe *sigframe)
 #define ARCH_RT_SIGRETURN_COMPAT(new_sp)				\
 	asm volatile(							\
 		"pushq $"__stringify(USER32_CS)"		\n"	\
-		"pushq $1f					\n"	\
+		"xor %%rax, %%rax				\n"	\
+		"movl $1f, %%eax				\n"	\
+		"pushq   %%rax					\n"	\
 		"lretq						\n"	\
 		"1:						\n"	\
 		".code32					\n"	\
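Review bot: the `xor %%rax, %%rax` line is redundant: `movl $1f, %%eax` is a 32-bit register write and already zero-extends into the full rax, which is precisely what replaces the sign extension that `pushq $1f` applied to its 32-bit immediate. Two lines suffice, `"movl $1f, %%eax\n"` followed by `"pushq %%rax\n"`. Since rax is now written inside the asm and the clobber list lies outside this hunk, check that it names "rax" (or that the macro's later code reloads eax before its value matters). The label still has to fit in 32 bits, which is guaranteed here because the code after `lretq` runs under `.code32`. Minor style point: `"pushq   %%rax"` uses three spaces where the neighbouring lines use one.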

Comments

Cyrill Gorcunov Sept. 10, 2019, 2:14 p.m.
On Tue, Sep 10, 2019 at 06:50:58AM -0700, Andrei Vagin wrote:
> Right now we use pushq, but it pushes a sign-extended value, so if the
> parasite code is placed higher than 2Gb, we will see something like
> this:
> 
>    0xf7efd5b0:	pushq  $0x23
>    0xf7efd5b2:	pushq  $0xfffffffff7efd5b9
> => 0xf7efd5b7:	lretq
> 
> Actually we want to push 0xf7efd5b9 instead of 0xfffffffff7efd5b9.
> 
> Fixes: #398
> 
> Cc: Dmitry Safonov <dima@arista.com>
> Cc: Cyrill Gorcunov <gorcunov@gmail.com>
> Signed-off-by: Andrei Vagin <avagin@gmail.com>
Reviewed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Dmitry Safonov Sept. 10, 2019, 3:04 p.m.
On Tue, 10 Sep 2019 at 15:16, Cyrill Gorcunov <gorcunov@gmail.com> wrote:
>
> On Tue, Sep 10, 2019 at 06:50:58AM -0700, Andrei Vagin wrote:
> > Right now we use pushq, but it pushes a sign-extended value, so if the
> > parasite code is placed higher than 2Gb, we will see something like
> > this:
> >
> >    0xf7efd5b0:        pushq  $0x23
> >    0xf7efd5b2:        pushq  $0xfffffffff7efd5b9
> > => 0xf7efd5b7:        lretq
> >
> > Actually we want to push 0xf7efd5b9 instead of 0xfffffffff7efd5b9.
> >
> > Fixes: #398
> >
> > Cc: Dmitry Safonov <dima@arista.com>
> > Cc: Cyrill Gorcunov <gorcunov@gmail.com>
> > Signed-off-by: Andrei Vagin <avagin@gmail.com>
> Reviewed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>

Acked-by: Dmitry Safonov <0x7f454c46@gmail.com>

Thanks!
             Dmitry
Andrei Vagin Sept. 15, 2019, 4:40 a.m.
Applied

On Tue, Sep 10, 2019 at 06:50:58AM -0700, Andrei Vagin wrote:
> Right now we use pushq, but it pushes a sign-extended value, so if the
> parasite code is placed higher than 2Gb, we will see something like
> this:
> 
>    0xf7efd5b0:	pushq  $0x23
>    0xf7efd5b2:	pushq  $0xfffffffff7efd5b9
> => 0xf7efd5b7:	lretq
> 
> Actually we want to push 0xf7efd5b9 instead of 0xfffffffff7efd5b9.
> 
> Fixes: #398
> 
> Cc: Dmitry Safonov <dima@arista.com>
> Cc: Cyrill Gorcunov <gorcunov@gmail.com>
> Signed-off-by: Andrei Vagin <avagin@gmail.com>
> ---
>  compel/arch/x86/src/lib/include/uapi/asm/sigframe.h | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/compel/arch/x86/src/lib/include/uapi/asm/sigframe.h b/compel/arch/x86/src/lib/include/uapi/asm/sigframe.h
> index 51ca023f7..486c0c8e0 100644
> --- a/compel/arch/x86/src/lib/include/uapi/asm/sigframe.h
> +++ b/compel/arch/x86/src/lib/include/uapi/asm/sigframe.h
> @@ -194,7 +194,9 @@ void rt_sigframe_erase_sigset(struct rt_sigframe *sigframe)
>  #define ARCH_RT_SIGRETURN_COMPAT(new_sp)				\
>  	asm volatile(							\
>  		"pushq $"__stringify(USER32_CS)"		\n"	\
> -		"pushq $1f					\n"	\
> +		"xor %%rax, %%rax				\n"	\
> +		"movl $1f, %%eax				\n"	\
> +		"pushq   %%rax					\n"	\
>  		"lretq						\n"	\
>  		"1:						\n"	\
>  		".code32					\n"	\
> -- 
> 2.21.0
>