From: Markus Wichmann Newsgroups: gmane.linux.lib.musl.general Subject: Patch: Negative stack pointer references Date: Fri, 25 Dec 2015 21:57:34 +0100 Message-ID: <20151225205734.GB5971@debian> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="i9LlY+UWpKt15+FH" X-Trace: ger.gmane.org 1451077297 7537 80.91.229.3 (25 Dec 2015 21:01:37 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Fri, 25 Dec 2015 21:01:37 +0000 (UTC) To: musl@lists.openwall.com Original-X-From: musl-return-9025-gllmg-musl=m.gmane.org@lists.openwall.com Fri Dec 25 22:01:36 2015 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1aCZUU-0007Kr-0w for gllmg-musl@m.gmane.org; Fri, 25 Dec 2015 22:01:34 +0100 Original-Received: (qmail 15994 invoked by uid 550); 25 Dec 2015 21:01:31 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Original-Received: (qmail 14115 invoked from network); 25 Dec 2015 20:57:49 -0000 Content-Disposition: inline User-Agent: Mutt/1.5.23 (2014-03-12) X-Provags-ID: V03:K0:HIBYAPlMfMN+wMjI2NjDUqLXl3ubve7zb1mb8FG3p11edTjHs5+ m54dQGIphatVyOdGkHdXQH07sin8E6b9bBumF3uOksAA2YHzYzkeCAG1RXGxV5kB/8W7DYr idjA5YczT7hkh/n6ojAH2o58ok1722bdtiLr5PTgjASq3E2lqMDSwas9mSRC71Qhteza4Oy KMboKhVrYOuk1OQ+nX+3g== X-UI-Out-Filterresults: notjunk:1;V01:K0:/78kglHlY9U=:S30fHUSbMAZobfgoDsfSSY ZVWkXyXSAWODwJVjOVZ3Ed3ECblbP2CLtA+s5KlMghOIZrXtVGnwwb6n9c95HR3+KL9d2cQjU A7zVDVgp39Io8gNQTdV92EX1vt68kVpsjEMui3rvWPLwl84JHAKuNdLH3Op8LP55vOb4DWftr ggb6lXHbkQ+TNXouYhh2NpMO2PWgKzjV6LH2reD5DKrNwMSdcfJx5juGKh3cllAMWpY6+/IBK vPOGGxkl7XYuzhi/v2iAnwBV14aYrX7EY5Siey3O97QdTPklL8s6ELEMIYiMZ4fTZqQ0s6NV1 thkUIRQ7JXw4+X9UJPFwr3flxsTH9I5BAHCb1TdshkjTosGYUylDaqFYCao+WnfTwhoY+mk0j 
+79J5HkSEdKry07AZIZHqkvckaOfkrW7k8gAAFjqKsq26gynYaaVAWnw5vte9SWlj/fxnaGgV NgOwzgVeuOW2kg1rGVimhDm28WVACCWYXFF/g65pvLARzG4AoaMYyEr9nrw3kXwRLa+44kMnL UeFwZhjigNJUy8FPhMQ2v+sXqYb9Th3/WgriWDoM16JRy6shiQqTCRqLnCCl5ZGvVOpRD+iwY TtQRfWDlVYKFSA81YqlCztWdEjsA5Nsw1GsWCTCahbRAKSNcJTWlk29VqADKROaUAAVAltxi6 GLDmH5OTZ3CjOicQ/Op3R7zsiMFkqbJZNk9CYKMIKQx3Qc+fvfYktVDApoLUZcpqmH98RPO16 lLe+rIKyv7vYNBDXBo4PYHX9GYYEqy/LmvMdZ+j7bGg14a2VvnUTq7VvKnc= Xref: news.gmane.org gmane.linux.lib.musl.general:9012 Archived-At: --i9LlY+UWpKt15+FH Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi all, I found a few instances in musl where negative stack pointer offsets were used in the handwritten assembly. That is problematic, because if a signal arrives and is handled during the time that scratch space is in use (unlikely but possible), and sigaltstack() is not used, then that scratch space will be overwritten. This was just something I saw while randomly reading the code. Also, I only searched for the error pattern using a regex, so the problem may persist with (possibly) negative nonconstant offsets to the stack pointer, use of the same space with another register as base, or use of a negative constant offset my regex failed to match. I searched for -\d\+(%[er]sp) -0[xX]\x\+(%[er]sp) in all .s, .c, and .h files. Also, the problem may exist in architectures other than AMD64 or x32. I'm not a subscriber, so please CC me in this thread. Ciao, Markus --i9LlY+UWpKt15+FH Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="0033-Remove-negative-constant-stack-pointer-offsets.patch" >From d06bafc3d6654b9b26387b66d0dab4c5d21d02ea Mon Sep 17 00:00:00 2001 
From: Markus Wichmann
Date: Fri, 25 Dec 2015 21:37:00 +0100
Subject: [PATCH 33/33] Remove negative constant stack pointer offsets.

Some places used constant negative stack pointer offsets for scratch space. In theory sound, but if a signal arrives during such usage and it is handled and sigaltstack() is not in use, the stack gets clobbered and the scratch space overwritten. Since that can happen at any time, negative stack pointer offsets should be avoided at all cost. Note that I only used a regex to find these instances. There might be negative nonconstant offsets used somewhere, negative constant offsets used in a way my regex didn't find, and the same pattern in any architecture other than x32 and x86_64.
---
 src/fenv/x32/fenv.s | 22 +++++++++++++---------
 src/fenv/x86_64/fenv.s | 22 +++++++++++++---------
 src/math/x32/exp2l.s | 6 ++++--
 src/math/x86_64/exp2l.s | 6 ++++--
 4 files changed, 34 insertions(+), 22 deletions(-)

diff --git a/src/fenv/x32/fenv.s b/src/fenv/x32/fenv.s
index 4531046..d0de0a1 100644
--- a/src/fenv/x32/fenv.s
+++ b/src/fenv/x32/fenv.s
@@ -1,32 +1,36 @@
 .global feclearexcept
 .type feclearexcept,@function
 feclearexcept:
- # maintain exceptions in the sse mxcsr, clear x87 exceptions
+ # maintain exceptions in the sse mxcsr, clear x87 exceptions
+ subl $8, %esp
 mov %edi,%ecx
 and $0x3f,%ecx
 fnstsw %ax
 test %eax,%ecx
 jz 1f
 fnclex
-1: stmxcsr -8(%esp)
+1: stmxcsr (%esp)
 and $0x3f,%eax
- or %eax,-8(%esp)
- test %ecx,-8(%esp)
+ or %eax,(%esp)
+ test %ecx,(%esp)
 jz 1f
 not %ecx
- and %ecx,-8(%esp)
- ldmxcsr -8(%esp)
+ and %ecx,(%esp)
+ ldmxcsr (%esp)
 1: xor %eax,%eax
+ addl $8, %esp
 ret
 
 .global feraiseexcept
 .type feraiseexcept,@function
 feraiseexcept:
+ subl $8, %esp
 and $0x3f,%edi
- stmxcsr -8(%esp)
- or %edi,-8(%esp)
- ldmxcsr -8(%esp)
+ stmxcsr (%esp)
+ or %edi,(%esp)
+ ldmxcsr (%esp)
 xor %eax,%eax
+ addl $8, %esp
 ret
 
 .global __fesetround
diff --git a/src/fenv/x86_64/fenv.s b/src/fenv/x86_64/fenv.s
index b5aeaf4..5e02716 100644
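Review bot: The premise that a signal handler can clobber `-8(%esp)` does not hold for x32: the x32 psABI keeps the x86-64 128-byte red zone below the stack pointer, and Linux's 64-bit-mode signal delivery (which x32 frames use) places the signal frame below that zone, so the scratch stores in feclearexcept and feraiseexcept that this hunk replaces were already safe in these leaf functions. The added `subl $8, %esp` / `addl $8, %esp` pairs are harmless but cost instructions on every call and should be justified in the commit message as a preference for not relying on the red zone, not as a fix for stack corruption. If the change is kept, the new lines should follow the file's existing style of unsuffixed mnemonics and no space after the comma, e.g. `sub $8,%esp` and `add $8,%esp`. The `- # maintain … / + # maintain …` pair looks like a whitespace-only change to the comment line and is better dropped so the hunk shows only the intended edits.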
--- a/src/fenv/x86_64/fenv.s
+++ b/src/fenv/x86_64/fenv.s
@@ -1,32 +1,36 @@
 .global feclearexcept
 .type feclearexcept,@function
 feclearexcept:
- # maintain exceptions in the sse mxcsr, clear x87 exceptions
+ # maintain exceptions in the sse mxcsr, clear x87 exceptions
+ subq $8, %rsp
 mov %edi,%ecx
 and $0x3f,%ecx
 fnstsw %ax
 test %eax,%ecx
 jz 1f
 fnclex
-1: stmxcsr -8(%rsp)
+1: stmxcsr (%rsp)
 and $0x3f,%eax
- or %eax,-8(%rsp)
- test %ecx,-8(%rsp)
+ or %eax,(%rsp)
+ test %ecx,(%rsp)
 jz 1f
 not %ecx
- and %ecx,-8(%rsp)
- ldmxcsr -8(%rsp)
+ and %ecx,(%rsp)
+ ldmxcsr (%rsp)
 1: xor %eax,%eax
+ addq $8, %rsp
 ret
 
 .global feraiseexcept
 .type feraiseexcept,@function
 feraiseexcept:
+ subq $8, %rsp
 and $0x3f,%edi
- stmxcsr -8(%rsp)
- or %edi,-8(%rsp)
- ldmxcsr -8(%rsp)
+ stmxcsr (%rsp)
+ or %edi,(%rsp)
+ ldmxcsr (%rsp)
 xor %eax,%eax
+ addq $8, %rsp
 ret
 
 .global __fesetround
diff --git a/src/math/x32/exp2l.s b/src/math/x32/exp2l.s
index e9edb96..2935942 100644
--- a/src/math/x32/exp2l.s
+++ b/src/math/x32/exp2l.s
@@ -4,8 +4,10 @@ expm1l:
 fldt 8(%esp)
 fldl2e
 fmulp
- movl $0xc2820000,-4(%esp)
- flds -4(%esp)
+ subl $4, %esp
+ movl $0xc2820000,(%esp)
+ flds (%esp)
+ addl $4, %esp
 fucomip %st(1),%st
 fld1
 jb 1f
diff --git a/src/math/x86_64/exp2l.s b/src/math/x86_64/exp2l.s
index effab2b..e7e7d9e 100644
--- a/src/math/x86_64/exp2l.s
+++ b/src/math/x86_64/exp2l.s
@@ -4,8 +4,10 @@ expm1l:
 fldt 8(%rsp)
 fldl2e
 fmulp
- movl $0xc2820000,-4(%rsp)
- flds -4(%rsp)
+ subq $4, %rsp
+ movl $0xc2820000,(%rsp)
+ flds (%rsp)
+ addq $4, %rsp
 fucomip %st(1),%st
 fld1
 jb 1f
-- 
2.1.4
--i9LlY+UWpKt15+FH--
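Review bot: On x86_64 the `-8(%rsp)` scratch slot that this hunk removes from feclearexcept and feraiseexcept sits inside the 128-byte red zone guaranteed by the System V psABI, and the kernel pushes signal frames below that zone, so the signal-clobber scenario in the commit message cannot occur in these leaf functions; the change is a style choice, not a correctness fix, and the description should say so. The `subq $8, %rsp` / `addq $8, %rsp` pairs do keep %rsp balanced on both exits of feclearexcept (both `jz 1f` targets still reach the `addq` before `ret`), but they add four instructions per call for no gain; if avoiding the red zone is wanted for parity with architectures that lack one, that deserves a one-line comment such as `# scratch slot reserved explicitly; do not rely on the red zone`. Please also verify that any CFI-generation tooling the project runs over these .s files recognizes the suffixed `subq`/`addq` spelling, and prefer the file's existing unsuffixed, unspaced form `sub $8,%rsp`.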
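Review bot: The new `subl $4, %esp` … `addl $4, %esp` round-trip in expm1l exists only to push the float constant `0xc2820000` (-65.0f) through memory for `flds`, and the `-4(%esp)` slot it replaces was already inside the x32 red zone, so neither version is at risk from signal delivery. The store-then-load through the stack can be dropped entirely by placing the constant in `.rodata` and loading it RIP-relative, `flds .Lneg65(%rip)`, with `.Lneg65: .long 0xc2820000` under a `.section .rodata` / `.align 4` at the top of the file and `.text` restored before the code; that removes four instructions and the temporary 4-byte-aligned %esp. expm1l begins before this hunk (its label appears only in the hunk header) and continues past it.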
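Review bot: The `subq $4, %rsp` added here leaves %rsp only 4-byte aligned for the duration of the `movl`/`flds` pair and exists solely to materialize the constant `0xc2820000` (-65.0f) for the x87 compare; the original `-4(%rsp)` store it replaces was within the x86-64 red zone and therefore not exposed to signal-frame clobbering. A `.rodata` constant loaded RIP-relative removes the stack round-trip, the alignment wobble and two instructions, and reads more clearly than a magic immediate. expm1l's label is in the hunk header and its body continues after `jb 1f`, so the rest of the function is outside this view.
```asm
	.section .rodata
	.align 4
.Lneg65: .long 0xc2820000	# -65.0f, compared against x*log2(e) below
	.text
# … unchanged: .global/.type directives, expm1l:, fldt/fldl2e …
	fmulp
	flds .Lneg65(%rip)
	fucomip %st(1),%st
# … unchanged: rest of expm1l …
```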