diff --git a/ChangeLog b/ChangeLog
index 07dc773..1323e18 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2015-07-08 Igor Zamyatin
+
+ [BZ #18134]
+ * sysdeps/i386/dl-trampoline.S (_dl_runtime_profile): Save
+ and restore Intel MPX return bound registers.
+ * sysdeps/x86_64/dl-trampoline.h: Add PRESERVE_BND_REGS_PREFIX to
+ call, jump and ret instructions to not loose bounds.
+ * sysdeps/x86/bits/link.h (La_i86_retval): Add lrv_bnd0 and
+ lrv_bnd1.
+ * sysdeps/i386/link-defines.sym: Add definitions for LRV_BND0_OFFSET
+ and LRV_BND1_OFFSET.
+
 2015-07-08 Feng Gao + + * libio/fileops.c: Use "|" instead of "+" when combine _IO_LINE_BUF
diff --git a/sysdeps/i386/dl-trampoline.S b/sysdeps/i386/dl-trampoline.S
index 7c72b03..d03bc8c 100644
--- a/sysdeps/i386/dl-trampoline.S
+++ b/sysdeps/i386/dl-trampoline.S
@@ -19,6 +19,12 @@
 #include
 #include
+#ifdef HAVE_MPX_SUPPORT
+# define PRESERVE_BND_REGS_PREFIX bnd
+#else
+# define PRESERVE_BND_REGS_PREFIX .byte 0xf2
+#endif
+
 .text
 .globl _dl_runtime_resolve
 .type _dl_runtime_resolve, @function
@@ -172,6 +178,13 @@ _dl_runtime_profile:
 movl %edx, LRV_EDX_OFFSET(%esp)
 fstpt LRV_ST0_OFFSET(%esp)
 fstpt LRV_ST1_OFFSET(%esp)
+#ifdef HAVE_MPX_SUPPORT
+ bndmov %bnd0, LRV_BND0_OFFSET(%esp)
+ bndmov %bnd1, LRV_BND1_OFFSET(%esp)
+#else
+ .byte 0x66,0x0f,0x1b,0x04,0x24,LRV_BND0_OFFSET
+ .byte 0x66,0x0f,0x1b,0x4c,0x24,LRV_BND1_OFFSET
+#endif
 pushl %esp
 cfi_adjust_cfa_offset (4)
 # Address of La_i86_regs area.
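Review bot: The hand-encoded fallback `.byte 0x66,0x0f,0x1b,0x04,0x24,LRV_BND0_OFFSET` in the #else branch of the @@ -172 hunk does not encode the `bndmov %bnd0, LRV_BND0_OFFSET(%esp)` it replaces: ModRM 0x04 is mod=00, which with SIB 0x24 (base=esp, no index) means `(%esp)` with no displacement at all, so bnd0 is stored over the lrv_eax/lrv_edx slots written just above and the trailing LRV_BND0_OFFSET byte is left in the instruction stream to be decoded as the start of the next instruction. The %bnd1 line uses 0x4c (mod=01, reg=bnd1, disp8), which is the correct shape; bnd0 needs the same mod bits, `.byte 0x66,0x0f,0x1b,0x44,0x24,LRV_BND0_OFFSET`. This path is only assembled when HAVE_MPX_SUPPORT is undefined, so a toolchain that accepts the mnemonic will never exercise it, which is exactly why a comment such as `# bndmov %bndN, disp8(%esp) for assemblers without MPX support` should sit above the .byte lines so the bytes can be checked against the mnemonic. _dl_runtime_profile starts and ends outside this hunk.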
@@ -185,9 +198,17 @@ _dl_runtime_profile:
 movl LRV_EDX_OFFSET(%esp), %edx
 fldt LRV_ST1_OFFSET(%esp)
 fldt LRV_ST0_OFFSET(%esp)
+#ifdef HAVE_MPX_SUPPORT
+ bndmov LRV_BND0_OFFSET(%esp), %bnd0
+ bndmov LRV_BND1_OFFSET(%esp), %bnd1
+#else
+ .byte 0x66,0x0f,0x1a,0x04,0x24,LRV_BND0_OFFSET
+ .byte 0x66,0x0f,0x1a,0x4c,0x24,LRV_BND1_OFFSET
+#endif
 # Restore stack before return.
 addl $(LRV_SIZE + 4 + LR_SIZE + 4), %esp
 cfi_adjust_cfa_offset (-(LRV_SIZE + 4 + LR_SIZE + 4))
+ PRESERVE_BND_REGS_PREFIX
 ret
 cfi_endproc
 .size _dl_runtime_profile, .-_dl_runtime_profile
diff --git a/sysdeps/i386/link-defines.sym b/sysdeps/i386/link-defines.sym
index a63dcb9..0995adb 100644
--- a/sysdeps/i386/link-defines.sym
+++ b/sysdeps/i386/link-defines.sym
@@ -16,3 +16,5 @@ LRV_EAX_OFFSET offsetof (struct La_i86_retval, lrv_eax)
 LRV_EDX_OFFSET offsetof (struct La_i86_retval, lrv_edx)
 LRV_ST0_OFFSET offsetof (struct La_i86_retval, lrv_st0)
 LRV_ST1_OFFSET offsetof (struct La_i86_retval, lrv_st1)
+LRV_BND0_OFFSET offsetof (struct La_i86_retval, lrv_bnd0)
+LRV_BND1_OFFSET offsetof (struct La_i86_retval, lrv_bnd1)
diff --git a/sysdeps/x86/bits/link.h b/sysdeps/x86/bits/link.h
index 3f559c9..0bf9b9a 100644
--- a/sysdeps/x86/bits/link.h
+++ b/sysdeps/x86/bits/link.h
@@ -38,6 +38,8 @@ typedef struct La_i86_retval
 uint32_t lrv_edx;
 long double lrv_st0;
 long double lrv_st1;
+ uint64_t lrv_bnd0;
+ uint64_t lrv_bnd1;
 } La_i86_retval;
diff --git a/sysdeps/x86_64/dl-trampoline.h b/sysdeps/x86_64/dl-trampoline.h
index 0e5a6fb..d542428 100644
--- a/sysdeps/x86_64/dl-trampoline.h
+++ b/sysdeps/x86_64/dl-trampoline.h
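Review bot: The restore-side fallback `.byte 0x66,0x0f,0x1a,0x04,0x24,LRV_BND0_OFFSET` in the @@ -185 hunk has the same encoding defect as the %bnd0 line in the save path: ModRM 0x04 is mod=00, so with SIB 0x24 the operand is `(%esp)` with no displacement, meaning bnd0 is reloaded from the lrv_eax/lrv_edx slots rather than from lrv_bnd0, and the LRV_BND0_OFFSET byte is not part of the instruction and will be decoded as an opcode before the `# Restore stack before return.` `addl`. The %bnd1 line's 0x4c (mod=01, disp8) is the right form; use `.byte 0x66,0x0f,0x1a,0x44,0x24,LRV_BND0_OFFSET` for bnd0. Since LRV_BND0_OFFSET follows lrv_eax, lrv_edx and two long doubles per the link-defines.sym and link.h hunks below, it is nonzero, so the mod=00 form cannot be what was intended. The `PRESERVE_BND_REGS_PREFIX` ahead of `ret` is the right place for it, as there is no unprefixed branch between the restore and the return. _dl_runtime_profile begins outside this hunk.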
@@ -63,20 +63,6 @@
 movaps (LR_XMM_OFFSET + XMM_SIZE*6)(%rsp), %xmm6
 movaps (LR_XMM_OFFSET + XMM_SIZE*7)(%rsp), %xmm7
-#ifndef __ILP32__
-# ifdef HAVE_MPX_SUPPORT
- bndmov (LR_BND_OFFSET)(%rsp), %bnd0 # Restore bound
- bndmov (LR_BND_OFFSET + BND_SIZE)(%rsp), %bnd1 # registers.
- bndmov (LR_BND_OFFSET + BND_SIZE*2)(%rsp), %bnd2
- bndmov (LR_BND_OFFSET + BND_SIZE*3)(%rsp), %bnd3
-# else
- .byte 0x66,0x0f,0x1a,0x84,0x24;.long (LR_BND_OFFSET)
- .byte 0x66,0x0f,0x1a,0x8c,0x24;.long (LR_BND_OFFSET + BND_SIZE)
- .byte 0x66,0x0f,0x1a,0x94,0x24;.long (LR_BND_OFFSET + BND_SIZE*2)
- .byte 0x66,0x0f,0x1a,0x9c,0x24;.long (LR_BND_OFFSET + BND_SIZE*3)
-# endif
-#endif
-
 #ifdef RESTORE_AVX
 /* Check if any xmm0-xmm7 registers are changed by audit module. */
@@ -154,8 +140,24 @@
 1:
 #endif
+
+#ifndef __ILP32__
+# ifdef HAVE_MPX_SUPPORT
+ bndmov (LR_BND_OFFSET)(%rsp), %bnd0 # Restore bound
+ bndmov (LR_BND_OFFSET + BND_SIZE)(%rsp), %bnd1 # registers.
+ bndmov (LR_BND_OFFSET + BND_SIZE*2)(%rsp), %bnd2
+ bndmov (LR_BND_OFFSET + BND_SIZE*3)(%rsp), %bnd3
+# else
+ .byte 0x66,0x0f,0x1a,0x84,0x24;.long (LR_BND_OFFSET)
+ .byte 0x66,0x0f,0x1a,0x8c,0x24;.long (LR_BND_OFFSET + BND_SIZE)
+ .byte 0x66,0x0f,0x1a,0x94,0x24;.long (LR_BND_OFFSET + BND_SIZE*2)
+ .byte 0x66,0x0f,0x1a,0x9c,0x24;.long (LR_BND_OFFSET + BND_SIZE*3)
+# endif
+#endif
+
 mov 16(%rbx), %R10_LP # Anything in framesize?
 test %R10_LP, %R10_LP
+ PRESERVE_BND_REGS_PREFIX
 jns 3f
 /* There's nothing in the frame size, so there
@@ -174,6 +176,7 @@
 addq $48, %rsp # Adjust the stack to the return value
 # (eats the reloc index and link_map)
 cfi_adjust_cfa_offset(-48)
+ PRESERVE_BND_REGS_PREFIX
 jmp *%r11 # Jump to function address.
 3:
@@ -200,6 +203,7 @@
 movq 32(%rdi), %rsi
 movq 40(%rdi), %rdi
+ PRESERVE_BND_REGS_PREFIX
 call *%r11
 mov 24(%rbx), %rsp # Drop the copied stack content
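Review bot: The relocated bound-register restore in the @@ -154 hunk is now position-sensitive and nothing in the code says so: it is correct only because every branch between it and the final transfer (`jns 3f`, `jmp *%r11`, `call *%r11`) now carries PRESERVE_BND_REGS_PREFIX, and presumably it was moved below the RESTORE_AVX block because that block contains unprefixed conditional jumps that would reset the bounds. A maintainer adding an ordinary `jcc` after this point would silently reintroduce the bug, so I would put a comment above `#ifndef __ILP32__` such as `/* Restore the bound registers last: any branch without the BND prefix after this point clears them, so every jump/call/ret below must use PRESERVE_BND_REGS_PREFIX. */`. PRESERVE_BND_REGS_PREFIX is not defined anywhere in this header within the diff; it is presumably supplied by the including dl-trampoline.S, which is worth confirming for the x32 build too, since the prefix lines sit outside the `#ifndef __ILP32__` guard while the bndmov block sits inside it. The enclosing trampoline body runs past both ends of these hunks.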
@@ -280,11 +284,11 @@
 #ifndef __ILP32__
 # ifdef HAVE_MPX_SUPPORT
- bndmov LRV_BND0_OFFSET(%rcx), %bnd0 # Restore bound registers.
- bndmov LRV_BND1_OFFSET(%rcx), %bnd1
+ bndmov LRV_BND0_OFFSET(%rsp), %bnd0 # Restore bound registers.
+ bndmov LRV_BND1_OFFSET(%rsp), %bnd1
 # else
- .byte 0x66,0x0f,0x1a,0x81;.long (LRV_BND0_OFFSET)
- .byte 0x66,0x0f,0x1a,0x89;.long (LRV_BND1_OFFSET)
+ .byte 0x66,0x0f,0x1a,0x84,0x24;.long (LRV_BND0_OFFSET)
+ .byte 0x66,0x0f,0x1a,0x8c,0x24;.long (LRV_BND1_OFFSET)
 # endif
 #endif
@@ -299,6 +303,7 @@
 addq $48, %rsp # Adjust the stack to the return value
 # (eats the reloc index and link_map)
 cfi_adjust_cfa_offset(-48)
+ PRESERVE_BND_REGS_PREFIX
 retq
 #ifdef MORE_CODE
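Review bot: The change of base register from %rcx to %rsp in the @@ -280 hunk is a behavioural fix that neither the hunk nor the ChangeLog entry (which only mentions adding the prefix) explains, and the reader has to decode the raw bytes to see that 0x81/0x89 (mod=10, rm=rcx, disp32) were replaced by 0x84,0x24/0x8c,0x24 (mod=10, SIB with rsp base, disp32) to match. A why-comment on the first bndmov would carry that: `# Reload from the La_x86_64_retval area at (%rsp); %rcx is caller-saved and is not preserved across the pltexit call above.` — hedged, because the call that clobbers %rcx is outside the hunk and I am inferring it from the register's ABI class. The new raw encodings are consistent with the mnemonics, and the `PRESERVE_BND_REGS_PREFIX` before `retq` has only the `addq`/cfi lines between it and the restore, so no unprefixed branch can clear the bounds in between. The enclosing block continues outside both hunks.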