9 changes: 9 additions & 0 deletions doc/stack.qbk
Expand Up @@ -364,4 +364,13 @@ when linking against Boost binaries.
[endsect]


[section:stack_protect Support for stack protection]

Compiler switch `-fstack-protector` changes the default context switching logic.
Users must define `BOOST_CONTEXT_TLS_STACK_PROTECTOR` before including any
Boost.Context headers if stack protection is enabled.

[endsect]


[endsect]
44 changes: 27 additions & 17 deletions src/asm/jump_i386_sysv_elf_gas.S
Expand Up @@ -12,14 +12,14 @@
* ---------------------------------------------------------------------------------- *
* | 0x0 | 0x4 | 0x8 | 0xc | 0x10 | 0x14 | 0x18 | 0x1c | *
* ---------------------------------------------------------------------------------- *
* | fc_mxcsr|fc_x87_cw| EDI | ESI | EBX | EBP | EIP | hidden | *
* | fc_mxcsr|fc_x87_cw| guard | EDI | ESI | EBX | EBP | EIP | *
* ---------------------------------------------------------------------------------- *
* ---------------------------------------------------------------------------------- *
* | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | *
* ---------------------------------------------------------------------------------- *
* | 0x20 | 0x24 | | *
* | 0x20 | 0x24 | 0x28 | | *
* ---------------------------------------------------------------------------------- *
* | to | data | | *
* | hidden | to | data | | *
* ---------------------------------------------------------------------------------- *
* *
****************************************************************************************/
Expand All @@ -30,50 +30,60 @@
.align 2
.type jump_fcontext,@function
jump_fcontext:
leal -0x18(%esp), %esp /* prepare stack */
leal -0x1c(%esp), %esp /* prepare stack */

#if !defined(BOOST_USE_TSX)
stmxcsr (%esp) /* save MMX control- and status-word */
fnstcw 0x4(%esp) /* save x87 control-word */
#endif

movl %edi, 0x8(%esp) /* save EDI */
movl %esi, 0xc(%esp) /* save ESI */
movl %ebx, 0x10(%esp) /* save EBX */
movl %ebp, 0x14(%esp) /* save EBP */
#if defined(BOOST_CONTEXT_TLS_STACK_PROTECTOR)
movl %gs:0x14, %ecx /* read stack guard from TLS record */
movl %ecx, 0x8(%esp) /* save stack guard */
#endif

movl %edi, 0xc(%esp) /* save EDI */
movl %esi, 0x10(%esp) /* save ESI */
movl %ebx, 0x14(%esp) /* save EBX */
movl %ebp, 0x18(%esp) /* save EBP */

/* store ESP (pointing to context-data) in ECX */
movl %esp, %ecx

/* first arg of jump_fcontext() == fcontext to jump to */
movl 0x20(%esp), %eax
movl 0x24(%esp), %eax

/* second arg of jump_fcontext() == data to be transferred */
movl 0x24(%esp), %edx
movl 0x28(%esp), %edx

/* restore ESP (pointing to context-data) from EAX */
movl %eax, %esp

/* address of returned transport_t */
movl 0x1c(%esp), %eax
movl 0x20(%esp), %eax
/* return parent fcontext_t */
movl %ecx, (%eax)
/* return data */
movl %edx, 0x4(%eax)

movl 0x18(%esp), %ecx /* restore EIP */
movl 0x1c(%esp), %ecx /* restore EIP */

#if !defined(BOOST_USE_TSX)
ldmxcsr (%esp) /* restore MMX control- and status-word */
fldcw 0x4(%esp) /* restore x87 control-word */
#endif

movl 0x8(%esp), %edi /* restore EDI */
movl 0xc(%esp), %esi /* restore ESI */
movl 0x10(%esp), %ebx /* restore EBX */
movl 0x14(%esp), %ebp /* restore EBP */
#if defined(BOOST_CONTEXT_TLS_STACK_PROTECTOR)
movl 0x8(%esp), %edx /* load stack guard */
movl %edx, %gs:0x14 /* restore stack guard to TLS record */
#endif

movl 0xc(%esp), %edi /* restore EDI */
movl 0x10(%esp), %esi /* restore ESI */
movl 0x14(%esp), %ebx /* restore EBX */
movl 0x18(%esp), %ebp /* restore EBP */

leal 0x20(%esp), %esp /* prepare stack */
leal 0x24(%esp), %esp /* prepare stack */

/* jump to context */
jmp *%ecx
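Review bot: The guard save and restore inside `#if defined(BOOST_CONTEXT_TLS_STACK_PROTECTOR)` exist only if the macro is defined when this .S file is assembled, while the text added to doc/stack.qbk tells users to define it before including Boost.Context headers. None of the visible hunks touch a header or a build file, so a library built without the macro would presumably give a user who follows the documentation the larger record but no guard handling at all — please confirm. I would add a comment above the first `#if`, for example `/* BOOST_CONTEXT_TLS_STACK_PROTECTOR must be defined when the library itself is built; %gs:0x14 is the TLS slot holding the stack guard on this target */`, and say the same in the documentation.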
51 changes: 34 additions & 17 deletions src/asm/jump_x86_64_sysv_elf_gas.S
Expand Up @@ -12,14 +12,21 @@
* ---------------------------------------------------------------------------------- *
* | 0x0 | 0x4 | 0x8 | 0xc | 0x10 | 0x14 | 0x18 | 0x1c | *
* ---------------------------------------------------------------------------------- *
* | fc_mxcsr|fc_x87_cw| R12 | R13 | R14 | *
* | fc_mxcsr|fc_x87_cw| guard | R12 | R13 | *
* ---------------------------------------------------------------------------------- *
* ---------------------------------------------------------------------------------- *
* | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | *
* ---------------------------------------------------------------------------------- *
* | 0x20 | 0x24 | 0x28 | 0x2c | 0x30 | 0x34 | 0x38 | 0x3c | *
* ---------------------------------------------------------------------------------- *
* | R15 | RBX | RBP | RIP | *
* | R14 | R15 | RBX | RBP | *
* ---------------------------------------------------------------------------------- *
* ---------------------------------------------------------------------------------- *
* | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | *
* ---------------------------------------------------------------------------------- *
* | 0x40 | 0x44 | | *
* ---------------------------------------------------------------------------------- *
* | RIP | | *
* ---------------------------------------------------------------------------------- *
* *
****************************************************************************************/
Expand All @@ -35,41 +42,51 @@
.align 16
jump_fcontext:
_CET_ENDBR
leaq -0x38(%rsp), %rsp /* prepare stack */
leaq -0x40(%rsp), %rsp /* prepare stack */

#if !defined(BOOST_USE_TSX)
stmxcsr (%rsp) /* save MMX control- and status-word */
fnstcw 0x4(%rsp) /* save x87 control-word */
#endif

movq %r12, 0x8(%rsp) /* save R12 */
movq %r13, 0x10(%rsp) /* save R13 */
movq %r14, 0x18(%rsp) /* save R14 */
movq %r15, 0x20(%rsp) /* save R15 */
movq %rbx, 0x28(%rsp) /* save RBX */
movq %rbp, 0x30(%rsp) /* save RBP */
#if defined(BOOST_CONTEXT_TLS_STACK_PROTECTOR)
movq %fs:0x28, %rcx /* read stack guard from TLS record */
movq %rcx, 0x8(%rsp) /* save stack guard */
#endif

movq %r12, 0x10(%rsp) /* save R12 */
movq %r13, 0x18(%rsp) /* save R13 */
movq %r14, 0x20(%rsp) /* save R14 */
movq %r15, 0x28(%rsp) /* save R15 */
movq %rbx, 0x30(%rsp) /* save RBX */
movq %rbp, 0x38(%rsp) /* save RBP */

/* store RSP (pointing to context-data) in RAX */
movq %rsp, %rax

/* restore RSP (pointing to context-data) from RDI */
movq %rdi, %rsp

movq 0x38(%rsp), %r8 /* restore return-address */
movq 0x40(%rsp), %r8 /* restore return-address */

#if !defined(BOOST_USE_TSX)
ldmxcsr (%rsp) /* restore MMX control- and status-word */
fldcw 0x4(%rsp) /* restore x87 control-word */
#endif

movq 0x8(%rsp), %r12 /* restore R12 */
movq 0x10(%rsp), %r13 /* restore R13 */
movq 0x18(%rsp), %r14 /* restore R14 */
movq 0x20(%rsp), %r15 /* restore R15 */
movq 0x28(%rsp), %rbx /* restore RBX */
movq 0x30(%rsp), %rbp /* restore RBP */
#if defined(BOOST_CONTEXT_TLS_STACK_PROTECTOR)
movq 0x8(%rsp), %rdx /* load stack guard */
movq %rdx, %fs:0x28 /* restore stack guard to TLS record */
#endif

movq 0x10(%rsp), %r12 /* restore R12 */
movq 0x18(%rsp), %r13 /* restore R13 */
movq 0x20(%rsp), %r14 /* restore R14 */
movq 0x28(%rsp), %r15 /* restore R15 */
movq 0x30(%rsp), %rbx /* restore RBX */
movq 0x38(%rsp), %rbp /* restore RBP */

leaq 0x40(%rsp), %rsp /* prepare stack */
leaq 0x48(%rsp), %rsp /* prepare stack */

/* return transfer_t from jump */
#if !defined(_ILP32)
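Review bot: The guard offset `%fs:0x28` is used unconditionally, yet this file is also assembled for x32, as the `#if !defined(_ILP32)` at the end of the hunk shows. As far as I know the x32 TLS header keeps the stack guard at a different offset (GCC uses 0x18 there) and only 4 bytes wide, so with `_ILP32` and `BOOST_CONTEXT_TLS_STACK_PROTECTOR` both defined the two `movq` instructions would save and later overwrite an unrelated TLS field; verify against the target libc. Either select the offset and operand width per ABI, or reject the combination with `#if defined(_ILP32) && defined(BOOST_CONTEXT_TLS_STACK_PROTECTOR)` followed by an `#error`. jump_fcontext continues past the end of this hunk.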
24 changes: 15 additions & 9 deletions src/asm/make_i386_sysv_elf_gas.S
Expand Up @@ -12,14 +12,14 @@
* ---------------------------------------------------------------------------------- *
* | 0x0 | 0x4 | 0x8 | 0xc | 0x10 | 0x14 | 0x18 | 0x1c | *
* ---------------------------------------------------------------------------------- *
* | fc_mxcsr|fc_x87_cw| EDI | ESI | EBX | EBP | EIP | hidden | *
* | fc_mxcsr|fc_x87_cw| guard | EDI | ESI | EBX | EBP | EIP | *
* ---------------------------------------------------------------------------------- *
* ---------------------------------------------------------------------------------- *
* | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | *
* ---------------------------------------------------------------------------------- *
* | 0x20 | 0x24 | | *
* | 0x20 | 0x24 | 0x28 | | *
* ---------------------------------------------------------------------------------- *
* | to | data | | *
* | hidden | to | data | | *
* ---------------------------------------------------------------------------------- *
* *
****************************************************************************************/
Expand All @@ -41,22 +41,28 @@ make_fcontext:
andl $-16, %eax

/* reserve space for context-data on context-stack */
leal -0x28(%eax), %eax
leal -0x2c(%eax), %eax

/* third arg of make_fcontext() == address of context-function */
/* stored in EBX */
movl 0xc(%esp), %ecx
movl %ecx, 0x10(%eax)
movl %ecx, 0x14(%eax)

/* save MMX control- and status-word */
stmxcsr (%eax)
/* save x87 control-word */
fnstcw 0x4(%eax)

#if defined(BOOST_CONTEXT_TLS_STACK_PROTECTOR)
/* save stack guard */
movl %gs:0x14, %ecx /* read stack guard from TLS record */
movl %ecx, 0x8(%eax) /* save stack guard */
#endif

/* return transport_t */
/* FCTX == EDI, DATA == ESI */
leal 0x8(%eax), %ecx
movl %ecx, 0x1c(%eax)
leal 0xc(%eax), %ecx
movl %ecx, 0x20(%eax)

/* compute abs address of label trampoline */
call 1f
Expand All @@ -66,7 +72,7 @@ make_fcontext:
addl $trampoline-1b, %ecx
/* save address of trampoline as return address */
/* will be entered after calling jump_fcontext() first time */
movl %ecx, 0x18(%eax)
movl %ecx, 0x1c(%eax)

/* compute abs address of label finish */
call 2f
Expand All @@ -76,7 +82,7 @@ make_fcontext:
addl $finish-2b, %ecx
/* save address of finish as return-address for context-function */
/* will be entered after context-function returns */
movl %ecx, 0x14(%eax)
movl %ecx, 0x18(%eax)

ret /* return pointer to context-data */
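Review bot: Every slot after the new guard word is addressed by a hand-shifted literal here (`-0x2c(%eax)`, `0x14(%eax)`, `0x20(%eax)`, `0x1c(%eax)`, `0x18(%eax)`), and these must agree exactly with the offsets in jump_i386_sysv_elf_gas.S. Any other routine that reads the same record (an ontop_fcontext implementation for this target, if the library has one; it is not visible on this page) needs the identical shift, or it will restore registers and the return address from the wrong slots. At minimum I would add a comment at the layout table such as `/* layout shared with jump_fcontext and ontop_fcontext: change all files together */`; named offset macros shared between the files would be safer still. The start of make_fcontext lies outside these hunks.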

25 changes: 19 additions & 6 deletions src/asm/make_x86_64_sysv_elf_gas.S
Expand Up @@ -12,14 +12,21 @@
* ---------------------------------------------------------------------------------- *
* | 0x0 | 0x4 | 0x8 | 0xc | 0x10 | 0x14 | 0x18 | 0x1c | *
* ---------------------------------------------------------------------------------- *
* | fc_mxcsr|fc_x87_cw| R12 | R13 | R14 | *
* | fc_mxcsr|fc_x87_cw| guard | R12 | R13 | *
* ---------------------------------------------------------------------------------- *
* ---------------------------------------------------------------------------------- *
* | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | *
* ---------------------------------------------------------------------------------- *
* | 0x20 | 0x24 | 0x28 | 0x2c | 0x30 | 0x34 | 0x38 | 0x3c | *
* ---------------------------------------------------------------------------------- *
* | R15 | RBX | RBP | RIP | *
* | R14 | R15 | RBX | RBP | *
* ---------------------------------------------------------------------------------- *
* ---------------------------------------------------------------------------------- *
* | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | *
* ---------------------------------------------------------------------------------- *
* | 0x40 | 0x44 | | *
* ---------------------------------------------------------------------------------- *
* | RIP | | *
* ---------------------------------------------------------------------------------- *
* *
****************************************************************************************/
Expand All @@ -43,28 +50,34 @@ make_fcontext:

/* reserve space for context-data on context-stack */
/* on context-function entry: (RSP -0x8) % 16 == 0 */
leaq -0x40(%rax), %rax
leaq -0x48(%rax), %rax

/* third arg of make_fcontext() == address of context-function */
/* stored in RBX */
movq %rdx, 0x28(%rax)
movq %rdx, 0x30(%rax)

/* save MMX control- and status-word */
stmxcsr (%rax)
/* save x87 control-word */
fnstcw 0x4(%rax)

#if defined(BOOST_CONTEXT_TLS_STACK_PROTECTOR)
/* save stack guard */
movq %fs:0x28, %rcx /* read stack guard from TLS record */
movq %rcx, 0x8(%rsp) /* save stack guard */
#endif

/* compute abs address of label trampoline */
leaq trampoline(%rip), %rcx
/* save address of trampoline as return-address for context-function */
/* will be entered after calling jump_fcontext() first time */
movq %rcx, 0x38(%rax)
movq %rcx, 0x40(%rax)

/* compute abs address of label finish */
leaq finish(%rip), %rcx
/* save address of finish as return-address for context-function */
/* will be entered after context-function returns */
movq %rcx, 0x30(%rax)
movq %rcx, 0x38(%rax)

ret /* return pointer to context-data */
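Review bot: In the new `BOOST_CONTEXT_TLS_STACK_PROTECTOR` block the guard is stored with `movq %rcx, 0x8(%rsp)`, but every other store in make_fcontext goes through `%rax`, the new context record, while `%rsp` is still the caller's stack. As written the canary is written into the caller's frame just above the return address, and the record's guard slot at 0x8 stays uninitialised, so the first jump_fcontext into this context would load whatever the fresh stack memory holds into `%fs:0x28`; a zero or otherwise predictable canary defeats the stack protector for code running in that context. The i386 version stores through `0x8(%eax)`, and the line here should be `movq %rcx, 0x8(%rax) /* save stack guard */`. The start of make_fcontext lies outside the hunk.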
