From b29bfccfbd743c6a3f975a0b53be981613ec5ee3 Mon Sep 17 00:00:00 2001 From: guenther Date: Sun, 7 Aug 2016 02:02:57 +0000 Subject: [PATCH] Add XOR cookies for lr and sp. Stop saving/restoring r12 to/from the jmpbuf. Switch from calling obsolete sig{block,setmask} to directly using the sigprocmask syscall. ok deraadt@ kettenis@ --- lib/libc/arch/arm/gen/_setjmp.S | 50 +++++++++++++--- lib/libc/arch/arm/gen/setjmp.S | 100 ++++++++++++++++++-------------- sys/arch/arm/include/setjmp.h | 48 +++++++-------- 3 files changed, 117 insertions(+), 81 deletions(-) diff --git a/lib/libc/arch/arm/gen/_setjmp.S b/lib/libc/arch/arm/gen/_setjmp.S index 270d924ebf3..adc06de6ee9 100644 --- a/lib/libc/arch/arm/gen/_setjmp.S +++ b/lib/libc/arch/arm/gen/_setjmp.S @@ -1,4 +1,4 @@ -/* $OpenBSD: _setjmp.S,v 1.4 2016/08/06 19:16:09 guenther Exp $ */ +/* $OpenBSD: _setjmp.S,v 1.5 2016/08/07 02:02:57 guenther Exp $ */ /* $NetBSD: _setjmp.S,v 1.5 2003/04/05 23:08:51 bjh21 Exp $ */ /* @@ -36,6 +36,15 @@ #include "DEFS.h" #include + .section .openbsd.randomdata,"aw",%progbits + .align 4 + .globl __jmpxor +__jmpxor: + .zero 4*2 /* (sp, lr) */ + END(__jmpxor) + .type __jmpxor,%object + + /* * C library -- _setjmp, _longjmp * @@ -52,6 +61,13 @@ ENTRY(_setjmp) ldr r1, .L_setjmp_magic str r1, [r0], #4 + ldr r2, .L_jmpxor_setjmp +1: add r2, pc, r2 /* r2 = &__jmpxor */ + ldr r3, [r2], #4 /* r3 = __jmpxor[1] */ + ldr r2, [r2] /* r2 = __jmpxor[0] */ + eor r2, r13, r2 /* r2 = sp ^ __jmpxor[0] */ + eor r3, lr, r3 /* r3 = lr ^ __jmpxor[1] */ + #ifdef SOFTFLOAT add r0, r0, #52 #else @@ -62,13 +78,17 @@ ENTRY(_setjmp) str r1, [r0], #0x0004 #endif /* SOFTFLOAT */ /* Store integer registers */ - stmia r0, {r4-r14} + stmia r0, {r2-r11} - mov r0, #0x00000000 - mov r15, r14 + mov r0, #0x00000000 + mov r2, r0 /* overwrite __jmpxor copies */ + mov r3, r0 + mov pc, lr .L_setjmp_magic: .word _JB_MAGIC__SETJMP +.L_jmpxor_setjmp: + .word __jmpxor - 1b END_STRONG(_setjmp) ENTRY(_longjmp) @@ -86,19 +106,31 @@ ENTRY(_longjmp) ldr r4, [r0], #0x0004 wfs r4 #endif /* SOFTFLOAT */ - /* Restore integer registers */ - ldmia r0, {r4-r14} + /* Restore integer registers */ + ldmia r0, {r2-r11} - /* Validate sp and r14 */ + ldr r0, .L_jmpxor_longjmp +1: add r0, pc, r0 /* r0 = &__jmpxor */ + ldr lr, [r0], #4 /* lr = __jmpxor[1] */ + eor lr, r3, lr /* lr ^= jmpbuf[LR] */ + ldr r0, [r0] /* r0 = __jmpxor[0] */ + eor r13, r0, r2 /* sp = __jmpxor[0] ^ jmpbuf[SP] */ + mov r2, r1 /* overwrite __jmpxor copies */ + mov r3, r1 + + /* Validate sp and lr */ teq sp, #0 - teqne r14, #0 + teqne lr, #0 beq botch /* Set return value */ mov r0, r1 teq r0, #0x00000000 moveq r0, #0x00000001 - mov r15, r14 + mov pc, lr + +.L_jmpxor_longjmp: + .word __jmpxor - 1b /* validation failed, die die die. */ botch: diff --git a/lib/libc/arch/arm/gen/setjmp.S b/lib/libc/arch/arm/gen/setjmp.S index 044b29ef02e..7edb8b3d7f7 100644 --- a/lib/libc/arch/arm/gen/setjmp.S +++ b/lib/libc/arch/arm/gen/setjmp.S @@ -1,4 +1,4 @@ -/* $OpenBSD: setjmp.S,v 1.5 2016/08/06 19:16:09 guenther Exp $ */ +/* $OpenBSD: setjmp.S,v 1.6 2016/08/07 02:02:57 guenther Exp $ */ /* $NetBSD: setjmp.S,v 1.5 2003/04/05 23:08:51 bjh21 Exp $ */ /* @@ -33,9 +33,11 @@ * SUCH DAMAGE. */ -#include "DEFS.h" +#include "SYS.h" #include + .hidden __jmpxor + /* * C library -- setjmp, longjmp * @@ -48,36 +50,45 @@ ENTRY(setjmp) /* Block all signals and retrieve the old signal mask */ - stmfd sp!, {r0, r14} - mov r0, #0x00000000 - - bl _HIDDEN(sigblock) - mov r1, r0 - - ldmfd sp!, {r0, r14} + mov r2, r0 + mov r1, #0x00000000 + mov r0, #0x00000001 /* SIG_BLOCK */ + SYSTRAP(sigprocmask) /* Store signal mask */ - str r1, [r0, #(25 * 4)] + str r0, [r2, #(25 * 4)] ldr r1, .Lsetjmp_magic - str r1, [r0], #4 + str r1, [r2], #4 + + ldr r12, .L_jmpxor_setjmp +1: add r12, pc, r12 /* r12 = &__jmpxor */ + ldr r3, [r12], #4 /* r3 = __jmpxor[1] */ + ldr r12, [r12] /* r12 = __jmpxor[0] */ + eor r12, r13, r12 /* r12 = sp ^ __jmpxor[0] */ + eor r3, lr, r3 /* r3 = lr ^ __jmpxor[1] */ #ifdef SOFTFLOAT - add r0, r0, #52 + add r2, r2, #52 #else /* Store fp registers */ - sfm f4, 4, [r0], #48 + sfm f4, 4, [r2], #48 /* Store fpsr */ rfs r1 - str r1, [r0], #0x0004 + str r1, [r2], #0x0004 #endif /*SOFTFLOAT*/ /* Store integer registers */ - stmia r0, {r4-r14} - mov r0, #0x00000000 - mov r15, r14 + stmia r2, {r3-r12} + + mov r0, #0x00000000 + mov r12, r0 /* overwrite __jmpxor copies */ + mov r3, r0 + mov pc, lr .Lsetjmp_magic: .word _JB_MAGIC_SETJMP +.L_jmpxor_setjmp: + .word __jmpxor - 1b END_STRONG(setjmp) @@ -87,47 +98,48 @@ ENTRY(longjmp) teq r2, r3 bne botch - /* Fetch signal mask */ - ldr r2, [r0, #(25 * 4)] + /* Fetch signal mask and call sigprocmask */ + mov r3, r0 /* r3 = jmpbuf */ + mov r2, r1 /* r2 = retvalue */ + ldr r1, [r0, #(25 * 4)] + mov r0, #0x00000003 /* SIG_SETMASK */ + SYSTRAP(sigprocmask) - /* Set signal mask */ - stmfd sp!, {r0, r1, r14} - sub sp, sp, #4 /* align the stack */ - - mov r0, r2 - bl _HIDDEN(sigsetmask) - - add sp, sp, #4 /* unalign the stack */ - ldmfd sp!, {r0, r1, r14} - - add r0, r0, #4 + add r3, r3, #4 #ifdef SOFTFLOAT - add r0, r0, #52 + add r3, r3, #52 #else /* Restore fp registers */ - lfm f4, 4, [r0], #48 + lfm f4, 4, [r3], #48 /* Restore FPSR */ - ldr r4, [r0], #0x0004 + ldr r4, [r3], #0x0004 wfs r4 #endif /* SOFTFLOAT */ /* Restore integer registers */ - ldmia r0, {r4-r14} - - /* Validate sp and r14 */ + ldmia r3, {r3-r12} + + ldr r0, .L_jmpxor_longjmp +1: add r0, pc, r0 /* r0 = &__jmpxor */ + ldr lr, [r0], #4 /* lr = __jmpxor[1] */ + eor lr, r3, lr /* lr ^= jmpbuf[LR] */ + ldr r0, [r0] /* r0 = __jmpxor[0] */ + eor r13, r0, r12 /* sp = __jmpxor[0] ^ jmpbuf[SP] */ + mov r12, r2 /* overwrite __jmpxor copies */ + mov r3, r2 + + /* Validate sp and lr */ teq sp, #0 - teqne r14, #0 + teqne lr, #0 beq botch /* Set return value */ - - mov r0, r1 + mov r0, r12 teq r0, #0x00000000 moveq r0, #0x00000001 -#ifdef __ARM_26__ - mov r15, r14 -#else - mov r15, r14 -#endif + mov pc, lr + +.L_jmpxor_longjmp: + .word __jmpxor - 1b /* validation failed, die die die. */ botch: diff --git a/sys/arch/arm/include/setjmp.h b/sys/arch/arm/include/setjmp.h index 41624454804..a24c3fb1094 100644 --- a/sys/arch/arm/include/setjmp.h +++ b/sys/arch/arm/include/setjmp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: setjmp.h,v 1.3 2013/02/09 20:52:12 miod Exp $ */ +/* $OpenBSD: setjmp.h,v 1.4 2016/08/07 02:02:57 guenther Exp $ */ /* $NetBSD: setjmp.h,v 1.2 2001/08/25 14:45:59 bjh21 Exp $ */ /* @@ -8,11 +8,6 @@ #define _JBLEN 64 /* size, in longs, of a jmp_buf */ /* - * NOTE: The internal structure of a jmp_buf is *PRIVATE* - * This information is provided as there is software - * that fiddles with this with obtain the stack pointer - * (yes really ! and it's commercial !). - * * Description of the setjmp buffer * * word 0 magic number (dependant on creator) @@ -21,17 +16,17 @@ * 7 - 9 f6 fp register 6 * 10 - 12 f7 fp register 7 * 13 fpsr fp status register - * 14 r4 register 4 - * 15 r5 register 5 - * 16 r6 register 6 - * 17 r7 register 7 - * 18 r8 register 8 - * 19 r9 register 9 - * 20 r10 register 10 (sl) - * 21 r11 register 11 (fp) - * 22 r12 register 12 (ip) - * 23 r13 register 13 (sp) - * 24 r14 register 14 (lr) + * 14 r13 register 13 (sp) XOR cookie0 + * 15 r14 register 14 (lr) XOR cookie1 + * 16 r4 register 4 + * 17 r5 register 5 + * 18 r6 register 6 + * 19 r7 register 7 + * 20 r8 register 8 + * 21 r9 register 9 + * 22 r10 register 10 (sl) + * 23 r11 register 11 (fp) + * 24 unused unused * 25 signal mask (dependant on magic) * 26 (con't) * 27 (con't) @@ -66,17 +61,14 @@ #define _JB_REG_F6 7 #define _JB_REG_F7 10 #define _JB_REG_FPSR 13 -#define _JB_REG_R4 14 -#define _JB_REG_R5 15 -#define _JB_REG_R6 16 -#define _JB_REG_R7 17 -#define _JB_REG_R8 18 -#define _JB_REG_R9 19 -#define _JB_REG_R10 20 -#define _JB_REG_R11 21 -#define _JB_REG_R12 22 -#define _JB_REG_R13 23 -#define _JB_REG_R14 24 +#define _JB_REG_R4 16 +#define _JB_REG_R5 17 +#define _JB_REG_R6 18 +#define _JB_REG_R7 19 +#define _JB_REG_R8 20 +#define _JB_REG_R9 21 +#define _JB_REG_R10 22 +#define _JB_REG_R11 23 /* Only valid with the _JB_MAGIC_SETJMP magic */ -- 2.20.1