author | H.J. Lu <hjl.tools@gmail.com> | 2018-05-02 06:17:20 -0700 |
---|---|---|
committer | H.J. Lu <hjl.tools@gmail.com> | 2018-05-02 06:17:41 -0700 |
commit | d6cc1829aa31b6fb060f24dffd28aa6705cdd33a (patch) | |
tree | 197e7983f66d43765505f94a5a29d254d27f6d02 /sysdeps/unix/sysv | |
parent | b109fbfe4dd2ca77656157ddaded773e0da630a2 (diff) | |
x86: Use pad in pthread_unwind_buf to preserve shadow stack register
The pad array in struct pthread_unwind_buf is used by setjmp to save shadow stack register. We assert that size of struct pthread_unwind_buf is no less than offset of shadow stack pointer + shadow stack pointer size. Since functions, like LIBC_START_MAIN, START_THREAD_DEFN as well as these with thread cancellation, call setjmp, but never return after __libc_unwind_longjmp, __libc_unwind_longjmp, which is defined as __libc_longjmp on x86, doesn't need to restore shadow stack register. __libc_longjmp, which is a private interface for thread cancellation implementation in libpthread, is changed to call __longjmp_cancel, instead of __longjmp. __longjmp_cancel is a new internal function in libc, which is similar to __longjmp, but doesn't restore shadow stack register. The compatibility longjmp and siglongjmp in libpthread.so are changed to call __libc_siglongjmp, instead of __libc_longjmp, so that they will restore shadow stack register. Tested with build-many-glibcs.py. Signed-off-by: H.J. Lu <hjl.tools@gmail.com> Reviewed-by: Carlos O'Donell <carlos@redhat.com> * nptl/pthread_create.c (START_THREAD_DEFN): Clear previous handlers after setjmp. * setjmp/longjmp.c (__libc_longjmp): Don't define alias if defined. * sysdeps/unix/sysv/linux/x86/setjmpP.h: Include <libc-pointer-arith.h>. (_JUMP_BUF_SIGSET_BITS_PER_WORD): New. (_JUMP_BUF_SIGSET_NSIG): Changed to 96. (_JUMP_BUF_SIGSET_NWORDS): Changed to use ALIGN_UP and _JUMP_BUF_SIGSET_BITS_PER_WORD. * sysdeps/x86/Makefile (sysdep_routines): Add __longjmp_cancel. * sysdeps/x86/__longjmp_cancel.S: New file. * sysdeps/x86/longjmp.c: Likewise. * sysdeps/x86/nptl/pt-longjmp.c: Likewise.
Diffstat (limited to 'sysdeps/unix/sysv')
-rw-r--r-- | sysdeps/unix/sysv/linux/x86/setjmpP.h | 71 |
1 files changed, 66 insertions, 5 deletions
diff --git a/sysdeps/unix/sysv/linux/x86/setjmpP.h b/sysdeps/unix/sysv/linux/x86/setjmpP.h
index c0ed767a0d..6b2608453d 100644
--- a/sysdeps/unix/sysv/linux/x86/setjmpP.h
+++ b/sysdeps/unix/sysv/linux/x86/setjmpP.h
@@ -20,13 +20,72 @@ #define _SETJMPP_H 1 #include <bits/types/__sigset_t.h> +#include <libc-pointer-arith.h> -/* The biggest signal number + 1. As of kernel 4.14, x86 _NSIG is 64. - Define it to 513 to leave some rooms for future use. */ -#define _JUMP_BUF_SIGSET_NSIG 513 +/* <setjmp/setjmp.h> has + +struct __jmp_buf_tag + { + __jmp_buf __jmpbuf; + int __mask_was_saved; + __sigset_t __saved_mask; + }; + + struct __jmp_buf_tag is 32 bits aligned on i386 and is 64 bits + aligned on x32 and x86-64. __saved_mask is aligned to 32 bits + on i386/x32 without padding and is aligned to 64 bits on x86-64 + with 32 bit padding. + + and <nptl/descr.h> has + +struct pthread_unwind_buf +{ + struct + { + __jmp_buf jmp_buf; + int mask_was_saved; + } cancel_jmp_buf[1]; + + union + { + void *pad[4]; + struct + { + struct pthread_unwind_buf *prev; + struct _pthread_cleanup_buffer *cleanup; + int canceltype; + } data; + } priv; +}; + + struct pthread_unwind_buf is 32 bits aligned on i386 and 64 bits + aligned on x32/x86-64. cancel_jmp_buf is aligned to 32 bits on + i386 and is aligned to 64 bits on x32/x86-64. + + The pad array in struct pthread_unwind_buf is used by setjmp to save + shadow stack register. The usable space in __saved_mask for sigset + and shadow stack pointer: + 1. i386: The 4x4 byte pad array which can be used for 4 byte shadow + stack pointer and maximum 12 byte sigset. + 2. x32: 4 byte padding + the 4x4 byte pad array which can be used + for 8 byte shadow stack pointer and maximum 12 byte sigset. + 3. x86-64: The 4x8 byte pad array which can be used for 8 byte + shadow stack pointer and maximum 24 byte sigset. + + NB: We use setjmp in thread cancellation and this saves the shadow + stack register, but __libc_unwind_longjmp doesn't restore the shadow + stack register since cancellation never returns after longjmp. */ + +/* Number of bits per long. */ +#define _JUMP_BUF_SIGSET_BITS_PER_WORD (8 * sizeof (unsigned long int)) +/* The biggest signal number. 
As of kernel 4.14, x86 _NSIG is 64. The + common maximum sigset for i386, x32 and x86-64 is 12 bytes (96 bits). + Define it to 96 to leave some rooms for future use. */ +#define _JUMP_BUF_SIGSET_NSIG 96 /* Number of longs to hold all signals. */ #define _JUMP_BUF_SIGSET_NWORDS \ - ((_JUMP_BUF_SIGSET_NSIG - 1 + 7) / (8 * sizeof (unsigned long int))) + (ALIGN_UP (_JUMP_BUF_SIGSET_NSIG, _JUMP_BUF_SIGSET_BITS_PER_WORD) \ + / _JUMP_BUF_SIGSET_BITS_PER_WORD) typedef struct { @@ -39,7 +98,9 @@ typedef union struct { __jmp_buf_sigset_t __saved_mask; - /* Used for shadow stack pointer. */ + /* Used for shadow stack pointer. NB: Shadow stack pointer + must have the same alignment as __saved_mask. Otherwise + offset of __saved_mask will be changed. */ unsigned long int __shadow_stack_pointer; } __saved; } __jmpbuf_arch_t; |
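Review bot: The `unsigned long int __shadow_stack_pointer` field in the second hunk is only 4 bytes on x32, yet item 2 of the new layout comment in the first hunk budgets 8 bytes for the x32 shadow stack pointer, and nothing in the header says how that gap is bridged. Presumably the x32 save/restore code stores 8 bytes at this field's offset; that only stays in bounds if the enclosing `typedef union` (its other member is outside this hunk) is larger than the `__saved` struct, which a reader of this declaration cannot see. I would add a comment above the field along the lines of `/* NB: On x32 this field is only 4 bytes while the layout comment above reserves 8; an 8-byte store here relies on the enclosing union being larger than this struct.  */`. The size assertion against struct pthread_unwind_buf that the commit message mentions lives outside this diff, so a cross-reference to it from the items 1-3 of the layout comment in the first hunk would also help, since those byte counts are otherwise unverifiable here.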