Return stack support

Author: pzieris

debug/Versions

@@ -48,6 +48,7 @@ libc {
   }
   GLIBC_2.11 {
     __longjmp_chk;
+    __safe_longjmp_chk;
   }
   GLIBC_2.15 {
     __fdelt_chk; __fdelt_warn;

debug/longjmp_chk.c

@@ -20,4 +20,9 @@
 #define __longjmp ____longjmp_chk
 #define __libc_siglongjmp __longjmp_chk
 
+#ifdef WITH_RETURN_STACK_SUPPORT
+#define __safe_longjmp ____safe_longjmp_chk
+#define __libc_safe_siglongjmp __safe_longjmp_chk
+#endif
+
 #include <setjmp/longjmp.c>

include/setjmp.h

@@ -7,9 +7,17 @@
 /* Internal machine-dependent function to restore context sans signal mask.  */
 extern void __longjmp (__jmp_buf __env, int __val)
      __attribute__ ((__noreturn__)) attribute_hidden;
+#ifdef WITH_RETURN_STACK_SUPPORT
+extern void __safe_longjmp (__jmp_buf __env, int __val)
+     __attribute__ ((__noreturn__)) attribute_hidden;
+#endif
 
 extern void ____longjmp_chk (__jmp_buf __env, int __val)
      __attribute__ ((__noreturn__)) attribute_hidden;
+#ifdef WITH_RETURN_STACK_SUPPORT
+extern void ____safe_longjmp_chk (__jmp_buf __env, int __val)
+     __attribute__ ((__noreturn__));
+#endif
 
 /* Internal function to possibly save the current mask of blocked signals
    in ENV, and always set the flag saying whether or not it was saved.
@@ -21,12 +29,25 @@ extern void _longjmp_unwind (jmp_buf env, int val);
 
 extern void __libc_siglongjmp (sigjmp_buf env, int val)
 	  __attribute__ ((noreturn));
+#ifdef WITH_RETURN_STACK_SUPPORT
+extern void __libc_safe_siglongjmp (sigjmp_buf env, int val)
+	  __attribute__ ((noreturn));
+#endif
 extern void __libc_longjmp (sigjmp_buf env, int val)
      __attribute__ ((noreturn));
 libc_hidden_proto (__libc_longjmp)
+#ifdef WITH_RETURN_STACK_SUPPORT
+extern void __libc_safe_longjmp (sigjmp_buf env, int val)
+     __attribute__ ((noreturn));
+libc_hidden_proto (__libc_safe_longjmp)
+#endif
 
 libc_hidden_proto (_setjmp)
 libc_hidden_proto (__sigsetjmp)
+#ifdef WITH_RETURN_STACK_SUPPORT
+libc_hidden_proto (_safe_setjmp)
+libc_hidden_proto (__safe_sigsetjmp)
+#endif
 
 # if IS_IN (rtld) && !defined NO_RTLD_HIDDEN
 extern __typeof (__sigsetjmp) __sigsetjmp attribute_hidden;

setjmp/Versions

@@ -2,12 +2,15 @@ libc {
   GLIBC_2.0 {
     # functions with special/multiple interfaces
     _longjmp; __sigsetjmp; _setjmp;
+    _safe_longjmp; __safe_sigsetjmp; _safe_setjmp;
 
     # l*
     longjmp;
+    safe_longjmp;
 
     # s*
     setjmp;
+    safe_setjmp;
   }
   GLIBC_PRIVATE {
     # helper functions

setjmp/longjmp.c

@@ -39,10 +39,35 @@ __libc_siglongjmp (sigjmp_buf env, int val)
   __longjmp (env[0].__jmpbuf, val ?: 1);
 }
 
+#ifdef WITH_RETURN_STACK_SUPPORT
+void
+__libc_safe_siglongjmp (sigjmp_buf env, int val)
+{
+  /* Perform any cleanups needed by the frames being unwound.  */
+  _longjmp_unwind (env, val);
+
+  if (env[0].__mask_was_saved)
+    /* Restore the saved signal mask.  */
+    (void) __sigprocmask (SIG_SETMASK, &env[0].__saved_mask,
+			  (sigset_t *) NULL);
+
+  /* Call the safe version of longjmp to restore the machine state.  */
+  __safe_longjmp (env[0].__jmpbuf, val ?: 1);
+}
+#endif
+
 #ifndef __libc_siglongjmp
 strong_alias (__libc_siglongjmp, __libc_longjmp)
 libc_hidden_def (__libc_longjmp)
+# ifdef WITH_RETURN_STACK_SUPPORT
+strong_alias (__libc_safe_siglongjmp, __libc_safe_longjmp)
+# endif
 weak_alias (__libc_siglongjmp, _longjmp)
 weak_alias (__libc_siglongjmp, longjmp)
 weak_alias (__libc_siglongjmp, siglongjmp)
+# ifdef WITH_RETURN_STACK_SUPPORT
+weak_alias (__libc_safe_siglongjmp, _safe_longjmp)
+weak_alias (__libc_safe_siglongjmp, safe_longjmp)
+weak_alias (__libc_safe_siglongjmp, safe_siglongjmp)
+# endif
 #endif

setjmp/setjmp.c

@@ -33,3 +33,7 @@ __libc_sigsetjmp (jmp_buf env, int savemask)
 
 weak_alias (__libc_sigsetjmp, __sigsetjmp)
 stub_warning (__sigsetjmp)
+#ifdef WITH_RETURN_STACK_SUPPORT
+weak_alias (__libc_sigsetjmp, __safe_sigsetjmp)
+stub_warning (__safe_sigsetjmp)
+#endif

setjmp/setjmp.h

@@ -48,31 +48,66 @@ typedef struct __jmp_buf_tag jmp_buf[1];
    Return 0.  */
 extern int setjmp (jmp_buf __env) __THROWNL;
 
+#ifdef WITH_RETURN_STACK_SUPPORT
+/* Safe version of `setjmp'.  Instead of the return stack pointer,
+   saves the marker into ENV.  */
+extern int safe_setjmp (jmp_buf __env) __THROWNL;
+#endif
+
 /* Store the calling environment in ENV, also saving the
    signal mask if SAVEMASK is nonzero.  Return 0.
    This is the internal name for `sigsetjmp'.  */
 extern int __sigsetjmp (struct __jmp_buf_tag __env[1], int __savemask) __THROWNL;
 
+#ifdef WITH_RETURN_STACK_SUPPORT
+/* Safe version of `__sigsetjmp'.  Instead of the return stack pointer,
+   saves the marker into ENV.  */
+extern int __safe_sigsetjmp (struct __jmp_buf_tag __env[1], int __savemask) __THROWNL;
+#endif
+
 /* Store the calling environment in ENV, not saving the signal mask.
    Return 0.  */
 extern int _setjmp (struct __jmp_buf_tag __env[1]) __THROWNL;
 
+#ifdef WITH_RETURN_STACK_SUPPORT
+/* Safe version of `_setjmp'.  Instead of the return stack pointer,
+   saves the marker into ENV.  */
+extern int _safe_setjmp (struct __jmp_buf_tag __env[1]) __THROWNL;
+#endif
+
 /* Do not save the signal mask.  This is equivalent to the `_setjmp'
    BSD function.  */
 #define setjmp(env)	_setjmp (env)
+#ifdef WITH_RETURN_STACK_SUPPORT
+# define safe_setjmp(env) _safe_setjmp (env)
+#endif
 
 
 /* Jump to the environment saved in ENV, making the
    `setjmp' call there return VAL, or 1 if VAL is 0.  */
 extern void longjmp (struct __jmp_buf_tag __env[1], int __val)
      __THROWNL __attribute__ ((__noreturn__));
 
+#ifdef WITH_RETURN_STACK_SUPPORT
+/* Safe version of `longjmp'.  Restores the return stack pointer by
+   unwinding the return stack until the marker is reached.  */
+extern void safe_longjmp (struct __jmp_buf_tag __env[1], int __val)
+     __THROWNL __attribute__ ((__noreturn__));
+#endif
+
 #if defined __USE_MISC || defined __USE_XOPEN
 /* Same.  Usually `_longjmp' is used with `_setjmp', which does not save
    the signal mask.  But it is how ENV was saved that determines whether
    `longjmp' restores the mask; `_longjmp' is just an alias.  */
 extern void _longjmp (struct __jmp_buf_tag __env[1], int __val)
      __THROWNL __attribute__ ((__noreturn__));
+
+# ifdef WITH_RETURN_STACK_SUPPORT
+/* Safe version of `_longjmp'.  Restores the return stack pointer by
+   unwinding the return stack until the marker is reached.  */
+extern void _safe_longjmp (struct __jmp_buf_tag __env[1], int __val)
+     __THROWNL __attribute__ ((__noreturn__));
+# endif
 #endif
 
 
@@ -86,12 +121,26 @@ typedef struct __jmp_buf_tag sigjmp_buf[1];
    signal mask if SAVEMASK is nonzero.  Return 0.  */
 # define sigsetjmp(env, savemask)	__sigsetjmp (env, savemask)
 
+# ifdef WITH_RETURN_STACK_SUPPORT
+/* Safe version of `sigsetjmp'.  Identical to `sigsetjmp', but instead
+   of the return stack pointer, saves the marker into ENV.  */
+#  define safe_sigsetjmp(env, savemask) __safe_sigsetjmp (env, savemask)
+# endif
+
 /* Jump to the environment saved in ENV, making the
    sigsetjmp call there return VAL, or 1 if VAL is 0.
    Restore the signal mask if that sigsetjmp call saved it.
    This is just an alias `longjmp'.  */
 extern void siglongjmp (sigjmp_buf __env, int __val)
      __THROWNL __attribute__ ((__noreturn__));
+
+# ifdef WITH_RETURN_STACK_SUPPORT
+/* Safe version of `siglongjmp'.  Identical to `siglongjmp', but
+   restores the return stack pointer by unwinding the return stack
+   until the marker is reached.  */
+extern void safe_siglongjmp (sigjmp_buf __env, int __val)
+     __THROWNL __attribute__ ((__noreturn__));
+# endif
 #endif /* Use POSIX.  */
 
 

signal/Versions

@@ -28,6 +28,7 @@ libc {
     sigaction; sigaddset; sigaltstack; sigandset; sigblock; sigdelset;
     sigemptyset; sigfillset; siggetmask; siginterrupt; sigisemptyset;
     sigismember; siglongjmp; signal; sigorset; sigpause; sigpending;
+    safe_siglongjmp;
     sigprocmask; sigreturn; sigsetmask; sigstack; sigsuspend; sigvec;
     sigwait; ssignal;
   }

sysdeps/aarch64/Makefile

@@ -12,3 +12,13 @@ endif
 ifeq ($(subdir),gmon)
 CFLAGS-mcount.c += -mgeneral-regs-only
 endif
+
+ifeq ($(subdir),debug)
+defines += -DWITH_RETURN_STACK_SUPPORT
+sysdep_routines += ____safe_longjmp_chk
+endif
+
+ifeq ($(subdir),setjmp)
+defines += -DWITH_RETURN_STACK_SUPPORT
+sysdep_routines += safe_setjmp __safe_longjmp
+endif

sysdeps/aarch64/__safe_longjmp.S

@@ -0,0 +1,129 @@
+/* Return stack-safe version of longjmp for ARM64.
+
+   Copyright (C) 1997-2018 Free Software Foundation, Inc.
+
+   Return stack support added by
+   Philipp Zieris <[email protected]>
+   Copyright (C) 2018 Fraunhofer AISEC.
+
+   This program is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public License as
+   published by the Free Software Foundation; either version 2.1 of the
+   License, or (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library.  If not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <sysdep.h>
+#include <jmpbuf-offsets.h>
+#include <stap-probe.h>
+
+/* Safe version of __longjmp.  Restores the return stack pointer
+   by unwinding the return stack until the marker is reached.
+   __safe_longjmp(jmpbuf, val) */
+
+ENTRY (__safe_longjmp)
+	cfi_def_cfa(x0, 0)
+	cfi_offset(x19, JB_X19<<3)
+	cfi_offset(x20, JB_X20<<3)
+	cfi_offset(x21, JB_X21<<3)
+	cfi_offset(x22, JB_X22<<3)
+	cfi_offset(x23, JB_X23<<3)
+	cfi_offset(x24, JB_X24<<3)
+	cfi_offset(x25, JB_X25<<3)
+	cfi_offset(x26, JB_X26<<3)
+	cfi_offset(x27, JB_X27<<3)
+	cfi_offset(x29, JB_X29<<3)
+	cfi_offset(x30, JB_LR<<3)
+
+	cfi_offset( d8, JB_D8<<3)
+	cfi_offset( d9, JB_D9<<3)
+	cfi_offset(d10, JB_D10<<3)
+	cfi_offset(d11, JB_D11<<3)
+	cfi_offset(d12, JB_D12<<3)
+	cfi_offset(d13, JB_D13<<3)
+	cfi_offset(d14, JB_D14<<3)
+	cfi_offset(d15, JB_D15<<3)
+
+	DELOUSE (0)
+
+	ldp	x19, x20, [x0, #JB_X19<<3]
+	ldp	x21, x22, [x0, #JB_X21<<3]
+	ldp	x23, x24, [x0, #JB_X23<<3]
+	ldp	x25, x26, [x0, #JB_X25<<3]
+	ldr	x27, [x0, #JB_X27<<3]
+#ifdef PTR_DEMANGLE
+	ldp	x29,  x4, [x0, #JB_X29<<3]
+	PTR_DEMANGLE (30, 4, 3, 2)
+#else
+	ldp	x29, x30, [x0, #JB_X29<<3]
+#endif
+	/* longjmp probe takes 3 arguments, address of jump buffer as
+	   first argument (8@x0), return value as second argument (-4@x1),
+	   and target address (8@x30), respectively.  */
+	LIBC_PROBE (longjmp, 3, 8@x0, -4@x1, 8@x30)
+	ldp	 d8,  d9, [x0, #JB_D8<<3]
+	ldp	d10, d11, [x0, #JB_D10<<3]
+	ldp	d12, d13, [x0, #JB_D12<<3]
+	ldp	d14, d15, [x0, #JB_D14<<3]
+
+        /* Originally this was implemented with a series of
+	   .cfi_restore() directives.
+
+           The theory was that cfi_restore should revert to previous
+           frame value is the same as the current value.  In practice
+           this doesn't work, even after cfi_restore() gdb continues
+           to try to recover a previous frame value offset from x0,
+           which gets stuffed after a few more instructions.  The
+           cfi_same_value() mechanism appears to work fine.  */
+
+	cfi_same_value(x19)
+	cfi_same_value(x20)
+	cfi_same_value(x21)
+	cfi_same_value(x22)
+	cfi_same_value(x23)
+	cfi_same_value(x24)
+	cfi_same_value(x25)
+	cfi_same_value(x26)
+	cfi_same_value(x27)
+	cfi_same_value(x29)
+	cfi_same_value(x30)
+	cfi_same_value(d8)
+	cfi_same_value(d9)
+	cfi_same_value(d10)
+	cfi_same_value(d11)
+	cfi_same_value(d12)
+	cfi_same_value(d13)
+	cfi_same_value(d14)
+	cfi_same_value(d15)
+#ifdef PTR_DEMANGLE
+	ldr	x4, [x0, #JB_SP<<3]
+	PTR_DEMANGLE (5, 4, 3, 2)
+#else
+	ldr	x5, [x0, #JB_SP<<3]
+#endif
+	mov	sp, x5
+  /* Unwind return stack.  */
+  ldr x4, [x0, #JB_MARKER<<3]
+.Lrs_unwind:
+  ldr x5, [x28, #-8]!
+  cmp x4, x5
+  bne .Lrs_unwind
+  add x28, x28, #8
+
+	/* longjmp_target probe takes 3 arguments, address of jump buffer
+	   as first argument (8@x0), return value as second argument (-4@x1),
+	   and target address (8@x30), respectively.  */
+	LIBC_PROBE (longjmp_target, 3, 8@x0, -4@x1, 8@x30)
+	cmp	x1, #0
+	mov	x0, #1
+	csel	x0, x1, x0, ne
+	/* Use br instead of ret because ret is guaranteed to mispredict */
+	br	x30
+END (__safe_longjmp)

sysdeps/aarch64/jmpbuf-offsets.h

@@ -26,6 +26,9 @@
 #define JB_X26            7
 #define JB_X27            8
 #define JB_X28            9
+/* The safe versions of setjmp and longjmp don't need to save X28.  They
+   store the marker at this position instead.  */
+#define JB_MARKER         9
 #define JB_X29           10
 #define JB_LR            11
 #define JB_SP		 13