VirtualBox

Ignore:
Timestamp:
May 8, 2017 9:02:34 PM (8 years ago)
Author:
vboxsync
svn:sync-xref-src-repo-rev:
115295
Message:

Support/posix: Don't clobber a register when patching relative calls but push the return address onto the stack and use an absolute jump

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/src/VBox/HostDrivers/Support/posix/SUPR3HardenedMain-posix.cpp

    r66799 r66841  
    369369
    370370    /*
    371      * Each relative call requires 9 extra bytes as it is converted to an absolute one
    372      * using two instructions (push rax + mov rax, qword + call rax + pop rax). */
    373     cbPatchMem += cRelCalls * 9;
     371     * Each relative call requires extra bytes as it is converted to two push imm32
     372     * + a jmp qword [$+8 wrt RIP] to avoid clobbering registers.
     373     */
     374    cbPatchMem += cRelCalls * RT_ALIGN_32(2 * 5 + 6 + 8, 8);
    374375    cbPatchMem += 14; /* jmp qword [$+8 wrt RIP] + 8 byte address to jump to. */
    375376    cbPatchMem = RT_ALIGN_32(cbPatchMem, 8);
     
    453454                 && (Dis.pCurInstr->fOpType & DISOPTYPE_RELATIVE_CONTROLFLOW))
    454455        {
    455             /* Convert to absolute call. */
     456            /* Convert to absolute jump. */
    456457            uintptr_t uAddr = (uintptr_t)&pbTarget[offInsn + cbInstr] + (intptr_t)Dis.Param1.uValue;
    457458
    458             *pbPatchMem++ = 0x50; /* push rax */
    459             *pbPatchMem++ = 0x48; /* mov rax, qword */
    460             *pbPatchMem++ = 0xb8;
     459            /* Skip the first two push instructions till the return address is known. */
     460            uint8_t *pbPatchMemPush = pbPatchMem;
     461            pbPatchMem += 2 * 5;
     462
     463            *pbPatchMem++ = 0xff; /* jmp qword [$+8 wrt RIP] */
     464            *pbPatchMem++ = 0x25;
     465            *(uint32_t *)pbPatchMem = (uint32_t)(RT_ALIGN_PT(pbPatchMem + 4, 8, uint8_t *) - (pbPatchMem + 4));
     466            pbPatchMem = RT_ALIGN_PT(pbPatchMem + 4, 8, uint8_t *);
    461467            *(uint64_t *)pbPatchMem = uAddr;
    462             pbPatchMem   += sizeof(uint64_t);
    463 
    464             *pbPatchMem++ = 0xff; /* call rax */
    465             *pbPatchMem++ = 0xd0;
    466             *pbPatchMem++ = 0x58; /* pop rax */
     468            pbPatchMem += sizeof(uint64_t);
     469
     470            /* Create two pushes now which will put the return address onto the stack. */
     471            uintptr_t uAddrReturn = (uintptr_t)pbPatchMem;
     472            *pbPatchMemPush++ = 0x68; /* push imm32 */
     473            *(uint32_t *)pbPatchMemPush = (uint32_t)uAddrReturn;
     474            pbPatchMemPush   += sizeof(uint32_t);
     475
     476            *pbPatchMemPush++ = 0x68; /* push imm32 */
     477            *(uint32_t *)pbPatchMemPush = (uint32_t)(uAddrReturn >> 32);
     478            pbPatchMemPush   += sizeof(uint32_t);
    467479        }
    468480        else
Note: See TracChangeset for help on using the changeset viewer.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette