Changeset 93256 in vbox

Timestamp:

Jan 17, 2022 12:14:27 AM (3 years ago)

Author:

vboxsync

Message:

/Config.kmk: Enable /GS for VBOXR3HARDENEDEXE when /guard is also enabled. bugref:10162

Location:

trunk

Files:

• Config.kmk (modified) (1 diff)
• src/VBox/HostDrivers/Support/Makefile.kmk (modified) (3 diffs)
• src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp (modified) (1 diff)

trunk/Config.kmk

@@ -6314 +6314 @@
  TEMPLATE_VBOXR3HARDENEDEXE_SDKS          = VBOX_NTDLL $(TEMPLATE_VBOXR3EXE_SDKS)
  TEMPLATE_VBOXR3HARDENEDEXE_SDKS.x86      = VBOX_WIN_INT64
- TEMPLATE_VBOXR3HARDENEDEXE_LIBS.x86      = \
-        $(PATH_TOOL_$(TEMPLATE_VBOXR3HARDENEDEXE_TOOL.win.x86)_LIB)/chkstk.obj
- TEMPLATE_VBOXR3HARDENEDEXE_CXXFLAGS      = $(filter-out -RTC% -GZ -GS,$(TEMPLATE_VBOXR3EXE_CXXFLAGS)) -GS-
- TEMPLATE_VBOXR3HARDENEDEXE_CXXFLAGS.debug= $(filter-out -RTC% -GZ -GS,$(TEMPLATE_VBOXR3EXE_CXXFLAGS.debug)) -GS- #-O2 -Oy-
- TEMPLATE_VBOXR3HARDENEDEXE_PCHFLAGS      = $(filter-out -RTC% -GZ -GS,$(TEMPLATE_VBOXR3EXE_PCHFLAGS)) -GS-
- TEMPLATE_VBOXR3HARDENEDEXE_PCHFLAGS.debug= $(filter-out -RTC% -GZ -GS,$(TEMPLATE_VBOXR3EXE_PCHFLAGS.debug)) -GS- #-O2 -Oy-
- TEMPLATE_VBOXR3HARDENEDEXE_CFLAGS        = $(filter-out -RTC% -GZ -GS,$(TEMPLATE_VBOXR3EXE_CFLAGS)) -GS-
- TEMPLATE_VBOXR3HARDENEDEXE_CFLAGS.debug  = $(filter-out -RTC% -GZ -GS,$(TEMPLATE_VBOXR3EXE_CFLAGS.debug)) -GS- -O2 -Oy-
+ ifneq ($(VBOX_VCC_LD_GUARD_CF),)
+  TEMPLATE_VBOXR3HARDENEDEXE_CXXFLAGS       = $(filter-out -RTC% -GZ,$(TEMPLATE_VBOXR3EXE_CXXFLAGS))
+  TEMPLATE_VBOXR3HARDENEDEXE_CXXFLAGS.debug = $(filter-out -RTC% -GZ,$(TEMPLATE_VBOXR3EXE_CXXFLAGS.debug)) #-O2 -Oy-
+  TEMPLATE_VBOXR3HARDENEDEXE_PCHFLAGS       = $(filter-out -RTC% -GZ,$(TEMPLATE_VBOXR3EXE_PCHFLAGS))
+  TEMPLATE_VBOXR3HARDENEDEXE_PCHFLAGS.debug = $(filter-out -RTC% -GZ,$(TEMPLATE_VBOXR3EXE_PCHFLAGS.debug)) #-O2 -Oy-
+  TEMPLATE_VBOXR3HARDENEDEXE_CFLAGS         = $(filter-out -RTC% -GZ,$(TEMPLATE_VBOXR3EXE_CFLAGS))
+  TEMPLATE_VBOXR3HARDENEDEXE_CFLAGS.debug   = $(filter-out -RTC% -GZ,$(TEMPLATE_VBOXR3EXE_CFLAGS.debug)) -O2 -Oy-
+ else
+  TEMPLATE_VBOXR3HARDENEDEXE_CXXFLAGS       = $(filter-out -RTC% -GZ -GS,$(TEMPLATE_VBOXR3EXE_CXXFLAGS)) -GS-
+  TEMPLATE_VBOXR3HARDENEDEXE_CXXFLAGS.debug = $(filter-out -RTC% -GZ -GS,$(TEMPLATE_VBOXR3EXE_CXXFLAGS.debug)) -GS- #-O2 -Oy-
+  TEMPLATE_VBOXR3HARDENEDEXE_PCHFLAGS       = $(filter-out -RTC% -GZ -GS,$(TEMPLATE_VBOXR3EXE_PCHFLAGS)) -GS-
+  TEMPLATE_VBOXR3HARDENEDEXE_PCHFLAGS.debug = $(filter-out -RTC% -GZ -GS,$(TEMPLATE_VBOXR3EXE_PCHFLAGS.debug)) -GS- #-O2 -Oy-
+  TEMPLATE_VBOXR3HARDENEDEXE_CFLAGS         = $(filter-out -RTC% -GZ -GS,$(TEMPLATE_VBOXR3EXE_CFLAGS)) -GS-
+  TEMPLATE_VBOXR3HARDENEDEXE_CFLAGS.debug   = $(filter-out -RTC% -GZ -GS,$(TEMPLATE_VBOXR3EXE_CFLAGS.debug)) -GS- -O2 -Oy-
+ endif
  TEMPLATE_VBOXR3HARDENEDEXE_LDFLAGS       = $(TEMPLATE_VBOXR3EXE_LDFLAGS) \
         /DISALLOWLIB:msvcrt$(VBOX_VCC_CRT_TYPE).lib \

trunk/src/VBox/HostDrivers/Support/Makefile.kmk

@@ -438 +438 @@
   ifneq ($(VBOX_VCC_LD_GUARD_CF),)
    SUPR3HardenedStatic_SOURCES.win += \
+        $(SUPR3HardenedStatic_0_OUTDIR)/loadcfg.obj
+   # These are for the /guard option.
+   SUPR3HardenedStatic_SOURCES.win += \
         $(SUPR3HardenedStatic_0_OUTDIR)/loadcfg.obj \
         $(SUPR3HardenedStatic_0_OUTDIR)/gs_cookie.obj \
@@ -443 +446 @@
         $(SUPR3HardenedStatic_0_OUTDIR)/guard_dispatch.obj \
         $(SUPR3HardenedStatic_0_OUTDIR)/guard_xfg_dispatch.obj
+   # These next ones are for supporting the /GS option.  We skip gs_report.obj as it
+   # import lots from kernel32 and we're better of reporting the problem ourselves.
+   SUPR3HardenedStatic_SOURCES.win += \
+        $(SUPR3HardenedStatic_0_OUTDIR)/amdsecgs.obj \
+        $(SUPR3HardenedStatic_0_OUTDIR)/gshandler.obj
 
 $$(SUPR3HardenedStatic_0_OUTDIR)/loadcfg.obj \
@@ -449 +457 @@
 $$(SUPR3HardenedStatic_0_OUTDIR)/guard_dispatch.obj \
 $$(SUPR3HardenedStatic_0_OUTDIR)/guard_xfg_dispatch.obj \
+$$(SUPR3HardenedStatic_0_OUTDIR)/amdsecgs.obj \
+$$(SUPR3HardenedStatic_0_OUTDIR)/gs_report.obj \
+$$(SUPR3HardenedStatic_0_OUTDIR)/gshandler.obj \
         : \
                 $(PATH_TOOL_$(VBOX_VCC_TOOL)_LIB)/libcmt.lib | $$(dir $$@)

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

@@ -485 +485 @@
 }
 
+
+/**
+ * Called when there is some /GS (or maybe /RTCsu) related stack problem.
+ *
+ * We don't want the CRT version living in gshandle.obj, as it uses a lot of
+ * kernel32 imports, we want to report this error ourselves.
+ */
+extern "C" __declspec(noreturn guard(nosspro) guard(nossepi))
+void __cdecl __report_rangecheckfailure(void)
+{
+    supR3HardenedFatal("__report_rangecheckfailure called from %p", ASMReturnAddress());
+}
+
+
+/**
+ * Called when there is some /GS problem has been detected.
+ *
+ * We don't want the CRT version living in gshandle.obj, as it uses a lot of
+ * kernel32 imports, we want to report this error ourselves.
+ */
+extern "C" __declspec(noreturn guard(nosspro) guard(nossepi))
+#ifdef RT_ARCH_X86
+void __cdecl __report_gsfailure(void)
+#else
+void __report_gsfailure(uintptr_t uCookie)
+#endif
+{
+#ifdef RT_ARCH_X86
+    supR3HardenedFatal("__report_gsfailure called from %p", ASMReturnAddress());
+#else
+    supR3HardenedFatal("__report_gsfailure called from %p, cookie=%p", ASMReturnAddress(), uCookie);
+#endif
+}