Check what happens if we fail to setup the gcs

DavidSpickett · DavidSpickett · commit 3436294db831 · 2025-01-27T12:40:57.000Z
diff --git a/lldb/source/Plugins/ABI/AArch64/ABISysV_arm64.cpp b/lldb/source/Plugins/ABI/AArch64/ABISysV_arm64.cpp
@@ -101,14 +101,21 @@ static Status PushToLinuxGuardedControlStack(addr_t return_addr,
   Status error;
   size_t wrote = thread.GetProcess()->WriteMemory(gcspr_el0, &return_addr,
                                                   sizeof(return_addr), error);
-  if ((wrote != sizeof(return_addr) || error.Fail()))
+  if ((wrote != sizeof(return_addr) || error.Fail())) {
+    // When PrepareTrivialCall fails, the register context is not restored,
+    // unlike when an expression fails to execute. This is arguably a bug,
+    // see https://github.com/llvm/llvm-project/issues/124269.
+    // For now we are handling this here specifically. We can assume this
+    // write will work as the one to decrement the register did.
+    reg_ctx->WriteRegisterFromUnsigned(gcspr_el0_info, gcspr_el0 + 8);
     return Status("Failed to write new Guarded Control Stack entry.");
+  }
 
   Log *log = GetLog(LLDBLog::Expressions);
   LLDB_LOGF(log,
-            "Pushed return address 0x%" PRIx64 "to Guarded Control Stack. "
+            "Pushed return address 0x%" PRIx64 " to Guarded Control Stack. "
             "gcspr_el0 was 0%" PRIx64 ", is now 0x%" PRIx64 ".",
-            return_addr, gcspr_el0 + 8, gcspr_el0);
+            return_addr, gcspr_el0 - 8, gcspr_el0);
 
   // gcspr_el0 will be restored to the original value by lldb-server after
   // the call has finished, which serves as the "pop".
@@ -143,6 +150,18 @@ bool ABISysV_arm64::PrepareTrivialCall(Thread &thread, addr_t sp,
   if (args.size() > 8)
     return false;
 
+  // Do this first, as it's got the most chance of failing (though still very
+  // low).
+  if (GetProcessSP()->GetTarget().GetArchitecture().GetTriple().isOSLinux()) {
+    Status err = PushToLinuxGuardedControlStack(return_addr, reg_ctx, thread);
+    // If we could not manage the GCS, the expression will certainly fail,
+    // and if we just carried on, that failure would be a lot more cryptic.
+    if (err.Fail()) {
+      LLDB_LOGF(log, "Failed to setup Guarded Call Stack: %s", err.AsCString());
+      return false;
+    }
+  }
+
   for (size_t i = 0; i < args.size(); ++i) {
     const RegisterInfo *reg_info = reg_ctx->GetRegisterInfo(
         eRegisterKindGeneric, LLDB_REGNUM_GENERIC_ARG1 + i);
@@ -159,16 +178,6 @@ bool ABISysV_arm64::PrepareTrivialCall(Thread &thread, addr_t sp,
           return_addr))
     return false;
 
-  if (GetProcessSP()->GetTarget().GetArchitecture().GetTriple().isOSLinux()) {
-    Status err = PushToLinuxGuardedControlStack(return_addr, reg_ctx, thread);
-    // If we could not manage the GCS, the expression will certainly fail,
-    // and if we just carried on, that failure would be a lot more cryptic.
-    if (err.Fail()) {
-      LLDB_LOGF(log, "Failed to setup Guarded Call Stack: %s", err.AsCString());
-      return false;
-    }
-  }
-
   // Set "sp" to the requested value
   if (!reg_ctx->WriteRegisterFromUnsigned(
           reg_ctx->GetRegisterInfo(eRegisterKindGeneric,
diff --git a/lldb/test/API/linux/aarch64/gcs/TestAArch64LinuxGCS.py b/lldb/test/API/linux/aarch64/gcs/TestAArch64LinuxGCS.py
@@ -281,12 +281,27 @@ def test_gcs_expression_simple(self):
             substrs=["stopped", "stop reason = breakpoint"],
         )
 
+        # If we fail to setup the GCS entry, we should not leave any of the GCS registers
+        # changed. The last thing we do is write a new GCS entry to memory and
+        # to simulate the failure of that, temporarily point the GCS to the zero page.
+        #
+        # We use the value 8 here because LLDB will decrement it by 8 so it points to
+        # what we think will be an empty entry on the guarded control stack.
+        _, _, original_gcspr = self.check_gcs_registers()
+        self.runCmd("register write gcspr_el0 8")
+        before = self.check_gcs_registers()
+        self.expect(expr_cmd, error=True)
+        self.check_gcs_registers(*before)
+        # Point to the valid shadow stack region again.
+        self.runCmd(f"register write gcspr_el0 {original_gcspr}")
+
         # This time we do need to push to the GCS and having done so, we can
         # return from this expression without causing a fault.
         before = self.check_gcs_registers()
         self.expect(expr_cmd, substrs=["(unsigned long) 1"])
         self.check_gcs_registers(*before)
 
+
     @skipUnlessPlatform(["linux"])
     def test_gcs_expression_disable_gcs(self):
         if not self.isAArch64GCS():
