Fix GH-9068: Conditional jump or move depends on uninitialised value(s)

nielsdos · nielsdos · commit 7227bb638b73 · 2023-01-05T09:54:12.000+01:00
See GH-9068 for analysis. This patch preserves the scratch registers of the SysV x86-64 ABI by storing them on the stack and restoring them later. We need to do this to prevent the registers of the caller from being corrupted. The reason these get corrupted is because the compiler is unaware of the Valgrind replacement function and thus makes assumptions about the original function regarding registers which are not true for the replacement function.
diff --git a/Zend/zend_string.c b/Zend/zend_string.c
@@ -372,11 +372,57 @@ ZEND_API void zend_interned_strings_switch_storage(bool request)
 # define I_REPLACE_SONAME_FNNAME_ZU(soname, fnname) _vgr00000ZU_ ## soname ## _ ## fnname
 #endif
 
-ZEND_API bool ZEND_FASTCALL I_REPLACE_SONAME_FNNAME_ZU(NONE,zend_string_equal_val)(zend_string *s1, zend_string *s2)
+#define VALGRIND_REPLACEMENT_STRING_EQUAL_VAL_MEMCMP_WRAPPER I_REPLACE_SONAME_FNNAME_ZU(NONE,zend_string_equal_val_memcmp_wrapper)
+#define VALGRIND_REPLACEMENT_STRING_EQUAL_VAL I_REPLACE_SONAME_FNNAME_ZU(NONE,zend_string_equal_val)
+#define STR1(X) #X
+#define STR(X) STR1(X)
+
+bool VALGRIND_REPLACEMENT_STRING_EQUAL_VAL_MEMCMP_WRAPPER(zend_string *s1, zend_string *s2)
 {
 	return !memcmp(ZSTR_VAL(s1), ZSTR_VAL(s2), ZSTR_LEN(s1));
 }
 
+#if defined(__GNUC__) && defined(__x86_64__) && !defined(__ILP32__)
+/*
+ * See https://github.com/php/php-src/issues/9068
+ * We need to preserve the scratch registers because we cannot know what
+ * the compiler assumes to be unchanged by the original
+ * zend_string_equal_val implementation.
+ * We can safely use push and pop because we're not in leaf function.
+ * We're using a function defined using inline assembly so that the compiler does not
+ * mess with our store and restore procedure.
+ */
+__asm__ (
+	".globl " STR(VALGRIND_REPLACEMENT_STRING_EQUAL_VAL) "\n\t"
+	".type " STR(VALGRIND_REPLACEMENT_STRING_EQUAL_VAL) ", @function\n\t"
+	STR(VALGRIND_REPLACEMENT_STRING_EQUAL_VAL) ":\n\t"
+	"pushq %rdi\n\t"
+	"pushq %rsi\n\t"
+	"pushq %rdx\n\t"
+	"pushq %rcx\n\t"
+	"pushq %r8\n\t"
+	"pushq %r9\n\t"
+	"pushq %r10\n\t"
+	"pushq %r11\n\t"
+	"callq " STR(VALGRIND_REPLACEMENT_STRING_EQUAL_VAL_MEMCMP_WRAPPER) "\n\t"
+	"popq %r11\n\t"
+	"popq %r10\n\t"
+	"popq %r9\n\t"
+	"popq %r8\n\t"
+	"popq %rcx\n\t"
+	"popq %rdx\n\t"
+	"popq %rsi\n\t"
+	"popq %rdi\n\t"
+	"ret\n\t"
+	".size " STR(VALGRIND_REPLACEMENT_STRING_EQUAL_VAL) ", .-" STR(VALGRIND_REPLACEMENT_STRING_EQUAL_VAL) "\n\t"
+);
+#else
+ZEND_API bool ZEND_FASTCALL VALGRIND_REPLACEMENT_STRING_EQUAL_VAL(zend_string *s1, zend_string *s2)
+{
+	return VALGRIND_REPLACEMENT_STRING_EQUAL_VAL_MEMCMP_WRAPPER(s1, s2);
+}
+#endif
+
 #if defined(__GNUC__) && defined(__i386__)
 ZEND_API bool ZEND_FASTCALL zend_string_equal_val(zend_string *s1, zend_string *s2)
 {
