|
| 1 | +// Copyright 2017 The Rust Project Developers. See the COPYRIGHT |
| 2 | +// file at the top-level directory of this distribution and at |
| 3 | +// http://rust-lang.org/COPYRIGHT. |
| 4 | +// |
| 5 | +// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or |
| 6 | +// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license |
| 7 | +// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your |
| 8 | +// option. This file may not be copied, modified, or distributed |
| 9 | +// except according to those terms. |
| 10 | + |
| 11 | +//! This module defines the `__rust_probestack` intrinsic which is used in the |
| 12 | +//! implementation of "stack probes" on certain platforms. |
| 13 | +//! |
| 14 | +//! The purpose of a stack probe is to provide a static guarantee that if a |
| 15 | +//! thread has a guard page then a stack overflow is guaranteed to hit that |
| 16 | +//! guard page. If a function did not have a stack probe then there's a risk of |
| 17 | +//! having a stack frame *larger* than the guard page, so a function call could |
| 18 | +//! skip over the guard page entirely and then later hit maybe the heap or |
| 19 | +//! another thread, possibly leading to security vulnerabilities such as [The |
| 20 | +//! Stack Clash], for example. |
| 21 | +//! |
| 22 | +//! [The Stack Clash]: https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash |
| 23 | +//! |
| 24 | +//! The `__rust_probestack` is called in the prologue of functions whose stack |
| 25 | +//! size is larger than the guard page, for example larger than 4096 bytes on |
| 26 | +//! x86. This function is then responsible for "touching" all pages relevant to |
| 27 | +//! the stack to ensure that that if any of them are the guard page we'll hit |
| 28 | +//! them guaranteed. |
| 29 | +//! |
| 30 | +//! The precise ABI for how this function operates is defined by LLVM. There's |
| 31 | +//! no real documentation as to what this is, so you'd basically need to read |
| 32 | +//! the LLVM source code for reference. Often though the test cases can be |
| 33 | +//! illuminating as to the ABI that's generated, or just looking at the output |
| 34 | +//! of `llc`. |
| 35 | +//! |
| 36 | +//! Note that `#[naked]` is typically used here for the stack probe because the |
| 37 | +//! ABI corresponds to no actual ABI. |
| 38 | +//! |
| 39 | +//! Finally it's worth noting that at the time of this writing LLVM only has |
| 40 | +//! support for stack probes on x86 and x86_64. There's no support for stack |
| 41 | +//! probes on any other architecture like ARM or PowerPC64. LLVM I'm sure would |
| 42 | +//! be more than welcome to accept such a change! |
| 43 | +
|
| 44 | +#![cfg(not(windows))] // Windows already has builtins to do this |
| 45 | + |
| 46 | +use core::intrinsics; |
| 47 | + |
| 48 | +#[naked] |
| 49 | +#[no_mangle] |
| 50 | +#[cfg(target_arch = "x86_64")] |
| 51 | +pub unsafe extern fn __rust_probestack() { |
| 52 | + // Our goal here is to touch each page between %rsp+8 and %rsp+8-%rax, |
| 53 | + // ensuring that if any pages are unmapped we'll make a page fault. |
| 54 | + // |
| 55 | + // The ABI here is that the stack frame size is located in `%eax`. Upon |
| 56 | + // return we're not supposed to modify `%esp` or `%eax`. |
| 57 | + asm!(" |
| 58 | + lea 8(%rsp),%r11 // rsp before calling this routine -> r11 |
| 59 | +
|
| 60 | + // Main loop, taken in one page increments. We're decrementing r11 by |
| 61 | + // a page each time until there's less than a page remaining. We're |
| 62 | + // guaranteed that this function isn't called unless there's more than a |
| 63 | + // page needed |
| 64 | + 2: |
| 65 | + sub $$0x1000,%r11 |
| 66 | + test %r11,(%r11) |
| 67 | + sub $$0x1000,%rax |
| 68 | + cmp $$0x1000,%rax |
| 69 | + ja 2b |
| 70 | +
|
| 71 | + // Finish up the last remaining stack space requested, getting the last |
| 72 | + // bits out of rax |
| 73 | + sub %rax,%r11 |
| 74 | + test %r11,(%r11) |
| 75 | +
|
| 76 | + // We now know that %r11 is (%rsp + 8 - %rax) so to recover rax |
| 77 | + // we calculate (%rsp + 8) - %r11 which will give us %rax |
| 78 | + lea 8(%rsp),%rax |
| 79 | + sub %r11,%rax |
| 80 | +
|
| 81 | + ret |
| 82 | + "); |
| 83 | + intrinsics::unreachable(); |
| 84 | +} |
| 85 | + |
| 86 | +#[naked] |
| 87 | +#[no_mangle] |
| 88 | +#[cfg(target_arch = "x86")] |
| 89 | +pub unsafe extern fn __rust_probestack() { |
| 90 | + // This is the same as x86_64 above, only translated for 32-bit sizes. Note |
| 91 | + // that on Unix we're expected to restore everything as it was, this |
| 92 | + // function basically can't tamper with anything. |
| 93 | + // |
| 94 | + // The ABI here is the same as x86_64, except everything is 32-bits large. |
| 95 | + asm!(" |
| 96 | + push %ecx |
| 97 | + lea 8(%esp),%ecx |
| 98 | + 2: |
| 99 | + sub $$0x1000,%ecx |
| 100 | + test %ecx,(%ecx) |
| 101 | + sub $$0x1000,%eax |
| 102 | + cmp $$0x1000,%eax |
| 103 | + ja 2b |
| 104 | +
|
| 105 | + sub %eax,%ecx |
| 106 | + test %ecx,(%ecx) |
| 107 | +
|
| 108 | + lea 8(%esp),%eax |
| 109 | + sub %ecx,%eax |
| 110 | + pop %ecx |
| 111 | + ret |
| 112 | + "); |
| 113 | + intrinsics::unreachable(); |
| 114 | +} |
0 commit comments