Date: Sat, 14 Dec 2002 17:29:33 +0100 (CET)
From: Torbjorn Granlund <tege@swox.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: i386/46258: PLT code causes skewed return hint stack
Message-ID: <20021214162933.50E3D491@king.swox.se>
>Number:         46258
>Category:       i386
>Synopsis:       PLT code causes skewed return hint stack
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 14 08:30:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Torbjorn Granlund
>Release:        FreeBSD 4.7-RELEASE i386
>Organization:
Swox AB
>Environment:
System: FreeBSD king.swox.se 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Wed Nov 13 18:18:04 CET 2002 tege@king.swox.se:/usr/src/sys/compile/KING i386
>Description:

Modern x86 processors have internal return address hint stacks. To avoid
confusing them, it is important to pair calls and returns. PIC code
sometimes wants the PC value, and using a call improperly here can confuse
the return hint stack.

The FreeBSD PLT code looks to me like another example of such code.
Ideally, a jmp should be used instead for the ret to jump to the target
routine. Hmm, can we really do that, there isn't a place to store the
target address?

If using a jmp is impossible, we could live with getting one return hint
stack miss, but we don't want the entire hint stack to become skewed.

Shouldn't the code look like the following instead?

_rtld_bind_start:
        pushf                           # Save eflags
        pushl   %eax                    # Save %eax
        pushl   %edx                    # Save %edx
        pushl   %ecx                    # Save %ecx
        pushl   20(%esp)                # Copy reloff argument
        pushl   20(%esp)                # Copy obj argument

        call    _rtld_bind@PLT          # Transfer control to the binder
        /* Now %eax contains the entry point of the function being called. */

        call    1f
1:      addl    $12,%esp                # Discard binder arguments and L1 addr
        movl    %eax,20(%esp)           # Store target over obj argument
        popl    %ecx                    # Restore %ecx
        popl    %edx                    # Restore %edx
        popl    %eax                    # Restore %eax
        popf                            # Restore eflags
        leal    4(%esp),%esp            # Discard reloff, do not change eflags
        ret                             # "Return" to target address

>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
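Added example, not part of the PR and not code from FreeBSD's rtld: a small Python model of a return-address hint stack (return stack buffer), fed with a constructed CALL/RET trace that runs through the PLT binding trampoline. It replays the stock sequence (call _rtld_bind, then a bare ret to the target) and the "call 1f" sequence proposed above, and also the PIC "call 1f; 1: popl" idiom the report mentions. The buffer depth, the label names, the call chain, and the behaviour on an empty buffer are assumptions of the model, not documented behaviour of any particular CPU.

```python
"""Model of an x86 return-address hint stack (return stack buffer).

Added example, not code from the PR or from FreeBSD's rtld.  It replays a
constructed CALL/RET trace through a small predictor model and counts how
many RETs are mispredicted for the stock _rtld_bind_start sequence versus
the sequence proposed in the PR (an extra "call 1f" before the final ret).
Depth, label names and the call chain are assumptions of the model.
"""
from collections import deque

RSB_DEPTH = 16  # assumed depth; real parts differ


class ReturnStackBuffer:
    """Every CALL pushes its return address; every RET pops one as its prediction."""

    def __init__(self, depth=RSB_DEPTH):
        self.entries = deque(maxlen=depth)  # oldest entry is dropped when full
        self.log = []                       # (predicted, actual) for each RET

    def call(self, return_addr):
        self.entries.append(return_addr)

    def ret(self, actual_target):
        # Model assumption: an empty buffer yields no prediction (None).
        predicted = self.entries.pop() if self.entries else None
        self.log.append((predicted, actual_target))
        return predicted == actual_target

    @property
    def mispredicts(self):
        return sum(1 for predicted, actual in self.log if predicted != actual)


def trampoline_trace(balanced):
    """CALL/RET events for main -> f1 -> f2 -> PLT -> _rtld_bind_start -> target.

    balanced=False: the stock trampoline ends with a bare 'ret' to the target.
    balanced=True:  the PR's version runs 'call 1f; 1: addl $12,%esp' first, so
                    the final 'ret' consumes an entry that a CALL really pushed.
    """
    events = [
        ("call", "ret_to_main"),        # main calls f1
        ("call", "ret_to_f1"),          # f1 calls f2
        ("call", "ret_to_f2"),          # f2 calls target through its PLT entry
        # The PLT entry and PLT0 only push reloff/obj and jmp to
        # _rtld_bind_start, so they add nothing to the hint stack.
        ("call", "ret_to_bind_start"),  # call _rtld_bind@PLT
        ("ret", "ret_to_bind_start"),   # _rtld_bind returns normally
    ]
    if balanced:
        events.append(("call", "L1"))   # call 1f: pushes the address of label 1
    events += [
        ("ret", "target"),              # final ret: "return" into the resolved function
        ("ret", "ret_to_f2"),           # target returns to f2
        ("ret", "ret_to_f1"),           # f2 returns to f1
        ("ret", "ret_to_main"),         # f1 returns to main
    ]
    return events


def get_pc_trace():
    """The PIC 'call 1f; 1: popl %ebx' idiom for reading the PC, as mentioned in
    the PR: the CALL pushes a hint entry that no RET ever consumes.  (The model
    treats every CALL alike; it does not special-case a call to the next insn.)"""
    return [
        ("call", "ret_to_main"),   # main calls a PIC function f
        ("call", "L1"),            # f: call 1f (pushes the address of label 1)
        # 1: popl %ebx reads the pushed address but does not touch the hint stack
        ("ret", "ret_to_main"),    # f returns: the predictor offers L1 instead
        ("ret", "exit_to_crt"),    # main returns: the predictor offers ret_to_main
    ]


def simulate(events, depth=RSB_DEPTH):
    """Replay a trace; return (number of RETs, number mispredicted, per-RET log)."""
    rsb = ReturnStackBuffer(depth)
    for kind, addr in events:
        if kind == "call":
            rsb.call(addr)
        else:
            rsb.ret(addr)
    return len(rsb.log), rsb.mispredicts, list(rsb.log)


if __name__ == "__main__":
    cases = (("stock trampoline", trampoline_trace(False)),
             ("call 1f variant", trampoline_trace(True)),
             ("PIC get-PC idiom", get_pc_trace()))
    for name, trace in cases:
        rets, misses, log = simulate(trace)
        print(f"{name}: {misses} of {rets} returns mispredicted")
        for predicted, actual in log:
            mark = "ok  " if predicted == actual else "MISS"
            print(f"  {mark} predicted={predicted!s:18} actual={actual}")
```

In the model the stock sequence's final ret consumes the entry that f2's call pushed, so every later return in the chain pops the entry one below the one it needs: the whole hint stack is off by one and 4 of the 5 returns mispredict. With the extra call 1f, only the ret into the target mispredicts (1 of 5), which is the single miss the report says it can live with. The get-PC idiom skews the stack the other way, leaving one entry too many, so the function's own return and every return above it mispredict.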