Fix return address hijack in probing loop (#28119)

When return address hijacking occurs when the target thread is running in the stack probing loop in a method with large frame, the unwinder cannot unwind to the caller frame correctly. That results in a wrong stack slot being patched by the modified return address, leading to corruption of locals of the method being executed. This change fixes the problem by not attempting to hijack a method that's running in prolog.
dotnet · Jan 15, 2021 · fa682a7 · fa682a7
1 parent 3c95aa2
commit fa682a7
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/src/vm/threadsuspend.cpp b/src/vm/threadsuspend.cpp
@@ -6727,6 +6727,17 @@ void HandleGCSuspensionForInterruptedThread(CONTEXT *interruptedContext)
 
         BOOL unused;
 
+#if defined(FEATURE_PAL) && (defined(_TARGET_AMD64_) || defined(_TARGET_X86_))
+        // Stack probing loop that JIT generates in prolog on x64 / x86 Unix for methods with
+        // large frame is not unwindable, so it is not possible to get the return address location
+        // for hijacking.
+        // This is a hotfix for release/3.1 only.
+        if (IsIPInProlog(&codeInfo) && codeInfo.GetFixedStackSize() >= 0x3000)
+        {
+            return;
+        }
+#endif // _TARGET_UNIX_ && (TARGET_AMD64 || TARGET_X86)
+
         if (IsIPInEpilog(interruptedContext, &codeInfo, &unused))
             return;