Fix decl shrd bug

zyedidia · Nov 29, 2024 · 16d7183 · 16d7183
1 parent 2d45d4d
commit 16d7183
Show file tree

Hide file tree

Showing 9 changed files with 43 additions and 36 deletions.
diff --git a/lfi-leg/amd64/branch.leg b/lfi-leg/amd64/branch.leg
@@ -13,21 +13,15 @@
 Top = Branch | BranchMem | BranchMemSafe | CallTLS | CallInd | CallIndMem | CallIndMemSafe | Call | Ret
 
 CallInd = 'call' 'q'? SEP '*' r:XREG {
-    if (args.poc) {
+    if (!args.poc) {
         mkdirective(".bundle_lock");
         bundle_mask(r.val);
         mkinsn("callq *%s", r.val);
         mkdirective(".bundle_unlock");
         mkdirective(bundle_align());
         mkfuncret();
     } else {
-        // we use r11 here so that we get consistent instruction sizes, so that the nop
-        // has the correct size to align the call to the end of the bundle. In theory,
-        // we could make two CallInds -- one for registers that require a REX prefix and
-        // one for ones that don't.
         mkinsn("movq %s, %%r11", r.val);
-        if (args.bundlecall)
-            mkdirective(bundle_align());
         mkdirective(".bundle_lock");
         bundle_mask("%r11");
         bundle_nop_indcall();
@@ -128,10 +122,18 @@ BranchMemSafe = j:JMP - '*' a:Addr {
 }
 
 Branch = j:JMP '*' r:XREG {
-    mkdirective(".bundle_lock");
-    bundle_mask(r.val);
-    mkinsn("%s *%s", j.val, r.val);
-    mkdirective(".bundle_unlock");
+    if (!args.poc) {
+        mkdirective(".bundle_lock");
+        bundle_mask(r.val);
+        mkinsn("%s *%s", j.val, r.val);
+        mkdirective(".bundle_unlock");
+    } else {
+        mkinsn("movq %s, %%r11", r.val);
+        mkdirective(".bundle_lock");
+        bundle_mask("%r11");
+        mkinsn("%s *%%r11", j.val);
+        mkdirective(".bundle_unlock");
+    }
     rfree(j); rfree(r);
 }
 

diff --git a/lfi-leg/amd64/common.leg b/lfi-leg/amd64/common.leg
@@ -14,7 +14,7 @@ REMAINDER = < (!(EOL | ';') .)* > { $$ = (Result) { .val = strndup(yytext, yylen
 
 IMM = < IMM_RAW > - { $$ = (Result) { .val = strndup(yytext, yyleng) } }
 
-IMM_VAR = < ([-+a-zA-Z0-9_.@]+ | BALANCED_RAW) > { $$ = (Result) { .val = strndup(yytext, yyleng) } }
+IMM_VAR = < ([-+a-zA-Z0-9_.@$]+ | BALANCED_RAW) > { $$ = (Result) { .val = strndup(yytext, yyleng) } }
 
 NUM = < (('0x' [0-9a-fA-F]+) | [0-9]+) > - {
     $$ = (Result) { .val = strndup(yytext, yyleng) };

diff --git a/lfi-leg/amd64/decl.leg b/lfi-leg/amd64/decl.leg
@@ -15,30 +15,34 @@ Top = ShiftInsn | BsInsn
 
 ShiftInsn = (
     (s:ShiftQ SEP '%cl' - COMMA x1:REG COMMA x2:REG) {
-        mkdirective(".bundle_lock");
-        mkinsn("andb $0x3f, %%cl");
+        // Impossible to overflow in this case due to CPU's automatic mask
         mkinsn("%s %%cl, %s, %s", s.val, x1.val, x2.val);
-        mkdirective(".bundle_unlock");
         rfree(x1); rfree(x2);
     }
     | (s:ShiftL SEP '%cl' - COMMA x1:REG COMMA x2:REG) {
         mkdirective(".bundle_lock");
+        mkinsn("movq %%rcx, %%r11");
         mkinsn("andb $0x1f, %%cl");
         mkinsn("%s %%cl, %s, %s", s.val, x1.val, x2.val);
+        mkinsn("movq %%r11, %%rcx");
         mkdirective(".bundle_unlock");
         rfree(x1); rfree(x2);
     }
     | (s:ShiftW SEP '%cl' - COMMA x1:REG COMMA x2:REG) {
         mkdirective(".bundle_lock");
+        mkinsn("movq %%rcx, %%r11");
         mkinsn("andb $0xf, %%cl");
         mkinsn("%s %%cl, %s, %s", s.val, x1.val, x2.val);
+        mkinsn("movq %%r11, %%rcx");
         mkdirective(".bundle_unlock");
         rfree(x1); rfree(x2);
     }
     | (s:ShiftB SEP '%cl' - COMMA x1:REG COMMA x2:REG) {
         mkdirective(".bundle_lock");
+        mkinsn("movq %%rcx, %%r11");
         mkinsn("andb $0x7, %%cl");
         mkinsn("%s %%cl, %s, %s", s.val, x1.val, x2.val);
+        mkinsn("movq %%r11, %%rcx");
         mkdirective(".bundle_unlock");
         rfree(x1); rfree(x2);
     }

diff --git a/lfi-leg/test/amd64/branch.s b/lfi-leg/test/amd64/branch.s
@@ -1,11 +1,10 @@
 call *%rax
 >>>
 .bundle_align_mode 5
-movq %rax, %r11
 .bundle_lock
-andl $0xffffffe0, %r11d
-orq %r14, %r11
-callq *%r11
+andl $0xffffffe0, %eax
+orq %r14, %rax
+callq *%rax
 .bundle_unlock
 .p2align 5
 ------

diff --git a/lfi-leg/test/amd64/bundle16.s b/lfi-leg/test/amd64/bundle16.s
@@ -1,11 +1,10 @@
 call *%rax
 >>>
 .bundle_align_mode 4
-movq %rax, %r11
 .bundle_lock
-andl $0xfffffff0, %r11d
-orq %r14, %r11
-callq *%r11
+andl $0xfffffff0, %eax
+orq %r14, %rax
+callq *%rax
 .bundle_unlock
 .p2align 4
 ------

diff --git a/lfi-leg/test/amd64/bundlejumps.s b/lfi-leg/test/amd64/bundlejumps.s
@@ -1,10 +1,9 @@
 call *%rax
 >>>
 .bundle_align_mode 5
-movq %rax, %r11
 .bundle_lock
-andq $0xffffffffffffffe0, %r11
-callq *%r11
+andq $0xffffffffffffffe0, %rax
+callq *%rax
 .bundle_unlock
 .p2align 5
 ------

diff --git a/lfi-leg/test/amd64/decl.s b/lfi-leg/test/amd64/decl.s
@@ -1,17 +1,16 @@
 shrdq %cl, %rdi, %rax
 >>>
 .bundle_align_mode 5
-.bundle_lock
-andb $0x3f, %cl
 shrdq %cl, %rdi, %rax
-.bundle_unlock
 ------
 shrdl %cl, %edi, %eax
 >>>
 .bundle_align_mode 5
 .bundle_lock
+movq %rcx, %r11
 andb $0x1f, %cl
 shrdl %cl, %edi, %eax
+movq %r11, %rcx
 .bundle_unlock
 ------
 callq *(%rax)

diff --git a/lfi-leg/test/amd64/ldst.s b/lfi-leg/test/amd64/ldst.s
@@ -111,3 +111,8 @@ vextracti128 $0x1, %ymm12, -736(%rbp)
 >>>
 .bundle_align_mode 5
 vextracti128 $0x1, %ymm12, %gs:-736(%ebp)
+------
+movaps %xmm0, _ZN3std3sys3pal4unix14stack_overflow3imp5GUARD29_$u7b$$u7b$constant$u7d$$u7d$28_$u7b$$u7b$closure$u7d$$u7d$3VAL17h5082f51ad7913d78E@TPOFF(%rax)
+>>>
+.bundle_align_mode 5
+movaps %xmm0, %gs:_ZN3std3sys3pal4unix14stack_overflow3imp5GUARD29_$u7b$$u7b$constant$u7d$$u7d$28_$u7b$$u7b$closure$u7d$$u7d$3VAL17h5082f51ad7913d78E@TPOFF(%eax)
diff --git a/lfi-leg/test/amd64/poc.s b/lfi-leg/test/amd64/poc.s
@@ -10,14 +10,14 @@ jmp foo
 callq *%rax
 >>>
 .bundle_align_mode 5
+movq %rax, %r11
 .bundle_lock
-andl $0xffffffe0, %eax
-orq %r14, %rax
-.bundle_lock
-leal 1023f(%rip), %r11d
-pushq %r11
-.bundle_unlock
-jmpq *%rax
+andl $0xffffffe0, %r11d
+orq %r14, %r11
+pushq %rax
+leal 1023f(%rip), %eax
+xchg %rax, (%rsp)
+jmpq *%r11
 .bundle_unlock
 .p2align 5
 1023: