From: Peter Bergner
Date: Tue, 10 Dec 2024 03:41:08 +0000 (-0500)
Subject: powerpc64le: ROP changes for the dl-trampoline functions
X-Git-Tag: glibc-2.41~383
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4d9a4c02f9327338bb8dc890d26fbbeef956ba1b;p=thirdparty%2Fglibc.git
powerpc64le: ROP changes for the dl-trampoline functions
Add ROP protection for the _dl_runtime_resolve and _dl_profile_resolve functions.
---
diff --git a/sysdeps/powerpc/powerpc64/dl-trampoline.S b/sysdeps/powerpc/powerpc64/dl-trampoline.S
index 087ef5b61c..9ec40eac5e 100644
--- a/sysdeps/powerpc/powerpc64/dl-trampoline.S
+++ b/sysdeps/powerpc/powerpc64/dl-trampoline.S
@@ -33,10 +33,8 @@
 a function that makes no calls except for __tls_get_addr and we might be here resolving the __tls_get_addr call. */
 .hidden _dl_runtime_resolve
-#define INT_PARMS FRAME_MIN_SIZE
+#define INT_PARMS FRAME_ROP_SAVE-64
 ENTRY (_dl_runtime_resolve, 4)
- stdu r1,-FRAME_SIZE(r1)
- cfi_adjust_cfa_offset (FRAME_SIZE)
 std r3,INT_PARMS+0(r1)
 mr r3,r11
 std r4,INT_PARMS+8(r1)
@@ -49,16 +47,23 @@ ENTRY (_dl_runtime_resolve, 4)
 mflr r0
 std r8,INT_PARMS+40(r1)
 /* Store the LR in the LR Save area. */
- std r0,FRAME_SIZE+FRAME_LR_SAVE(r1)
+ std r0,FRAME_LR_SAVE(r1)
 cfi_offset (lr, FRAME_LR_SAVE)
 std r9,INT_PARMS+48(r1)
 std r10,INT_PARMS+56(r1)
+#ifdef __ROP_PROTECT__
+ hashst r0,FRAME_ROP_SAVE(r1)
+#endif
+ stdu r1,-FRAME_SIZE(r1)
+ cfi_adjust_cfa_offset (FRAME_SIZE)
 bl JUMPTARGET(_dl_fixup)
 #ifndef SHARED
 nop
 #endif
+/* Unwind the stack frame, and jump. */
+ addi r1,r1,FRAME_SIZE
 /* Put the registers back. */
- ld r0,FRAME_SIZE+FRAME_LR_SAVE(r1)
+ ld r0,FRAME_LR_SAVE(r1)
 ld r10,INT_PARMS+56(r1)
 ld r9,INT_PARMS+48(r1)
 ld r8,INT_PARMS+40(r1)
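Review bot: `#define INT_PARMS FRAME_ROP_SAVE-64` turns INT_PARMS into a negative offset from the entry-time r1, so the `std r3..r10,INT_PARMS+N(r1)` stores that follow now write below the stack pointer before `stdu` has allocated the frame. That is only legal because the ABI reserves a protected zone below r1 and because this trampoline is entered straight from the PLT stub rather than from a signal context; nothing in the hunk says so, and the constraint that FRAME_ROP_SAVE-64 stays inside that zone is silent. Suggest a comment at the define, `/* Parameter save area: below the entry SP in the ABI protected zone, just under the ROP save slot; stores happen before stdu.  */`, and parenthesizing the expression, `#define INT_PARMS (FRAME_ROP_SAVE-64)`, since it is used as a displacement. _dl_runtime_resolve continues past the end of this hunk.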
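Review bot: The `addi r1,r1,FRAME_SIZE` moved to just after `bl JUMPTARGET(_dl_fixup)` pops the frame without a matching `cfi_adjust_cfa_offset (-FRAME_SIZE)`, so the register restores, the TOC reload and the new `hashchk` in the next hunk all execute with a CFA rule that is off by FRAME_SIZE, whereas in the old code only `bctr` ran in that window. A failed `hashchk` is exactly the point where a backtrace is wanted, and a stale CFA there gives the unwinder a bogus caller chain. Add `cfi_adjust_cfa_offset (-FRAME_SIZE)` right after the `addi`; the same applies to the L(restoreFXR) epilogue of _dl_profile_resolve, where `hashchk` was inserted after an unadjusted `addi`. The hashst/hashchk pair itself looks consistent: both use the entry-time r1 as base and the LR value held in r0.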
@@ -72,10 +77,11 @@ ENTRY (_dl_runtime_resolve, 4)
 ld r3,INT_PARMS+0(r1)
 #if _CALL_ELF == 2
 /* Restore the caller's TOC in case we jump to a local entry point. */
- ld r2,FRAME_SIZE+FRAME_TOC_SAVE(r1)
+ ld r2,FRAME_TOC_SAVE(r1)
+#endif
+#ifdef __ROP_PROTECT__
+ hashchk r0,FRAME_ROP_SAVE(r1)
 #endif
-/* Unwind the stack frame, and jump. */
- addi r1,r1,FRAME_SIZE
 bctr
 END(_dl_runtime_resolve)
 #undef FRAME_SIZE
@@ -106,7 +112,7 @@ END(_dl_runtime_resolve)
 +520 r4 +520 r4 +512 r3 +512 r3 return values
- +504 free
+ +504 ROP save slot
 +496 stackframe
 +488 lr
 +480 r1
@@ -168,6 +174,8 @@ END(_dl_runtime_resolve)
 #if _CALL_ELF == 2
 # define FRAME_SIZE 752
 # define VR_RTN 608
+# undef FRAME_ROP_SAVE
+# define FRAME_ROP_SAVE 504-FRAME_SIZE /* Override the default value. */
 #else
 # define FRAME_SIZE 592
 # define VR_RTN 560
@@ -217,6 +225,10 @@ ENTRY (_dl_profile_resolve, 4)
 std r6,INT_PARMS+24(r1)
 sldi r4,r4,3 /* index * 24 == PLT offset */
 mflr r5
+#ifdef __ROP_PROTECT__
+ addi r31,r1,FRAME_SIZE
+ hashst r5,FRAME_ROP_SAVE(r31)
+#endif
 std r7,INT_PARMS+32(r1)
 std r8,INT_PARMS+40(r1)
 /* Store the LR in the LR Save area. */
@@ -359,6 +371,9 @@ L(restoreFXR):
 ld r31,FRAME_SIZE-8(r1)
 ld r30,FRAME_SIZE-16(r1)
 addi r1,r1,FRAME_SIZE
+#ifdef __ROP_PROTECT__
+ hashchk r0,FRAME_ROP_SAVE(r1)
+#endif
 bctr
 
 L(do_pltexit):
@@ -389,6 +404,10 @@ L(do_pltexit):
 lvx v13,r11,r9
 L(restoreFXR2):
 ld r0,FRAME_SIZE+FRAME_LR_SAVE(r1)
+#ifdef __ROP_PROTECT__
+ addi r4,r1,FRAME_SIZE
+ hashchk r0,FRAME_ROP_SAVE(r4)
+#endif
 ld r10,INT_PARMS+56(r1)
 ld r9,INT_PARMS+48(r1)
 ld r8,INT_PARMS+40(r1)
@@ -499,6 +518,9 @@ L(pltexitreturn):
 ld r30,FRAME_SIZE-16(r1)
 mtlr r0
 ld r1,0(r1)
+#ifdef __ROP_PROTECT__
+ hashchk r0,FRAME_ROP_SAVE(r1)
+#endif
 blr
 END(_dl_profile_resolve)
 #endif
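Review bot: `# define FRAME_ROP_SAVE 504-FRAME_SIZE` is commented only as overriding the default, not why; the reader has to work out from the L(restoreFXR) restores that this frame spills r30/r31 at FRAME_SIZE-16 and FRAME_SIZE-8, and from the layout table that +504 is the free slot, which is presumably why the sysdep.h default cannot be used here. Suggest `/* The default slot would collide with this frame's r30/r31 spills; use the free +504 slot from the layout above.  */` if that is the reason, and parenthesizing the value, `(504-FRAME_SIZE)`, since it is used as a displacement. The override is made only under _CALL_ELF == 2 and no matching `# undef FRAME_ROP_SAVE` is visible next to the other undefs; harmless while _dl_profile_resolve is the last function in the file, but worth adding for symmetry with FRAME_SIZE and VR_RTN.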
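Review bot: `addi r31,r1,FRAME_SIZE` in the _dl_profile_resolve entry hunk uses the callee-saved r31 as the base for `hashst`, which is only correct if the prologue has already spilled r31 to FRAME_SIZE-8(r1), the slot L(restoreFXR) reloads it from; that spill is outside the hunk, so please confirm the order. The reason for rebuilding the entry-time SP in a register is not stated: as far as I recall, hashst/hashchk only encode a negative displacement, so the base cannot be the current r1 here, and the same pattern recurs at L(restoreFXR2) with the volatile r4, which the later `ld r4,INT_PARMS+8(r1)` presumably reloads (also outside that hunk). Suggest one comment at the first site, `/* hashst/hashchk take a negative displacement from the entry SP; rebuild it in a register.  */`, and a dead volatile register instead of r31 if the spill does not precede this point.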