x86: Check corrupted return address when unwinding stack

If shadow stack is enabled, when unwinding stack, we count how many stack frames we pop to reach the landing pad and adjust shadow stack by the same amount. When counting the stack frame, we compare the return address on normal stack against the return address on shadow stack. If they don't match, return _URC_FATAL_PHASE2_ERROR for the corrupted return address on normal stack. Don't check the return address for 1. Non-catchable exception where exception_class == 0. Process will be terminated. 2. Zero return address which marks the outermost stack frame. 3. Signal stack frame since kernel puts a restore token on shadow stack. * unwind-generic.h (_Unwind_Frames_Increment): Add the EXC argument. * unwind.inc (_Unwind_RaiseException_Phase2): Pass EXC to _Unwind_Frames_Increment. (_Unwind_ForcedUnwind_Phase2): Likewise. * config/i386/shadow-stack-unwind.h (_Unwind_Frames_Increment): Take the EXC argument. Return _URC_FATAL_PHASE2_ERROR if the return address on normal stack doesn't match the return address on shadow stack.

x86: Check corrupted return address when unwinding stack
9072db9d · H.J. Lu · 84807af0 · 9072db9d · 9072db9d · 9072db9d
Commit 9072db9d authored 2 years ago by H.J. Lu
--- a/libgcc/config/i386/shadow-stack-unwind.h
+++ b/libgcc/config/i386/shadow-stack-unwind.h
@@ -54,10 +54,39 @@ see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see
   aligned.  If the original shadow stack is 8 byte aligned, we just
   need to pop 2 slots, one restore token, from shadow stack.  Otherwise,
   we need to pop 3 slots, one restore token + 4 byte padding, from
-   shadow stack.  */
-#ifndef __x86_64__
+   shadow stack.
+
+   When popping a stack frame, we compare the return address on normal
+   stack against the return address on shadow stack.  If they don't match,
+   return _URC_FATAL_PHASE2_ERROR for the corrupted return address on
+   normal stack.  Don't check the return address for
+   1. Non-catchable exception where exception_class == 0.  Process will
+      be terminated.
+   2. Zero return address which marks the outermost stack frame.
+   3. Signal stack frame since kernel puts a restore token on shadow
+      stack.
+ */
 #undef _Unwind_Frames_Increment
-#define _Unwind_Frames_Increment(context, frames)	\
+#ifdef __x86_64__
+#define _Unwind_Frames_Increment(exc, context, frames)	\
+    {							\
+      frames++;						\
+      if (exc->exception_class != 0			\
+	  && _Unwind_GetIP (context) != 0		\
+	  && !_Unwind_IsSignalFrame (context))		\
+	{						\
+	  _Unwind_Word ssp = _get_ssp ();		\
+	  if (ssp != 0)					\
+	    {						\
+	      ssp += 8 * frames;			\
+	      _Unwind_Word ra = *(_Unwind_Word *) ssp;	\
+	      if (ra != _Unwind_GetIP (context))	\
+		return _URC_FATAL_PHASE2_ERROR;		\
+	    }						\
+	}						\
+    }
+#else
+#define _Unwind_Frames_Increment(exc, context, frames)	\
  if (_Unwind_IsSignalFrame (context))			\
    do							\
      {							\
@@ -83,5 +112,19 @@ see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see
      }							\
    while (0);						\
  else							\
-    frames++;
+    {							\
+      frames++;						\
+      if (exc->exception_class != 0			\
+	  && _Unwind_GetIP (context) != 0)		\
+	{						\
+	  _Unwind_Word ssp = _get_ssp ();		\
+	  if (ssp != 0)					\
+	    {						\
+	      ssp += 4 * frames;			\
+	      _Unwind_Word ra = *(_Unwind_Word *) ssp;	\
+	      if (ra != _Unwind_GetIP (context))	\
+		return _URC_FATAL_PHASE2_ERROR;		\
+	    }						\
+	}						\
+    }
 #endif
--- a/libgcc/unwind-generic.h
+++ b/libgcc/unwind-generic.h
@@ -292,6 +292,6 @@ EXCEPTION_DISPOSITION _GCC_specific_handler (PEXCEPTION_RECORD, void *,
 #define _Unwind_Frames_Extra(frames)

 /* Increment frame count.  */
-#define _Unwind_Frames_Increment(context, frames) frames++
+#define _Unwind_Frames_Increment(exc, context, frames) frames++

 #endif /* unwind.h */
--- a/libgcc/unwind.inc
+++ b/libgcc/unwind.inc
@@ -73,7 +73,7 @@ _Unwind_RaiseException_Phase2(struct _Unwind_Exception *exc,
      gcc_assert (!match_handler);

      uw_update_context (context, &fs);
-      _Unwind_Frames_Increment (context, frames);
+      _Unwind_Frames_Increment (exc, context, frames);
    }

  *frames_p = frames;
@@ -191,7 +191,7 @@ _Unwind_ForcedUnwind_Phase2 (struct _Unwind_Exception *exc,
      /* Update cur_context to describe the same frame as fs, and discard
 	 the previous context if necessary.  */
      uw_advance_context (context, &fs);
-      _Unwind_Frames_Increment (context, frames);
+      _Unwind_Frames_Increment (exc, context, frames);
    }

  *frames_p = frames;