From owner-freebsd-bugs Sat Dec 14 08:30:05 2002
Message-Id: <20021214162933.50E3D491@king.swox.se>
Date: Sat, 14 Dec 2002 17:29:33 +0100 (CET)
From: Torbjorn Granlund
Reply-To: Torbjorn Granlund
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: i386/46258: PLT code causes skewed return hint stack

>Number:         46258
>Category:       i386
>Synopsis:       PLT code causes skewed return hint stack
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 14 08:30:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Torbjorn Granlund
>Release:        FreeBSD 4.7-RELEASE i386
>Organization:
Swox AB
>Environment:
System: FreeBSD king.swox.se 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Wed Nov 13 18:18:04 CET 2002
    tege@king.swox.se:/usr/src/sys/compile/KING i386
>Description:
Modern x86 processors have internal return address hint stacks. To avoid
confusing them, it is important to pair calls and returns. PIC code
sometimes wants the PC value, and using a call improperly here can confuse
the return hint stack.

The FreeBSD PLT code looks to me like another example of such code.

Ideally, a jmp should be used instead of the ret to jump to the target
routine. Hmm, can we really do that? There isn't a place to store the
target address.

If using a jmp is impossible, we could live with getting one return hint
stack miss, but we don't want the entire hint stack to become skewed.

Shouldn't the code look like the following instead?

_rtld_bind_start:
        pushf                           # Save eflags
        pushl   %eax                    # Save %eax
        pushl   %edx                    # Save %edx
        pushl   %ecx                    # Save %ecx
        pushl   20(%esp)                # Copy reloff argument
        pushl   20(%esp)                # Copy obj argument
        call    _rtld_bind@PLT          # Transfer control to the binder
        /* Now %eax contains the entry point of the function being called. */
        call    1f
1:      addl    $12,%esp                # Discard binder arguments and L1 addr
        movl    %eax,20(%esp)           # Store target over obj argument
        popl    %ecx                    # Restore %ecx
        popl    %edx                    # Restore %edx
        popl    %eax                    # Restore %eax
        popf                            # Restore eflags
        leal    4(%esp),%esp            # Discard reloff, do not change eflags
        ret                             # "Return" to target address

>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
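An added example, not part of the PR or of FreeBSD, that models the return hint stack the report describes as a small Python simulator: a fixed-depth stack that every `call` pushes and every `ret` pops as its prediction. It counts mispredicted returns for the original trampoline (a bare `ret` with no matching `call`) against the proposed one (`call 1f` before the `ret`). The return addresses, the call-chain depth and the 16-entry stack depth are constructed values, not measurements.

```python
"""Toy model of an x86 return hint stack (return stack buffer), added
here to illustrate the PR; it is not FreeBSD code.  Every `call` pushes
its return address, every `ret` pops one entry as the prediction.  A
`ret` with no matching `call` consumes another frame's entry, so every
later return in the chain mispredicts: the stack is "skewed"."""
from collections import deque


class ReturnHintStack:
    def __init__(self, depth: int = 16) -> None:
        self.entries = deque(maxlen=depth)  # oldest entry falls off when full
        self.mispredicts = 0

    def call(self, return_addr: str) -> None:
        self.entries.append(return_addr)

    def ret(self, actual_target: str) -> bool:
        # An empty hint stack is modelled as a misprediction as well.
        predicted = self.entries.pop() if self.entries else None
        hit = predicted == actual_target
        if not hit:
            self.mispredicts += 1
        return hit


def simulate_lazy_binding(paired: bool, nesting: int = 4) -> int:
    """Count mispredictions for one lazily bound PLT call made from a
    chain of `nesting` nested callers (constructed addresses ret0..retN).
    paired=False: trampoline ends in a bare ret, as in the original code.
    paired=True:  trampoline does `call 1f` first, as the PR proposes."""
    rhs = ReturnHintStack()
    chain = [f"ret{i}" for i in range(nesting)]  # innermost caller is last
    for addr in chain:
        rhs.call(addr)
    # The PLT entry reaches _rtld_bind_start with a jmp: nothing is pushed.
    rhs.call("after_rtld_bind")   # call _rtld_bind@PLT ...
    rhs.ret("after_rtld_bind")    # ... which returns normally (balanced)
    if paired:
        rhs.call("L1")            # call 1f: push a throw-away entry
    rhs.ret("target")             # ret "returns" into the bound function
    # The target returns to its caller, then the whole chain unwinds.
    for addr in reversed(chain):
        rhs.ret(addr)
    return rhs.mispredicts


if __name__ == "__main__":
    for paired in (False, True):
        print(f"paired={paired}: {simulate_lazy_binding(paired)} mispredicted returns")
```

With four nested callers the bare `ret` costs five mispredicted returns (the one into the target plus every return up the chain), while the paired version costs exactly the one miss the PR says it is willing to live with.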