ref: 55cf967bdf6f94d963080f57c34271ef0623f68f
parent: 7b2e145dea7203b40c179c78942d46a2b820d322
author: Martin Storsjö <[email protected]>
date: Wed May 13 18:08:04 EDT 2020
checkasm: arm64: Take the number of stack arguments into account when checking for stack clobbering
--- a/tests/checkasm/arm/checkasm_64.S
+++ b/tests/checkasm/arm/checkasm_64.S
@@ -121,13 +121,15 @@
ldp x16, x17, [x9], #32
ldp x8, x9, [x9]
- // For stack overflows, we want to check the values immediately
- // on the stack, which (may) come from arguments - so we can't
- // place custom values there. Instead just check them as-is
- // against a reference that is stored inverted (so that a stack
- // overflow that overwrites everything with the same value will
- // be noticed).
- ldr x2, [sp]
+ // For stack overflows, the callee is free to overwrite the parameters
+ // that were passed on the stack (if any), so we can only check after
+ // that point. First figure out how many parameters the function
+ // really took on the stack:
+ ldr w2, [x29, #16 + 8*8 + (MAX_ARGS-8)*8]
+ // Load the first non-parameter value from the stack, that should be
+ // left untouched by the function. Store a copy of it inverted, so that
+ // e.g. overwriting everything with zero would be noticed.
+ ldr x2, [sp, x2, lsl #3]
mvn x2, x2
str x2, [sp, #ARG_STACK-16]
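Review bot: The stack-parameter count is fetched with the bare expression `#16 + 8*8 + (MAX_ARGS-8)*8` at `ldr w2` here and again after the call (the hunk at `@@ -140,8`), with nothing tying that slot to the trailing `int`s that checkasm.h's `declare_new`/`call_new` append; a named constant such as `#define STACK_ARG_COUNT_OFF (16 + 8*8 + (MAX_ARGS-8)*8)`, defined next to ARG_STACK, plus a comment at its first use saying that `call_new()` deposits the count there via a descending run of literals, would make the contract visible. The 32-bit `ldr w2` also deserves a one-line comment, since under AAPCS64 the upper half of an `int`'s 8-byte stack slot is unspecified and the zero-extended `x2` is what the scaled index `[sp, x2, lsl #3]` on the next line relies on: `// 32-bit load: the upper half of an int's stack slot is unspecified`. The enclosing function starts before this hunk.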
@@ -140,8 +142,9 @@
// Call the target function
blr x12
- // Load the stack canary and its reference
- ldr x2, [sp]
+ // Load the number of stack parameters, stack canary and its reference
+ ldr w2, [x29, #16 + 8*8 + (MAX_ARGS-8)*8]
+ ldr x2, [sp, x2, lsl #3]
ldr x3, [sp, #ARG_STACK-16]
add sp, sp, #ARG_STACK
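Review bot: After `blr x12` the canary address is rebuilt from `[x29, ...]` and the `w2` loaded there, so the check now depends on x29 (presumably the stub's frame pointer) and on that incoming-argument slot both surviving the callee, whereas the old `ldr x2, [sp]` depended only on sp. If a misbehaving function corrupts x29 or that slot, the scaled load `ldr x2, [sp, x2, lsl #3]` dereferences a garbage address and the harness faults instead of reporting a clobber; whether x29 is verified separately lies outside this hunk. One way to remove the dependency is to compute the canary address before the call, e.g. `add x2, sp, x2, lsl #3`, park it in a free slot of the stub's own frame beside the inverted reference at `[sp, #ARG_STACK-16]` if one is available, and reload it here. The enclosing function continues beyond this hunk.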
--- a/tests/checkasm/checkasm.h
+++ b/tests/checkasm/checkasm.h
@@ -235,7 +235,8 @@
void checkasm_stack_clobber(uint64_t clobber, ...);
#define declare_new(ret, ...)\
ret (*checked_call)(void *, int, int, int, int, int, int, int,\
- __VA_ARGS__) =\
+ __VA_ARGS__, int, int, int, int, int, int, int, int,\
+ int, int, int, int, int, int, int) =\
(void *)checkasm_checked_call;
#define CLOB (UINT64_C(0xdeadbeefdeadbeef))
#define call_new(...)\
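Review bot: The 15 trailing `int` parameters added to the prototype must match, count for count, the 15 literal values that `call_new` appends in the hunk at `@@ -244,7` and the slot checkasm_64.S reads at `#16 + 8*8 + (MAX_ARGS-8)*8`, yet nothing in the header says so; a mismatch would silently shift which slot the assembly interprets as the count. I would add above `declare_new`: `/* The trailing ints carry a descending counter that lets checkasm_checked_call find how many parameters really live on the stack; keep their number in sync with call_new() and MAX_ARGS. */`. Since the prototype hard-codes the tail, it is also worth confirming that a `__VA_ARGS__` list longer than MAX_ARGS is rejected somewhere, because a real argument would then occupy the slot read as the count (neither MAX_ARGS' value nor such a guard is visible here). Like the rest of the stub, the scheme assumes each stack argument occupies a full 8-byte slot as in standard AAPCS64; Apple's arm64 ABI packs `int` stack arguments to 4 bytes, so this block must remain excluded for that target if it is not already — the selecting `#elif` is above the hunk.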
@@ -244,7 +245,8 @@
CLOB, CLOB, CLOB, CLOB, CLOB, CLOB,\
CLOB, CLOB, CLOB, CLOB, CLOB, CLOB,\
CLOB, CLOB, CLOB, CLOB, CLOB),\
- checked_call(func_new, 0, 0, 0, 0, 0, 0, 0, __VA_ARGS__));\
+ checked_call(func_new, 0, 0, 0, 0, 0, 0, 0, __VA_ARGS__,\
+ 7, 6, 5, 4, 3, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0));\
checkasm_set_signal_handler_state(0)
#else
#define declare_new(ret, ...)
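Review bot: The literal run `7, 6, 5, 4, 3, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0` appended to `checked_call` is unexplained magic; from the offset the assembly reads, the slot MAX_ARGS positions into the stack arguments ends up holding `N - 8` (or 0 when N is below 8) for N real arguments only if the run starts at `MAX_ARGS - 8` — i.e. the leading `7` appears to assume MAX_ARGS is 15, which I cannot confirm from here — and only when at least one real argument precedes it, since the tail is one value short of covering slot MAX_ARGS otherwise. A comment on the line before the tail would capture that: `/* descending counter: slot MAX_ARGS then holds the number of stack parameters (0 if none), which the asm stub reads to locate its canary */`, ideally paired with a compile-time check that MAX_ARGS has the value the `7` assumes, however the project spells such assertions.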