In 32bit mode, removed all assembly addressing modes that are incompatible with

trusted_thread_i386.S

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 
 
 #define CHECK_SYSCALL_ZERO  test %eax, %eax; jnz fatal_error
 
 
@@ skipping 27 matching lines @@
         // code (by means of sending an IPC to its trusted thread). It goes
         // through the same steps of creating a signal stack frame on the
         // newly created thread's stacks prior to cloning. See clone.cc for
         // details.
         mov  $__NR_clone + 0xF000, %eax
         mov  %esp, %ebp
         int  $0                  // push a signal stack frame (see clone.cc)
         movw %si, %fs
         mov  %esi, 0x4(%esp)     // set up %fs upon call to sigreturn()
         mov  %ebp, 0x1C(%esp)    // pop stack upon call to sigreturn()
-        lea  999f, %ebp
+        call 0f                  // determine %eip for PIC addressing
+      0:pop  %ebp
+        movd %ebp, %mm1
+        add  $(_GLOBAL_OFFSET_TABLE_+(.-0b)), %ebp
+        mov  playground$cloneFdPub@GOT(%ebp), %ebp
+        movd 0(%ebp), %mm3
+        movd %mm1, %ebp
+        add  $(999f-0b), %ebp
         mov  %ebp, 0x38(%esp)    // return address: continue in same thread
         mov  %esp, %ebp
         mov  $2, %ebx            // how     = SIG_SETMASK
         pushl $-1
         pushl $-1
         mov  %esp, %ecx          // set     = full mask
         xor  %edx, %edx          // old_set = NULL
         mov  $8, %esi            // mask all 64 signals
         mov  $__NR_rt_sigprocmask, %eax
         int  $0x80
         CHECK_SYSCALL_ZERO
         mov  $__NR_sigprocmask, %eax
         int  $0x80
         CHECK_SYSCALL_ZERO
         xor  %esp, %esp          // invalidate the stack in all trusted code
         movd %edi, %mm6          // %mm6 = args
         xor  %edi, %edi          // initial sequence number
         movd %edi, %mm2
         jmp  20f                 // create trusted thread
 
         // TODO(markus): Coalesce the read() operations by reading into a
         //               bigger buffer.
 
         // Parameters:
         //   %mm0: thread's side of threadFd
+        //   %mm1: base address used for position independent code
+        //   %mm3: cloneFdPub
         //   %mm5: secure memory region
         //         the page following this one contains the scratch space
 
         // Local variables:
         //   %mm2: sequence number for trusted calls
         //   %mm4: thread id
 
         // Temporary variables:
         //   %ebp: system call number
         //   %mm6: secure memory of previous thread
@@ skipping 35 matching lines @@
         //   0x1C: return value
         //   0x20: RDTSCP result (%eax)
         //   0x24: RDTSCP result (%edx)
         //   0x28: RDTSCP result (%ecx)
         //   0x2C: last system call (updated in syscall.cc)
         //   0x30: number of consecutive calls to a time fnc (e.g.gettimeofday)
         //   0x34: nesting level of system calls (for debugging purposes only)
         //   0x38: signal mask
         //   0x40: in SEGV handler
 
-      0:xor  %esp, %esp
+      1:xor  %esp, %esp
         mov  $2, %eax            // %mm2 = initial sequence number
         movd %eax, %mm2
 
         // Read request from untrusted thread, or from trusted process. In
         // either case, the data that we read has to be considered untrusted.
         // read(threadFd, &scratch, 4)
-      1:mov  $__NR_read, %eax
+      2:mov  $__NR_read, %eax
         movd %mm0, %ebx          // fd  = threadFd
         movd %mm5, %ecx          // secure_mem
         add  $0x1000, %ecx       // buf = &scratch
         mov  $4, %edx            // len = 4
-      2:int  $0x80
+      3:int  $0x80
         cmp  $-4, %eax           // EINTR
-        jz   2b
+        jz   3b
         cmp  %edx, %eax
         jnz  fatal_error
 
         // Retrieve system call number. It is crucial that we only dereference
         // 0x1000(%mm5) exactly once. Afterwards, memory becomes untrusted and
         // we must use the value that we have read the first time.
         mov  0(%ecx), %eax
 
         // If syscall number is -1, execute an unlocked system call from the
         // secure memory area
         cmp  $-1, %eax
         jnz  5f
-      3:movd %mm2, %ebp
+        movd %mm2, %ebp
         cmp  %ebp, 0x4-0x1000(%ecx)
         jne  fatal_error
         cmp  0x08-0x1000(%ecx), %eax
         jne  fatal_error
         mov  0x0C-0x1000(%ecx), %eax
         mov  0x10-0x1000(%ecx), %ebx
         mov  0x18-0x1000(%ecx), %edx
         mov  0x1C-0x1000(%ecx), %esi
         mov  0x20-0x1000(%ecx), %edi
         mov  0x24-0x1000(%ecx), %ebp
@@ skipping 37 matching lines @@
         int  $0x80
         CHECK_SYSCALL_ZERO
         mov  %ebp, 0x54(%ebx)    // set most recently returned SysV shm id
         xor  %ebx, %ebx
 
         // When debugging messages are enabled, warn about expensive system
         // calls
         #ifndef NDEBUG
         movd %mm5, %ecx
         cmpw $0, 0x50(%ecx)      // debug mode
-        jz   27f
+        jz   26f
         mov  $__NR_write, %eax
         mov  $2, %ebx            // fd = stderr
-        lea  101f, %ecx          // "This is an expensive system call"
+        movd %mm1, %ecx
+        add  $(101f-0b), %ecx    // "This is an expensive system call"
         mov  $102f-101f, %edx    // len = strlen(msg)
         int  $0x80
         xor  %ebx, %ebx
         #endif
 
-        jmp  27f                 // exit program, no message
+        jmp  26f                 // exit program, no message
       4:int  $0x80
         jmp  15f                 // return result
 
         // If syscall number is -2, execute locked system call from the
         // secure memory area
       5:jg   12f
         cmp  $-2, %eax
         jnz  9f
         movd %mm2, %ebp
         cmp  %ebp, 0x4-0x1000(%ecx)
         jne  fatal_error
         cmp  %eax, 0x8-0x1000(%ecx)
         jne  fatal_error
 
         // When debugging messages are enabled, warn about expensive system
         // calls
         #ifndef NDEBUG
         cmpw $0, 0x50-0x1000(%ecx)
         jz   6f                  // debug mode
         mov  %ecx, %ebp
         mov  $__NR_write, %eax
         mov  $2, %ebx            // fd = stderr
-        lea  101f, %ecx          // "This is an expensive system call"
+        movd %mm1, %ecx
+        add  $(101f-0b), %ecx    // "This is an expensive system call"
         mov  $102f-101f, %edx    // len = strlen(msg)
         int  $0x80
         mov  %ebp, %ecx
      6:
         #endif
 
         mov  0x0C-0x1000(%ecx), %eax
         mov  0x10-0x1000(%ecx), %ebx
         mov  0x18-0x1000(%ecx), %edx
         mov  0x1C-0x1000(%ecx), %esi
@@ skipping 86 matching lines @@
         cmp  %edx, %eax
         jnz  fatal_error
         mov  %ebp, %eax
         mov  0x00(%ecx), %ebx
         mov  0x08(%ecx), %edx
         mov  0x0C(%ecx), %esi
         mov  0x10(%ecx), %edi
         mov  0x14(%ecx), %ebp
         mov  0x04(%ecx), %ecx
         cmp  $__NR_exit_group, %eax
-        jz   27f                 // exit program, no message
+        jz   26f                 // exit program, no message
         int  $0x80
 
         // Return result of system call to sandboxed thread
      15:movd %mm5, %ecx          // secure_mem
         add  $0x101C, %ecx       // buf   = &scratch + 28
         mov  %eax, (%ecx)
         mov  $4, %edx            // len   = 4
      16:movd %mm0, %ebx          // fd    = threadFd
         mov  $__NR_write, %eax
      17:int  $0x80
         cmp  %edx, %eax
-        jz   1b
+        jz   2b
         cmp  $-4, %eax           // EINTR
         jz   17b
         jmp  fatal_error
 
         // NR_exit:
         // Exit trusted thread after cleaning up resources
      18:mov  %edi, %ecx          // secure_mem
         mov  0x68(%ecx), %ebx    // fd     = threadFdPub
         mov  $__NR_close, %eax
         int  $0x80
@@ skipping 70 matching lines @@
         mov  $__NR_socketcall, %eax
         mov  $8, %ebx            // socketpair
         sub  $8, %ebp            // sv       = child_stack
         mov  %ebp, -0x04(%ebp)
         movl $0, -0x08(%ebp)     // protocol = 0
         movl $1, -0x0C(%ebp)     // type     = SOCK_STREAM
         movl $1, -0x10(%ebp)     // domain   = AF_UNIX
         lea  -0x10(%ebp), %ecx
         int  $0x80
         test %eax, %eax
-        jz   28f
+        jz   27f
 
         // If things went wrong, we don't have an (easy) way of signaling
         // the parent. For our purposes, it is sufficient to fail with a
         // fatal error.
         jmp  fatal_error
      21:xor  %ecx, %ecx
         xor  %edx, %edx
         mov  $__NR_waitpid, %eax
         int  $0x80
         cmp  $-4, %eax           // EINTR
@@ skipping 12 matching lines @@
         mov  $1, %edx
         mov  %edx, %ecx          // FUTEX_WAKE
         mov  $__NR_futex, %eax
         int  $0x80
      23:mov  $__NR_exit, %eax
         mov  $1, %ebx            // status = 1
      24:int  $0x80
 fatal_error:
         mov  $__NR_write, %eax
         mov  $2, %ebx            // fd = stderr
-        lea  100f, %ecx          // "Sandbox violation detected"
+        movd %mm1, %ecx
+        add  $(100f-0b), %ecx    // "Sandbox violation detected"
         mov  $101f-100f, %edx    // len = strlen(msg)
         int  $0x80
-     26:mov  $1, %ebx
-     27:mov  $__NR_exit_group, %eax
+     25:mov  $1, %ebx
+     26:mov  $__NR_exit_group, %eax
         jmp  24b
 
         // The first page is mapped read-only for use as securely shared memory
-     28:movd %mm6, %edi          // %edi = old_shared_mem
+     27:movd %mm6, %edi          // %edi = old_shared_mem
         mov  0x44(%edi), %ebx    // addr = secure_mem
         movd %ebx, %mm5          // %mm5 = secure_mem
         movd %mm2, %esi
         cmp  %esi, 4(%edi)
         jne  fatal_error
         mov  $__NR_mprotect, %eax
         mov  $4096, %ecx         // len  = 4096
         mov  $1, %edx            // prot = PROT_READ
         int  $0x80
         CHECK_SYSCALL_ZERO
@@ skipping 12 matching lines @@
         mov  4(%ebp), %eax       // threadFd (on child's stack)
         movd %eax, %mm0          // %mm0  = threadFd
         mov  $__NR_clone, %eax
         mov  $0x850F00, %ebx     // flags = VM|FS|FILES|SIGH|THR|SYSV|UTR
         mov  $1, %ecx            // stack = 1
         cmp  %esi, 4(%edi)
         jne  fatal_error
         int  $0x80
         test %eax, %eax
         js   fatal_error
-        jz   0b                  // invoke trustedThreadFnc()
+        jz   1b                  // invoke trustedThreadFnc()
 
         // Set up thread local storage
         mov  $0x51, %eax         // seg_32bit, limit_in_pages, useable
         mov  %eax, -0x04(%ebp)
         mov  $0xFFFFF, %eax      // limit
         mov  %eax, -0x08(%ebp)
         movd %mm5, %eax
         add  $0x58, %eax
         mov  %eax, -0x0C(%ebp)   // base_addr = &secure_mem.TLS
         mov  %fs, %eax
@@ skipping 22 matching lines @@
 
         // Nascent thread launches a helper that doesn't share any of our
         // resources, except for pages mapped as MAP_SHARED.
         // clone(SIGCHLD, stack=1)
         mov  $__NR_clone, %eax
         mov  $17, %ebx           // flags = SIGCHLD
         mov  $1, %ecx            // stack = 1
         int  $0x80
         test %eax, %eax
         js   fatal_error
-        jne  31f
+        jne  28f
 
         // Use sendmsg() to send to the trusted process the file handles for
         // communicating with the new trusted thread. We also send the address
         // of the secure memory area (for sanity checks) and the thread id.
         cmp  %edx, 4(%edi)
         jne  fatal_error
 
         // 0x00 socketcall:
         //   0x00 socket         (cloneFdPub)
         //   0x04 msg            (%ecx + 0x0C)
@@ skipping 13 matching lines @@
         // 0x34 iov:
         //   0x34 iov_base       (%ecx + 0x24)
         //   0x38 iov_len        ($0x10)
         // 0x3C cmsg:
         //   0x3C cmsg_len       ($0x14)
         //   0x40 cmsg_level     ($1, SOL_SOCKET)
         //   0x44 cmsg_type      ($1, SCM_RIGHTS)
         //   0x48 threadFdPub    (%esi)
         //   0x4C threadFd       (%mm0)
         // 0x50
-        lea  sendmsg_data, %ecx
+        movd %mm1, %ecx
+        add  $(sendmsg_data-0b), %ecx
         xor  %eax, %eax
         mov  %eax, 0x08(%ecx)    // flags
         mov  %eax, 0x0C(%ecx)    // msg_name
         mov  %eax, 0x10(%ecx)    // msg_namelen
         mov  %eax, 0x24(%ecx)    // msg_flags
         inc  %eax
         mov  %eax, 0x18(%ecx)    // msg_iovlen
         mov  %eax, 0x40(%ecx)    // cmsg_level
         mov  %eax, 0x44(%ecx)    // cmsg_type
         movl $0x10, 0x38(%ecx)   // iov_len
         mov  $0x14, %eax
         mov  %eax, 0x20(%ecx)    // msg_controllen
         mov  %eax, 0x3C(%ecx)    // cmsg_len
-        mov  playground$cloneFdPub, %eax  // cloneFdPub
+        movd %mm3, %eax          // cloneFdPub
         mov  %eax, 0x00(%ecx)    // socket
         lea  0x0C(%ecx), %eax
         mov  %eax, 0x04(%ecx)    // msg
         add  $0x18, %eax
         mov  %eax, 0x34(%ecx)    // iov_base
         add  $0x10, %eax
         mov  %eax, 0x14(%ecx)    // msg_iov
         add  $8, %eax
         mov  %eax, 0x1C(%ecx)    // msg_control
         mov  %esi, 0x30(%ecx)    // threadFdPub
         mov  %esi, 0x48(%ecx)    // threadFdPub
         movd %mm5, %eax
         mov  %eax, 0x28(%ecx)    // secure_mem
         movd %mm4, %eax
         mov  %eax, 0x2C(%ecx)    // threadId
         movd %mm0, %eax
         mov  %eax, 0x4C(%ecx)    // threadFd
         mov  $16, %ebx           // sendmsg()
         mov  $__NR_socketcall, %eax
         int  $0x80
-     30:xor  %ebx, %ebx
-        jmp  27b                 // exit process (no error message)
+        xor  %ebx, %ebx
+        jmp  26b                 // exit process (no error message)
 
         // Reap helper
-     31:mov  %eax, %ebx
-     32:lea  -4(%ebp), %ecx
+     28:mov  %eax, %ebx
+     29:lea  -4(%ebp), %ecx
         xor  %edx, %edx
         mov  $__NR_waitpid, %eax
         int  $0x80
         cmp  $-4, %eax           // EINTR
-        jz   32b
+        jz   29b
         mov  -4(%ebp), %eax
         test %eax, %eax
-        jnz  26b                 // exit process (no error message)
+        jnz  25b                 // exit process (no error message)
 
         // Release privileges by entering seccomp mode.
-     33:mov  $__NR_prctl, %eax
+        mov  $__NR_prctl, %eax
         mov  $22, %ebx           // PR_SET_SECCOMP
         mov  $1, %ecx
         int  $0x80
         CHECK_SYSCALL_ZERO
 
         // We can finally start using the stack. Signal handlers no longer pose
         // a threat to us.
         mov  %ebp, %esp
 
         // Back in the newly created sandboxed thread, wait for trusted process
         // to receive request. It is possible for an attacker to make us
         // continue even before the trusted process is done. This is OK. It'll
         // result in us putting stale values into the new thread's TLS. But
         // that data is considered untrusted anyway.
         push %eax
         mov  $1, %edx            // len       = 1
         mov  %esp, %ecx          // buf       = %esp
         mov  %esi, %ebx          // fd        = threadFdPub
-     34:mov  $__NR_read, %eax
+     30:mov  $__NR_read, %eax
         int  $0x80
         cmp  $-4, %eax           // EINTR
-        jz   34b
+        jz   30b
         cmp  %edx, %eax
         jne  fatal_error
         pop  %eax
 
         // Returning to the place where clone() had been called. We rely on
         // using sigreturn() for restoring our registers. The caller already
         // created a signal stack frame and patched the register values
         // with the ones that were in effect prior to calling sandbox_clone().
         mov  $__NR_sigreturn, %eax
         int  $0x80
@@ skipping 11 matching lines @@
 
         .bss
         // Reserve space for sendmsg() data.  This is used in a fork()'d
         // helper process, so in principle this could safely overlap and
         // overwrite other data, but it is such a small amount of memory
         // that it is not worth trying to do that.  The only requirement
         // is that this must be in a MAP_PRIVATE mapping so that an
         // untrusted thread cannot modify the forked subprocess's copy.
 sendmsg_data:
         .space 0x50