newlib/libc/machine/x86_64/memcpy.S - Issue 917463003: Avoid writing the sandbox base address to memory in setjmp and memcpy

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: newlib/libc/machine/x86_64/memcpy.S

Issue 917463003: Avoid writing the sandbox base address to memory in setjmp and memcpy (Closed) Base URL: https://chromium.googlesource.com/native_client/nacl-newlib.git@master

Patch Set: Created 5 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: newlib/libc/machine/x86_64/memcpy.S

diff --git a/newlib/libc/machine/x86_64/memcpy.S b/newlib/libc/machine/x86_64/memcpy.S

index 0041d5f52352004a8ee62db454beacf027e79ea5..cf0025247bbc4c27ec8b9b5ea119d72075394183 100644

--- a/newlib/libc/machine/x86_64/memcpy.S

+++ b/newlib/libc/machine/x86_64/memcpy.S

@@ -40,6 +40,19 @@ quadword_aligned:

movl edx, ecx /* Copy 128 bytes at a time with minimum cache polution */

shrl $7, ecx

+ /* Avoid revealing the sandbox base address.

+ * In particular this means that we don't do the following:

+ * movq 32(r15,rsi), r11

+ * ...

+ * movq r11, %nacl:32(r15,rdi)

+ * because the latter instruction might be reached via a direct or

+ * indirect jump when r11 contains the sandbox base address in its

+ * top 32 bits, and this would write the sandbox base address into

+ * memory. We treat r11 as a write-only register to avoid

+ * revealing the sandbox base address to user code.

+ * Instead, we spill rdx and use that.

+ */

+ pushq rdx

.p2align 4

loop:

prefetchnta 768 (r15,rsi)

@@ -49,7 +62,7 @@ loop:

movq %nacl: 8 (r15,rsi), r8

movq %nacl: 16 (r15,rsi), r9

movq %nacl: 24 (r15,rsi), r10

- movq %nacl: 32 (r15,rsi), r11

+ movq %nacl: 32 (r15,rsi), rdx

movq %nacl: 40 (r15,rsi), r12

movq %nacl: 48 (r15,rsi), r13

movq %nacl: 56 (r15,rsi), r14

@@ -58,7 +71,7 @@ loop:

movntiq r8 , %nacl: 8 (r15,rdi)

movntiq r9 , %nacl: 16 (r15,rdi)

movntiq r10, %nacl: 24 (r15,rdi)

- movntiq r11, %nacl: 32 (r15,rdi)

+ movntiq rdx, %nacl: 32 (r15,rdi)

movntiq r12, %nacl: 40 (r15,rdi)

movntiq r13, %nacl: 48 (r15,rdi)

movntiq r14, %nacl: 56 (r15,rdi)

@@ -67,7 +80,7 @@ loop:

movq %nacl: 72 (r15,rsi), r8

movq %nacl: 80 (r15,rsi), r9

movq %nacl: 88 (r15,rsi), r10

- movq %nacl: 96 (r15,rsi), r11

+ movq %nacl: 96 (r15,rsi), rdx

movq %nacl: 104 (r15,rsi), r12

movq %nacl: 112 (r15,rsi), r13

movq %nacl: 120 (r15,rsi), r14

@@ -76,7 +89,7 @@ loop:

movntiq r8 , %nacl: 72 (r15,rdi)

movntiq r9 , %nacl: 80 (r15,rdi)

movntiq r10, %nacl: 88 (r15,rdi)

- movntiq r11, %nacl: 96 (r15,rdi)

+ movntiq rdx, %nacl: 96 (r15,rdi)

movntiq r12, %nacl: 104 (r15,rdi)

movntiq r13, %nacl: 112 (r15,rdi)

movntiq r14, %nacl: 120 (r15,rdi)

@@ -88,7 +101,7 @@ loop:

jnz loop

sfence

- movl edx, ecx

+ popq rcx

andl $127, ecx

rep movsb %nacl:(rsi), %nacl:(rdi), r15

popq r14

« no previous file with comments | « no previous file | newlib/libc/machine/x86_64/setjmp.S » ('j') | newlib/libc/machine/x86_64/setjmp.S » ('J')