Message-ID: <CAH9TF6ORtP9X2SkhLXdj+K6sAxNQnT6OHCgh-KvuqWeC=_z0Fg@mail.gmail.com>
Date: Fri, 6 Dec 2024 19:51:52 +0100
From: Alex Rønne Petersen <alex@...xrp.com>
To: musl@...ts.openwall.com
Subject: Re: [PATCH] clone: clear the frame pointer in the child process on
 relevant ports

On Fri, Dec 6, 2024 at 7:49 PM Alex Rønne Petersen <alex@...xrp.com> wrote:
>
> This just mirrors what is done in the start code for the affected ports, as well
> as what is already done for the three x86 ports. For consistency, I also changed
> the x86 ports and the powerpc port to have the child process portion at the end
> of clone().
>
> Clearing the frame pointer helps protect FP-based unwinders which have no way of
> knowing that the FP register should be considered undefined in the child process
> portion of clone(). In practice, we found this change to be necessary when
> running the Zig standard library tests under qemu-aarch64_be with musl linked.

I made some observations in musl's startup code while putting this
patch together. As far as I can tell, musl doesn't clear...

* r7 (non-ABI FP) on arm;
* $ra on loongarch64;
* fp and ra on riscv32/riscv64;
* r9 (LR) on or1k;
* r31 (non-ABI FP) on powerpc/powerpc64;
* r11 (non-ABI FP) and r14 (LR) on s390x;
* r14 (FP) and pr (LR) on sh.

Accordingly, I didn't make such changes to clone().

The question is, *should* musl clear these? For what it's worth, in
Zig's non-libc startup code, we're clearing all link and frame pointer
registers, both ABI and non-ABI, because it doesn't really cost us
much and we'd rather be safe than sorry. I think it's also notable
that musl *does* clear the non-ABI FP register (r14) on microblaze, so
there's some precedent there.

Here's what glibc does, for comparison:

* arm: Same as musl.
* loongarch64: Sets $ra to a sensible return address so it can abort().
* riscv32/riscv64: Same as musl.
* or1k: Clears r2 (same as musl), clears r9.
* powerpc/powerpc64: Same as musl.
* s390x: Sets r14 to a sensible return address so it can trigger a
crash right after the brasl.
* sh: Clears r14, sets pr to a sensible return address so it can abort().

If changes are desired for these ports, I can do a separate patch to
change the startup code and clone() code for them.
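The point above about FP-based unwinders having no way to tell that the inherited frame pointer is meaningless in the clone() child can be made concrete with a small model. The following is an added example written for this page; it is not musl's or glibc's code, nor the unwinder from the Zig tests. It models a frame-pointer chain walker over a simulated address space: the frame-record layout (saved fp, then return address), the word-index addresses, the stack regions [0,32) for the child and [32,64) for the parent, and the return-address constants 0x1000/0x2000/0x3000 are all constructed for illustration. It walks the same chain four times: from a cleared fp, from the parent's stale fp with the walk bounded to the child's stack, from the stale fp with no bounds (what an unwinder sees when the parent's stack is mapped in the child), and from the stale fp after the parent has reused that stack slot.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of an FP-chain unwinder over a simulated address space.
 * Addresses are word indices into mem[]; 0 is never a valid frame address, so
 * a zero frame pointer terminates the chain. That is the convention a cleared
 * fp in _start, or in the clone() child, relies on. */
#define MEM_WORDS 64
typedef struct { uintptr_t mem[MEM_WORDS]; } sim_t;

/* Frame record layout (AArch64 / x86-64 style): mem[fp] = caller's fp,
 * mem[fp + 1] = return address into the caller. */
enum { FRAME_WORDS = 2, MAX_FRAMES = 8 };
enum { UNWIND_BAD_FP = -1, UNWIND_NOT_MONOTONIC = -2 };

/* Walk the chain from `fp`, accepting only frames inside [stack_lo, stack_hi).
 * Returns the frame count (return addresses in out[]) or a negative code when
 * the chain leaves the region or stops moving to higher addresses. Stacks grow
 * downwards, so a sane chain is strictly increasing; that also rules out cycles. */
static int unwind_fp_chain(const sim_t *s, uintptr_t fp, uintptr_t stack_lo,
                           uintptr_t stack_hi, uintptr_t *out, int max)
{
    int n = 0;
    uintptr_t prev = 0;
    while (fp != 0) {
        if (fp < stack_lo || fp + FRAME_WORDS > stack_hi)
            return UNWIND_BAD_FP;
        if (prev != 0 && fp <= prev)
            return UNWIND_NOT_MONOTONIC;
        if (n < max)
            out[n] = s->mem[fp + 1];
        n++;
        prev = fp;
        fp = s->mem[fp];
    }
    return n;
}

/* Push one frame record onto a downward-growing stack; returns the new fp. */
static uintptr_t push_frame(sim_t *s, uintptr_t *sp, uintptr_t caller_fp,
                            uintptr_t retaddr)
{
    *sp -= FRAME_WORDS;
    s->mem[*sp] = caller_fp;
    s->mem[*sp + 1] = retaddr;
    return *sp;
}

/* Parent thread owns [32, 64), the clone() child gets a fresh stack in [0, 32).
 * Return addresses are made-up constants. The innermost parent frame is the
 * one active when clone() is called; its fp is what the child inherits unless
 * the child path of clone() clears it. */
enum { CHILD_LO = 0, CHILD_HI = 32, PARENT_HI = 64 };

static uintptr_t build_parent(sim_t *s)
{
    memset(s, 0, sizeof *s);
    uintptr_t sp = PARENT_HI, fp = 0;       /* fp == 0: cleared by _start */
    fp = push_frame(s, &sp, fp, 0x1000);    /* main */
    fp = push_frame(s, &sp, fp, 0x2000);    /* thread spawner */
    fp = push_frame(s, &sp, fp, 0x3000);    /* caller of clone() */
    return fp;                              /* word index 58 */
}

/* Child after clone() with fp cleared: the walk ends at once, 0 frames. */
static int child_cleared_fp(uintptr_t *out)
{
    sim_t s;
    (void)build_parent(&s);
    return unwind_fp_chain(&s, 0, CHILD_LO, CHILD_HI, out, MAX_FRAMES);
}

/* Child with the parent's stale fp and an unwinder bounded to the child's
 * stack: the first frame is outside the region and the walk is rejected. */
static int child_stale_fp_bounded(uintptr_t *out)
{
    sim_t s;
    uintptr_t stale = build_parent(&s);
    return unwind_fp_chain(&s, stale, CHILD_LO, CHILD_HI, out, MAX_FRAMES);
}

/* Same stale fp, unwinder with no per-thread bounds (with CLONE_VM the parent's
 * stack is mapped in the child too): it reports the parent's three frames as
 * if they belonged to the child. */
static int child_stale_fp_shared(uintptr_t *out)
{
    sim_t s;
    uintptr_t stale = build_parent(&s);
    return unwind_fp_chain(&s, stale, 0, MEM_WORDS, out, MAX_FRAMES);
}

/* Worse: the parent keeps running, returns past the clone() call and reuses
 * that stack slot for unrelated data, so the stale chain now points at garbage. */
static int child_stale_fp_after_reuse(uintptr_t *out)
{
    sim_t s;
    uintptr_t stale = build_parent(&s);
    s.mem[stale] = 40;          /* slot reused: no longer a saved fp */
    s.mem[stale + 1] = 0xdead;
    return unwind_fp_chain(&s, stale, 0, MEM_WORDS, out, MAX_FRAMES);
}
```

The bounded walk only rejects the stale chain because the model knows the child's stack limits; a generic unwinder entered from the child's first frame has no such knowledge, which is the situation the patch addresses. Clearing fp (and, on ports where the unwinder may also consult it, the link register) before calling into the child's C code turns every variant into the first one: the chain terminates immediately instead of wandering into the parent's frames or into whatever has since overwritten them.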
