| 1 | /* $Id: stack-except-vcc.cpp 98103 2023-01-17 14:15:46Z vboxsync $ */
|
|---|
| 2 | /** @file
|
|---|
| 3 | * IPRT - Visual C++ Compiler - Stack Checking, __GSHandlerCheck.
|
|---|
| 4 | */
|
|---|
| 5 |
|
|---|
| 6 | /*
|
|---|
| 7 | * Copyright (C) 2022-2023 Oracle and/or its affiliates.
|
|---|
| 8 | *
|
|---|
| 9 | * This file is part of VirtualBox base platform packages, as
|
|---|
| 10 | * available from https://www.virtualbox.org.
|
|---|
| 11 | *
|
|---|
| 12 | * This program is free software; you can redistribute it and/or
|
|---|
| 13 | * modify it under the terms of the GNU General Public License
|
|---|
| 14 | * as published by the Free Software Foundation, in version 3 of the
|
|---|
| 15 | * License.
|
|---|
| 16 | *
|
|---|
| 17 | * This program is distributed in the hope that it will be useful, but
|
|---|
| 18 | * WITHOUT ANY WARRANTY; without even the implied warranty of
|
|---|
| 19 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|---|
| 20 | * General Public License for more details.
|
|---|
| 21 | *
|
|---|
| 22 | * You should have received a copy of the GNU General Public License
|
|---|
| 23 | * along with this program; if not, see <https://www.gnu.org/licenses>.
|
|---|
| 24 | *
|
|---|
| 25 | * The contents of this file may alternatively be used under the terms
|
|---|
| 26 | * of the Common Development and Distribution License Version 1.0
|
|---|
| 27 | * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
|
|---|
| 28 | * in the VirtualBox distribution, in which case the provisions of the
|
|---|
| 29 | * CDDL are applicable instead of those of the GPL.
|
|---|
| 30 | *
|
|---|
| 31 | * You may elect to license modified versions of this file under the
|
|---|
| 32 | * terms and conditions of either the GPL or the CDDL or both.
|
|---|
| 33 | *
|
|---|
| 34 | * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
|
|---|
| 35 | */
|
|---|
| 36 |
|
|---|
| 37 |
|
|---|
| 38 | /*********************************************************************************************************************************
|
|---|
| 39 | * Header Files *
|
|---|
| 40 | *********************************************************************************************************************************/
|
|---|
| 41 | #include "internal/nocrt.h"
|
|---|
| 42 |
|
|---|
| 43 | #include "except-vcc.h"
|
|---|
| 44 |
|
|---|
| 45 |
|
|---|
| 46 | #if !defined(RT_ARCH_AMD64)
|
|---|
| 47 | # error "This file is for AMD64 (and probably ARM, but needs porting)"
|
|---|
| 48 | #endif
|
|---|
| 49 |
|
|---|
| 50 |
|
|---|
| 51 |
|
|---|
| 52 | /**
|
|---|
| 53 | * Check the stack cookie before calling the exception handler.
|
|---|
| 54 | *
|
|---|
| 55 | * This is to prevent attackers from bypassing stack cookie checking by
|
|---|
| 56 | * triggering an exception.
|
|---|
| 57 | *
|
|---|
| 58 | * This does not call any C++ exception handlers, as it's probably (still
|
|---|
| 59 | * figuring this stuff out) only used when C++ exceptions are disabled.
|
|---|
| 60 | *
|
|---|
| 61 | * @returns Exception disposition.
|
|---|
| 62 | * @param pXcptRec The exception record.
|
|---|
| 63 | * @param pXcptRegRec The exception registration record, taken to be the frame
|
|---|
| 64 | * address.
|
|---|
| 65 | * @param pCpuCtx The CPU context for the exception.
|
|---|
| 66 | * @param pDispCtx Dispatcher context.
|
|---|
| 67 | */
|
|---|
| 68 | extern "C" __declspec(guard(suppress))
|
|---|
| 69 | EXCEPTION_DISPOSITION __GSHandlerCheck(PEXCEPTION_RECORD pXcptRec, PEXCEPTION_REGISTRATION_RECORD pXcptRegRec,
|
|---|
| 70 | PCONTEXT pCpuCtx, PDISPATCHER_CONTEXT pDispCtx)
|
|---|
| 71 | {
|
|---|
| 72 | RT_NOREF(pXcptRec, pCpuCtx);
|
|---|
| 73 |
|
|---|
| 74 | /*
|
|---|
| 75 | * Only GS handler data here.
|
|---|
| 76 | */
|
|---|
| 77 | PCGS_HANDLER_DATA pHandlerData = (PCGS_HANDLER_DATA)pDispCtx->HandlerData;
|
|---|
| 78 |
|
|---|
| 79 | /*
|
|---|
| 80 | * Locate the stack cookie and call the regular stack cookie checker routine.
|
|---|
| 81 | * (Same code as in __GSHandlerCheck_SEH, fixes applies both places.)
|
|---|
| 82 | */
|
|---|
| 83 | /* Calculate the cookie address and read it. */
|
|---|
| 84 | uintptr_t uPtrFrame = (uintptr_t)pXcptRegRec;
|
|---|
| 85 | uint32_t offCookie = pHandlerData->u.offCookie;
|
|---|
| 86 | if (offCookie & GS_HANDLER_OFF_COOKIE_HAS_ALIGNMENT)
|
|---|
| 87 | {
|
|---|
| 88 | uPtrFrame += pHandlerData->offAlignedBase;
|
|---|
| 89 | uPtrFrame &= ~(uintptr_t)pHandlerData->uAlignmentMask;
|
|---|
| 90 | }
|
|---|
| 91 | uintptr_t uCookie = *(uintptr_t const *)(uPtrFrame + (int32_t)(offCookie & GS_HANDLER_OFF_COOKIE_MASK));
|
|---|
| 92 |
|
|---|
| 93 | /* The stored cookie is xor'ed with the frame / registration record address
|
|---|
| 94 | or with the frame pointer register if one is being used. In the latter
|
|---|
| 95 | case, we have to add the frame offset to get the correct address. */
|
|---|
| 96 | uintptr_t uXorAddr = (uintptr_t)pXcptRegRec;
|
|---|
| 97 | PCIMAGE_UNWIND_INFO pUnwindInfo = (PCIMAGE_UNWIND_INFO)(pDispCtx->ImageBase + pDispCtx->FunctionEntry->UnwindInfoAddress);
|
|---|
| 98 | if (pUnwindInfo->FrameRegister != 0)
|
|---|
| 99 | uXorAddr += pUnwindInfo->FrameOffset << 4;
|
|---|
| 100 |
|
|---|
| 101 | /* This call will not return on failure. */
|
|---|
| 102 | __security_check_cookie(uCookie ^ uXorAddr);
|
|---|
| 103 |
|
|---|
| 104 | return ExceptionContinueSearch;
|
|---|
| 105 | }
|
|---|
| 106 |
|
|---|
