From 936d9d6ca52d2ad87cf96107c756b75770dc8eb0 Mon Sep 17 00:00:00 2001
From: Taylor R Campbell
Date: Fri, 3 Dec 2021 21:52:28 +0000
Subject: [PATCH 1/3] runtime: Check %fs against %rsp across syscalls.
---
 src/syscall/asm_unix_amd64.s | 48 ++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
diff --git a/src/syscall/asm_unix_amd64.s b/src/syscall/asm_unix_amd64.s
index 8ee46b86b5..be8f2bf50a 100644
--- a/src/syscall/asm_unix_amd64.s
+++ b/src/syscall/asm_unix_amd64.s
@@ -17,26 +17,40 @@ TEXT ·Syscall(SB),NOSPLIT,$0-56
 CALL runtime·entersyscall(SB)
+ LEAQ (TLS), AX
+ PUSHQ AX
 MOVQ trap+0(FP), AX // syscall entry
 MOVQ a1+8(FP), DI
 MOVQ a2+16(FP), SI
 MOVQ a3+24(FP), DX
 SYSCALL
+ POPQ DI
 JCC ok
 MOVQ $-1, r1+32(FP) // r1
 MOVQ $0, r2+40(FP) // r2
 MOVQ AX, err+48(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad
 CALL runtime·exitsyscall(SB)
 RET
 ok:
 MOVQ AX, r1+32(FP) // r1
 MOVQ DX, r2+40(FP) // r2
 MOVQ $0, err+48(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad
 CALL runtime·exitsyscall(SB)
 RET
+bad:
+ CALL runtime·abort(SB)
+ RET
 TEXT ·Syscall6(SB),NOSPLIT,$0-80
 CALL runtime·entersyscall(SB)
+ LEAQ (TLS), AX
+ PUSHQ AX
 MOVQ trap+0(FP), AX // syscall entry
 MOVQ a1+8(FP), DI
 MOVQ a2+16(FP), SI
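Review bot: The pre-syscall witness is parked on the stack (`PUSHQ AX` before `SYSCALL`, `POPQ DI` after it), which is the one location the check cannot rely on if, as the subject line suggests, %fs and %rsp are being confused by the kernel: a wrong stack pointer on return pops something unrelated, so `CMPQ DI, SI` can fire for a stack fault or stay silent for a TLS one. If SYSCALL on the target kernel preserves every register other than AX, DX, CX and R11 (worth confirming for NetBSD), the witness can live in a register instead — load it into BX rather than AX, drop `PUSHQ AX` and `POPQ DI`, and compare with `CMPQ BX, SI` before `JNE bad` — which also removes the SP adjustment inside a NOSPLIT $0-56 frame. None of the added groups says what invariant they enforce; a comment such as `// TLS sanity check: the thread-local value read before SYSCALL must be unchanged afterwards; a mismatch means the kernel returned us on a different %fs base` above the first load would help the next reader. Syscall6 starts in this hunk and continues outside it.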
@@ -45,37 +59,61 @@ TEXT ·Syscall6(SB),NOSPLIT,$0-80
 MOVQ a5+40(FP), R8
 MOVQ a6+48(FP), R9
 SYSCALL
+ POPQ DI
 JCC ok6
 MOVQ $-1, r1+56(FP) // r1
 MOVQ $0, r2+64(FP) // r2
 MOVQ AX, err+72(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad6
 CALL runtime·exitsyscall(SB)
 RET
 ok6:
 MOVQ AX, r1+56(FP) // r1
 MOVQ DX, r2+64(FP) // r2
 MOVQ $0, err+72(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad6
 CALL runtime·exitsyscall(SB)
 RET
+bad6:
+ CALL runtime·abort(SB)
+ RET
 TEXT ·RawSyscall(SB),NOSPLIT,$0-56
+ LEAQ (TLS), AX
+ PUSHQ AX
 MOVQ a1+8(FP), DI
 MOVQ a2+16(FP), SI
 MOVQ a3+24(FP), DX
 MOVQ trap+0(FP), AX // syscall entry
 SYSCALL
+ POPQ DI
 JCC ok1
 MOVQ $-1, r1+32(FP) // r1
 MOVQ $0, r2+40(FP) // r2
 MOVQ AX, err+48(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad1
 RET
 ok1:
 MOVQ AX, r1+32(FP) // r1
 MOVQ DX, r2+40(FP) // r2
 MOVQ $0, err+48(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad1
+ RET
+bad1:
+ CALL runtime·abort(SB)
 RET
 TEXT ·RawSyscall6(SB),NOSPLIT,$0-80
+ LEAQ (TLS), AX
+ PUSHQ AX
 MOVQ a1+8(FP), DI
 MOVQ a2+16(FP), SI
 MOVQ a3+24(FP), DX
@@ -84,13 +122,23 @@ TEXT ·RawSyscall6(SB),NOSPLIT,$0-80
 MOVQ a6+48(FP), R9
 MOVQ trap+0(FP), AX // syscall entry
 SYSCALL
+ POPQ DI
 JCC ok2
 MOVQ $-1, r1+56(FP) // r1
 MOVQ $0, r2+64(FP) // r2
 MOVQ AX, err+72(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad2
 RET
 ok2:
 MOVQ AX, r1+56(FP) // r1
 MOVQ DX, r2+64(FP) // r2
 MOVQ $0, err+72(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad2
+ RET
+bad2:
+ CALL runtime·abort(SB)
 RET
From c44bd48feb95a8db53e1e0be703a9a989e41d63d Mon Sep 17 00:00:00 2001
From: Taylor R Campbell
Date: Sat, 4 Dec 2021 12:11:57 +0000
Subject: [PATCH 2/3] runtime: Check %fs:-8 against %rsp across syscalls.
---
 src/syscall/asm_unix_amd64.s | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/syscall/asm_unix_amd64.s b/src/syscall/asm_unix_amd64.s
index be8f2bf50a..28e169a3c4 100644
--- a/src/syscall/asm_unix_amd64.s
+++ b/src/syscall/asm_unix_amd64.s
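Review bot: In RawSyscall the compare only runs after the three result stores (`MOVQ $-1, r1+32(FP)` through `MOVQ AX, err+48(FP)`), and FP offsets are resolved by the assembler into SP-relative addresses, so if the stack pointer is what came back wrong the function has already written three words through it before `JNE bad1` can stop anything. Placing the three-instruction check directly after `JCC ok1` on the error path and directly after `ok1:` on the success path (it has to stay after the JCC, since CMPQ rewrites CF) makes the crash happen before any memory is touched; the same ordering applies to Syscall6 and RawSyscall6 on this line. RawSyscall has no entersyscall/exitsyscall bracket, so it is presumably the variant reached where the runtime must not be re-entered (the forked child, for instance), which is a reason to keep its `bad1` path on assembly-only routines.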
@@ -17,7 +17,7 @@ TEXT ·Syscall(SB),NOSPLIT,$0-56
 CALL runtime·entersyscall(SB)
- LEAQ (TLS), AX
+ MOVQ -8(TLS), AX
 PUSHQ AX
 MOVQ trap+0(FP), AX // syscall entry
 MOVQ a1+8(FP), DI
@@ -29,7 +29,7 @@ TEXT ·Syscall(SB),NOSPLIT,$0-56
 MOVQ $-1, r1+32(FP) // r1
 MOVQ $0, r2+40(FP) // r2
 MOVQ AX, err+48(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
 CMPQ DI, SI
 JNE bad
 CALL runtime·exitsyscall(SB)
@@ -38,7 +38,7 @@ ok:
 MOVQ AX, r1+32(FP) // r1
 MOVQ DX, r2+40(FP) // r2
 MOVQ $0, err+48(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
 CMPQ DI, SI
 JNE bad
 CALL runtime·exitsyscall(SB)
@@ -49,7 +49,7 @@ bad:
 TEXT ·Syscall6(SB),NOSPLIT,$0-80
 CALL runtime·entersyscall(SB)
- LEAQ (TLS), AX
+ MOVQ -8(TLS), AX
 PUSHQ AX
 MOVQ trap+0(FP), AX // syscall entry
 MOVQ a1+8(FP), DI
@@ -64,7 +64,7 @@ TEXT ·Syscall6(SB),NOSPLIT,$0-80
 MOVQ $-1, r1+56(FP) // r1
 MOVQ $0, r2+64(FP) // r2
 MOVQ AX, err+72(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
 CMPQ DI, SI
 JNE bad6
 CALL runtime·exitsyscall(SB)
@@ -73,7 +73,7 @@ ok6:
 MOVQ AX, r1+56(FP) // r1
 MOVQ DX, r2+64(FP) // r2
 MOVQ $0, err+72(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
 CMPQ DI, SI
 JNE bad6
 CALL runtime·exitsyscall(SB)
@@ -83,7 +83,7 @@ bad6:
 RET
 TEXT ·RawSyscall(SB),NOSPLIT,$0-56
- LEAQ (TLS), AX
+ MOVQ -8(TLS), AX
 PUSHQ AX
 MOVQ a1+8(FP), DI
 MOVQ a2+16(FP), SI
@@ -95,7 +95,7 @@ TEXT ·RawSyscall(SB),NOSPLIT,$0-56
 MOVQ $-1, r1+32(FP) // r1
 MOVQ $0, r2+40(FP) // r2
 MOVQ AX, err+48(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
 CMPQ DI, SI
 JNE bad1
 RET
@@ -103,7 +103,7 @@ ok1:
 MOVQ AX, r1+32(FP) // r1
 MOVQ DX, r2+40(FP) // r2
 MOVQ $0, err+48(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
 CMPQ DI, SI
 JNE bad1
 RET
@@ -112,7 +112,7 @@ bad1:
 RET
 TEXT ·RawSyscall6(SB),NOSPLIT,$0-80
- LEAQ (TLS), AX
+ MOVQ -8(TLS), AX
 PUSHQ AX
 MOVQ a1+8(FP), DI
 MOVQ a2+16(FP), SI
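Review bot: `MOVQ -8(TLS), AX` bakes the runtime's TLS layout — the slot at %fs:-8, presumably the one holding the current g — into package syscall as a bare number, repeated at twelve sites across these hunks. The runtime keeps that knowledge behind the `get_tls(r)`/`g(r)` macros in go_tls.h; if that header cannot be included from syscall's assembly, the offset should at least be named once with its provenance, `#define G_SLOT -8(TLS) // current g; must track runtime/go_tls.h`, and the repeated load/compare/branch collapsed into `#define CHECK_G(bad) MOVQ G_SLOT, SI; CMPQ DI, SI; JNE bad`, so that a future change to the TLS layout is a one-line edit instead of twelve. Every hunk on this line is a seven-line window; the enclosing Syscall, Syscall6, RawSyscall and RawSyscall6 bodies start and end outside it.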
@@ -127,7 +127,7 @@ TEXT ·RawSyscall6(SB),NOSPLIT,$0-80
 MOVQ $-1, r1+56(FP) // r1
 MOVQ $0, r2+64(FP) // r2
 MOVQ AX, err+72(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
 CMPQ DI, SI
 JNE bad2
 RET
@@ -135,7 +135,7 @@ ok2:
 MOVQ AX, r1+56(FP) // r1
 MOVQ DX, r2+64(FP) // r2
 MOVQ $0, err+72(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
 CMPQ DI, SI
 JNE bad2
 RET
From faf4e302c9ed06f8bf8bcdb01ed3dbc95558c849 Mon Sep 17 00:00:00 2001
From: Taylor R Campbell
Date: Sat, 4 Dec 2021 12:19:23 +0000
Subject: [PATCH 3/3] runtime: Crash %fs checks with runtime.crash, not runtime.abort.
Should lead more directly to a core dump.
---
 src/syscall/asm_unix_amd64.s | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/syscall/asm_unix_amd64.s b/src/syscall/asm_unix_amd64.s
index 28e169a3c4..2cbcf2c391 100644
--- a/src/syscall/asm_unix_amd64.s
+++ b/src/syscall/asm_unix_amd64.s
@@ -44,7 +44,7 @@ ok:
 CALL runtime·exitsyscall(SB)
 RET
 bad:
- CALL runtime·abort(SB)
+ CALL runtime·crash(SB)
 RET
 TEXT ·Syscall6(SB),NOSPLIT,$0-80
@@ -79,7 +79,7 @@ ok6:
 CALL runtime·exitsyscall(SB)
 RET
 bad6:
- CALL runtime·abort(SB)
+ CALL runtime·crash(SB)
 RET
 TEXT ·RawSyscall(SB),NOSPLIT,$0-56
@@ -108,7 +108,7 @@ ok1:
 JNE bad1
 RET
 bad1:
- CALL runtime·abort(SB)
+ CALL runtime·crash(SB)
 RET
 TEXT ·RawSyscall6(SB),NOSPLIT,$0-80
@@ -140,5 +140,5 @@ ok2:
 JNE bad2
 RET
 bad2:
- CALL runtime·abort(SB)
+ CALL runtime·crash(SB)
 RET
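Review bot: `CALL runtime·crash(SB)` enters a Go function at the very moment the check has concluded that the g reachable through TLS is not the one this thread started with; unless crash is nosplit (not visible here), its prologue re-reads g from TLS for the stack-bound check, so with a wrong %fs the call can fault, run morestack on a foreign g or spin before dieFromSignal ever raises SIGABRT, and on the way it overwrites DI and SI, the old and new witness values a core dump should show. `runtime·abort` is an assembly routine with no prologue, which is what made it the safer landing point; if a SIGABRT core is the goal, the asm can raise it itself, for example a raw `SYSCALL` of kill(getpid(), SIGABRT) from the `bad` labels, after parking DI and SI somewhere the dump will find them. Separately, crash has no assembly definition, so unless the runtime exports it to ABI0 an ABI0 reference from another package's asm may not link under the ABI-wrapper scheme — a build will tell. The `bad`, `bad6`, `bad1` and `bad2` labels are visible, but the functions they belong to lie outside these hunks.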