From 936d9d6ca52d2ad87cf96107c756b75770dc8eb0 Mon Sep 17 00:00:00 2001
From: Taylor R Campbell
Date: Fri, 3 Dec 2021 21:52:28 +0000
Subject: [PATCH 1/4] runtime: Check %fs against %rsp across syscalls.

---
src/syscall/asm_unix_amd64.s | 48 ++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)

diff --git a/src/syscall/asm_unix_amd64.s b/src/syscall/asm_unix_amd64.s
index 8ee46b86b5..be8f2bf50a 100644
--- a/src/syscall/asm_unix_amd64.s
+++ b/src/syscall/asm_unix_amd64.s
@@ -17,26 +17,40 @@
TEXT ·Syscall(SB),NOSPLIT,$0-56
CALL runtime·entersyscall(SB)
+ LEAQ (TLS), AX
+ PUSHQ AX
MOVQ trap+0(FP), AX // syscall entry
MOVQ a1+8(FP), DI
MOVQ a2+16(FP), SI
MOVQ a3+24(FP), DX
SYSCALL
+ POPQ DI
JCC ok
MOVQ $-1, r1+32(FP) // r1
MOVQ $0, r2+40(FP) // r2
MOVQ AX, err+48(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad
CALL runtime·exitsyscall(SB)
RET
ok:
MOVQ AX, r1+32(FP) // r1
MOVQ DX, r2+40(FP) // r2
MOVQ $0, err+48(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad
CALL runtime·exitsyscall(SB)
RET
+bad:
+ CALL runtime·abort(SB)
+ RET
TEXT ·Syscall6(SB),NOSPLIT,$0-80
CALL runtime·entersyscall(SB)
+ LEAQ (TLS), AX
+ PUSHQ AX
MOVQ trap+0(FP), AX // syscall entry
MOVQ a1+8(FP), DI
MOVQ a2+16(FP), SI
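Review bot: `LEAQ (TLS), AX` at the top of this hunk (and the `LEAQ (TLS), SI` before each `CMPQ DI, SI`) takes the effective address of a segment-relative operand; LEA ignores the segment base, so on targets where the assembler lowers `(TLS)` to a `%fs:`-prefixed displacement the pushed value is a link-time constant rather than anything per-thread, and the compare can never fire. The second patch in this series switches these to a MOVQ load, which addresses that; whichever form stays, a comment at the PUSHQ saying what is being guarded would help, e.g. `PUSHQ AX // saved TLS witness; must survive the SYSCALL unchanged`. Note also that `trap+0(FP)` … `a3+24(FP)` are read while the extra word is on the stack, which relies on the assembler's push/pop SP tracking adjusting FP-relative references in this `$0` NOSPLIT frame — I believe it does, but the next reader will want that stated. The same pattern appears in the hunks for Syscall6, RawSyscall and RawSyscall6 that follow.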
@@ -45,37 +59,61 @@ TEXT ·Syscall6(SB),NOSPLIT,$0-80
MOVQ a5+40(FP), R8
MOVQ a6+48(FP), R9
SYSCALL
+ POPQ DI
JCC ok6
MOVQ $-1, r1+56(FP) // r1
MOVQ $0, r2+64(FP) // r2
MOVQ AX, err+72(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad6
CALL runtime·exitsyscall(SB)
RET
ok6:
MOVQ AX, r1+56(FP) // r1
MOVQ DX, r2+64(FP) // r2
MOVQ $0, err+72(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad6
CALL runtime·exitsyscall(SB)
RET
+bad6:
+ CALL runtime·abort(SB)
+ RET
TEXT ·RawSyscall(SB),NOSPLIT,$0-56
+ LEAQ (TLS), AX
+ PUSHQ AX
MOVQ a1+8(FP), DI
MOVQ a2+16(FP), SI
MOVQ a3+24(FP), DX
MOVQ trap+0(FP), AX // syscall entry
SYSCALL
+ POPQ DI
JCC ok1
MOVQ $-1, r1+32(FP) // r1
MOVQ $0, r2+40(FP) // r2
MOVQ AX, err+48(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad1
RET
ok1:
MOVQ AX, r1+32(FP) // r1
MOVQ DX, r2+40(FP) // r2
MOVQ $0, err+48(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad1
+ RET
+bad1:
+ CALL runtime·abort(SB)
RET
TEXT ·RawSyscall6(SB),NOSPLIT,$0-80
+ LEAQ (TLS), AX
+ PUSHQ AX
MOVQ a1+8(FP), DI
MOVQ a2+16(FP), SI
MOVQ a3+24(FP), DX
@@ -84,13 +122,23 @@ TEXT ·RawSyscall6(SB),NOSPLIT,$0-80
MOVQ a6+48(FP), R9
MOVQ trap+0(FP), AX // syscall entry
SYSCALL
+ POPQ DI
JCC ok2
MOVQ $-1, r1+56(FP) // r1
MOVQ $0, r2+64(FP) // r2
MOVQ AX, err+72(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad2
RET
ok2:
MOVQ AX, r1+56(FP) // r1
MOVQ DX, r2+64(FP) // r2
MOVQ $0, err+72(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad2
+ RET
+bad2:
+ CALL runtime·abort(SB)
RET

From c44bd48feb95a8db53e1e0be703a9a989e41d63d Mon Sep 17 00:00:00 2001
From: Taylor R Campbell
Date: Sat, 4 Dec 2021 12:11:57 +0000
Subject: [PATCH 2/4] runtime: Check %fs:-8 against %rsp across syscalls.

---
src/syscall/asm_unix_amd64.s | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/syscall/asm_unix_amd64.s b/src/syscall/asm_unix_amd64.s
index be8f2bf50a..28e169a3c4 100644
--- a/src/syscall/asm_unix_amd64.s
+++ b/src/syscall/asm_unix_amd64.s
@@ -17,7 +17,7 @@
TEXT ·Syscall(SB),NOSPLIT,$0-56
CALL runtime·entersyscall(SB)
- LEAQ (TLS), AX
+ MOVQ -8(TLS), AX
PUSHQ AX
MOVQ trap+0(FP), AX // syscall entry
MOVQ a1+8(FP), DI
@@ -29,7 +29,7 @@ TEXT ·Syscall(SB),NOSPLIT,$0-56
MOVQ $-1, r1+32(FP) // r1
MOVQ $0, r2+40(FP) // r2
MOVQ AX, err+48(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
CMPQ DI, SI
JNE bad
CALL runtime·exitsyscall(SB)
@@ -38,7 +38,7 @@ ok:
MOVQ AX, r1+32(FP) // r1
MOVQ DX, r2+40(FP) // r2
MOVQ $0, err+48(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
CMPQ DI, SI
JNE bad
CALL runtime·exitsyscall(SB)
@@ -49,7 +49,7 @@ bad:
TEXT ·Syscall6(SB),NOSPLIT,$0-80
CALL runtime·entersyscall(SB)
- LEAQ (TLS), AX
+ MOVQ -8(TLS), AX
PUSHQ AX
MOVQ trap+0(FP), AX // syscall entry
MOVQ a1+8(FP), DI
@@ -64,7 +64,7 @@ TEXT ·Syscall6(SB),NOSPLIT,$0-80
MOVQ $-1, r1+56(FP) // r1
MOVQ $0, r2+64(FP) // r2
MOVQ AX, err+72(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
CMPQ DI, SI
JNE bad6
CALL runtime·exitsyscall(SB)
@@ -73,7 +73,7 @@ ok6:
MOVQ AX, r1+56(FP) // r1
MOVQ DX, r2+64(FP) // r2
MOVQ $0, err+72(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
CMPQ DI, SI
JNE bad6
CALL runtime·exitsyscall(SB)
@@ -83,7 +83,7 @@ bad6:
RET
TEXT ·RawSyscall(SB),NOSPLIT,$0-56
- LEAQ (TLS), AX
+ MOVQ -8(TLS), AX
PUSHQ AX
MOVQ a1+8(FP), DI
MOVQ a2+16(FP), SI
@@ -95,7 +95,7 @@ TEXT ·RawSyscall(SB),NOSPLIT,$0-56
MOVQ $-1, r1+32(FP) // r1
MOVQ $0, r2+40(FP) // r2
MOVQ AX, err+48(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
CMPQ DI, SI
JNE bad1
RET
@@ -103,7 +103,7 @@ ok1:
MOVQ AX, r1+32(FP) // r1
MOVQ DX, r2+40(FP) // r2
MOVQ $0, err+48(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
CMPQ DI, SI
JNE bad1
RET
@@ -112,7 +112,7 @@ bad1:
RET
TEXT ·RawSyscall6(SB),NOSPLIT,$0-80
- LEAQ (TLS), AX
+ MOVQ -8(TLS), AX
PUSHQ AX
MOVQ a1+8(FP), DI
MOVQ a2+16(FP), SI
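Review bot: Whether `MOVQ -8(TLS), AX` actually reads `%fs:-8`, as the subject says, should be confirmed in the linked object's disassembly before this check is relied on. The assembler emits `(TLS)`-relative displacements through a TLS relocation that the linker completes with the platform's TLS offset — on ELF/amd64 the runtime's `g` already lives at `0(TLS)`, which I believe is the `%fs:-8` slot — so `-8(TLS)` may well resolve to `%fs:-16`, the word below `g`, and the compare would then be watching an unrelated slot. If `g` is the intended witness, `MOVQ 0(TLS), AX` (or the runtime's `get_tls`/`g(r)` macros) says so unambiguously. This applies to all twelve replacements in this patch, including the two hunks in the next chunk.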
@@ -127,7 +127,7 @@ TEXT ·RawSyscall6(SB),NOSPLIT,$0-80
MOVQ $-1, r1+56(FP) // r1
MOVQ $0, r2+64(FP) // r2
MOVQ AX, err+72(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
CMPQ DI, SI
JNE bad2
RET
@@ -135,7 +135,7 @@ ok2:
MOVQ AX, r1+56(FP) // r1
MOVQ DX, r2+64(FP) // r2
MOVQ $0, err+72(FP) // errno
- LEAQ (TLS), SI
+ MOVQ -8(TLS), SI
CMPQ DI, SI
JNE bad2
RET

From faf4e302c9ed06f8bf8bcdb01ed3dbc95558c849 Mon Sep 17 00:00:00 2001
From: Taylor R Campbell
Date: Sat, 4 Dec 2021 12:19:23 +0000
Subject: [PATCH 3/4] runtime: Crash %fs checks with runtime.crash, not runtime.abort.

Should lead more directly to a core dump.

---
src/syscall/asm_unix_amd64.s | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/syscall/asm_unix_amd64.s b/src/syscall/asm_unix_amd64.s
index 28e169a3c4..2cbcf2c391 100644
--- a/src/syscall/asm_unix_amd64.s
+++ b/src/syscall/asm_unix_amd64.s
@@ -44,7 +44,7 @@ ok:
CALL runtime·exitsyscall(SB)
RET
bad:
- CALL runtime·abort(SB)
+ CALL runtime·crash(SB)
RET
TEXT ·Syscall6(SB),NOSPLIT,$0-80
@@ -79,7 +79,7 @@ ok6:
CALL runtime·exitsyscall(SB)
RET
bad6:
- CALL runtime·abort(SB)
+ CALL runtime·crash(SB)
RET
TEXT ·RawSyscall(SB),NOSPLIT,$0-56
@@ -108,7 +108,7 @@ ok1:
JNE bad1
RET
bad1:
- CALL runtime·abort(SB)
+ CALL runtime·crash(SB)
RET
TEXT ·RawSyscall6(SB),NOSPLIT,$0-80
@@ -140,5 +140,5 @@ ok2:
JNE bad2
RET
bad2:
- CALL runtime·abort(SB)
+ CALL runtime·crash(SB)
RET

From 242b904a99b2a48719c9d42e0e00841b6c1acdbb Mon Sep 17 00:00:00 2001
From: Taylor R Campbell
Date: Sun, 5 Dec 2021 16:19:59 +0000
Subject: [PATCH 4/4] runtime: Check movq %fs:-8 across each enter/exitsyscall too.

---
src/syscall/asm_unix_amd64.s | 56 +++++++++++++++++++++++++-----------
1 file changed, 40 insertions(+), 16 deletions(-)

diff --git a/src/syscall/asm_unix_amd64.s b/src/syscall/asm_unix_amd64.s
index 2cbcf2c391..490e802648 100644
--- a/src/syscall/asm_unix_amd64.s
+++ b/src/syscall/asm_unix_amd64.s
@@ -16,41 +16,56 @@
// Trap # in AX, args in DI SI DX, return in AX DX
TEXT ·Syscall(SB),NOSPLIT,$0-56
+ MOVQ -8(TLS), AX
+ MOVQ AX, r1+32(FP)
CALL runtime·entersyscall(SB)
MOVQ -8(TLS), AX
- PUSHQ AX
+ CMPQ r1+32(FP), AX
+ JNE bad
MOVQ trap+0(FP), AX // syscall entry
MOVQ a1+8(FP), DI
MOVQ a2+16(FP), SI
MOVQ a3+24(FP), DX
SYSCALL
- POPQ DI
JCC ok
- MOVQ $-1, r1+32(FP) // r1
+// MOVQ $-1, r1+32(FP) // r1 --> moved below
MOVQ $0, r2+40(FP) // r2
MOVQ AX, err+48(FP) // errno
- MOVQ -8(TLS), SI
- CMPQ DI, SI
+ MOVQ -8(TLS), AX
+ CMPQ r1+32(FP), AX
JNE bad
CALL runtime·exitsyscall(SB)
+ MOVQ -8(TLS), AX
+ CMPQ r1+32(FP), AX
+ JNE bad
+ MOVQ $-1, r1+32(FP) // r1
RET
ok:
+ MOVQ r1+32(FP), SI
+ MOVQ SI, err+48(FP)
MOVQ AX, r1+32(FP) // r1
MOVQ DX, r2+40(FP) // r2
- MOVQ $0, err+48(FP) // errno
- MOVQ -8(TLS), SI
- CMPQ DI, SI
+// MOVQ $0, err+48(FP) // errno --> moved below
+ MOVQ -8(TLS), AX
+ CMPQ err+48(FP), AX
JNE bad
CALL runtime·exitsyscall(SB)
+ MOVQ -8(TLS), AX
+ CMPQ err+48(FP), AX
+ JNE bad
+ MOVQ $0, err+48(FP) // errno
RET
bad:
CALL runtime·crash(SB)
RET
TEXT ·Syscall6(SB),NOSPLIT,$0-80
+ MOVQ -8(TLS), AX
+ MOVQ AX, r1+56(FP)
CALL runtime·entersyscall(SB)
MOVQ -8(TLS), AX
- PUSHQ AX
+ CMPQ r1+56(FP), AX
+ JNE bad6
MOVQ trap+0(FP), AX // syscall entry
MOVQ a1+8(FP), DI
MOVQ a2+16(FP), SI
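Review bot: The new code parks the value read from `-8(TLS)` in the caller's result slots (`r1+32(FP)`, then `err+48(FP)` on the `ok:` path) and writes the real results only after the last compare, but nothing in the hunk says so; that ordering is load-bearing, and the two `+// MOVQ … --> moved below` lines are commented-out instructions rather than an explanation. I would drop those two lines and put one comment at the top of the function, e.g. `// r1 (err after ok:) holds the -8(TLS) value read on entry until the final check; real results are stored last`, with a short matching remark at the `MOVQ $-1, r1+32(FP)` and `MOVQ $0, err+48(FP)` stores. A local in a `$8-56` frame would keep the result slots honest, though it changes the NOSPLIT stack budget of this function, so the comment may be the better trade. The Syscall6 prologue at the end of this hunk and the next hunk follow the same layout.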
@@ -59,24 +74,33 @@ TEXT ·Syscall6(SB),NOSPLIT,$0-80
MOVQ a5+40(FP), R8
MOVQ a6+48(FP), R9
SYSCALL
- POPQ DI
JCC ok6
- MOVQ $-1, r1+56(FP) // r1
+// MOVQ $-1, r1+56(FP) // r1 --> moved below
MOVQ $0, r2+64(FP) // r2
MOVQ AX, err+72(FP) // errno
- MOVQ -8(TLS), SI
- CMPQ DI, SI
+ MOVQ -8(TLS), AX
+ CMPQ r1+56(FP), AX
JNE bad6
CALL runtime·exitsyscall(SB)
+ MOVQ -8(TLS), AX
+ CMPQ r1+56(SP), AX
+ JNE bad6
+ MOVQ $-1, r1+56(FP) // r1
RET
ok6:
+ MOVQ r1+56(FP), SI
+ MOVQ SI, err+72(FP)
MOVQ AX, r1+56(FP) // r1
MOVQ DX, r2+64(FP) // r2
- MOVQ $0, err+72(FP) // errno
- MOVQ -8(TLS), SI
- CMPQ DI, SI
+// MOVQ $0, err+72(FP) // errno --> moved below
+ MOVQ -8(TLS), AX
+ CMPQ err+72(FP), AX
JNE bad6
CALL runtime·exitsyscall(SB)
+ MOVQ -8(TLS), AX
+ CMPQ err+72(FP), AX
+ JNE bad6
+ MOVQ $0, err+72(FP) // errno
RET
bad6:
CALL runtime·crash(SB)
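Review bot: `CMPQ r1+56(SP), AX` after `CALL runtime·exitsyscall(SB)` on the error path compares against a different stack slot from the `r1+56(FP)` every other check in this patch uses. In a `$0` frame pseudo-FP sits 8 bytes above hardware SP (past the return address), so `r1+56(SP)` should land on the `a6+48(FP)` argument rather than on the saved TLS value, and the error path would then take `bad6` and crash on essentially every failing Syscall6. Change it to `CMPQ r1+56(FP), AX`; `go vet` (asmdecl) should also flag the stray SP reference.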