[llvm-bugs] [Bug 44049] New: Control Flow Guard checking code is corrupting function pointers
via llvm-bugs
llvm-bugs at lists.llvm.org
Mon Nov 18 12:41:43 PST 2019
https://bugs.llvm.org/show_bug.cgi?id=44049
Bug ID: 44049
Summary: Control Flow Guard checking code is corrupting function pointers
Product: new-bugs
Version: unspecified
Hardware: PC
OS: Windows NT
Status: NEW
Severity: enhancement
Priority: P
Component: new bugs
Assignee: unassignedbugs at nondot.org
Reporter: dmajor at mozilla.com
CC: froydnj at gmail.com, htmldeveloper at gmail.com, llvm-bugs at lists.llvm.org, rnk at google.com, tom at ritter.vg
With the improved CFG code in https://reviews.llvm.org/D65761, we see crashes
in Firefox because the inserted code overwrites the lower byte of function
pointers before jumping to them.
Without CFG:
xul!mozilla::AbstractCanonical<mozilla::Maybe<mozilla::media::TimeUnit> >::`vcall'{8}':
00000001`80c18c10 4883ec28 sub rsp,28h
00000001`80c18c14 4c8b11 mov r10,qword ptr [rcx]
00000001`80c18c17 4d8b5208 mov r10,qword ptr [r10+8]
00000001`80c18c1b 4883c428 add rsp,28h
00000001`80c18c1f 49ffe2 jmp r10
With CFG:
xul!mozilla::AbstractCanonical<double>::`vcall'{8}':
00007ffd`5936c090 4883ec28 sub rsp,28h
00007ffd`5936c094 4189c2 mov r10d,eax
00007ffd`5936c097 488b01 mov rax,qword ptr [rcx]
00007ffd`5936c09a 488b4008 mov rax,qword ptr [rax+8]
00007ffd`5936c09e 4c8b1d636f4d05 mov r11,qword ptr [xul!__guard_dispatch_icall_fptr (00007ffd`5e843008)]
00007ffd`5936c0a5 4488d0 mov al,r10b <--------------- ?!
00007ffd`5936c0a8 4883c428 add rsp,28h
00007ffd`5936c0ac 49ffe3 jmp r11
(Ignore the difference in function names; it's the same function with many names, and ICF chose different names for these builds.)
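As an added illustrative check, not code from the bug report or from LLVM: a small Python lint over windbg-style listings that flags exactly the defect shown above. It assumes the dispatch convention visible in the listing (the call target is loaded into rax, and the thunk pointer is loaded from __guard_dispatch_icall_fptr into a register that is then jumped through); the two listings are transcribed from the report, and the clean variant is constructed by dropping the r10 shuffle. The rule it enforces: between the last full write of rax and the jump through the thunk register, no instruction may write rax or one of its aliases.

```python
"""Lint for the codegen defect described in the report: once the call target
has been loaded into rax for the Control Flow Guard dispatch thunk, nothing may
write rax or any of its sub-registers (eax/ax/al/ah) before the jmp/call
through the thunk pointer.  Added example, not code from the report or LLVM."""
import re

# Registers that alias rax; a write to any of them changes the target address.
RAX_ALIASES = {"rax", "eax", "ax", "al", "ah"}

# windbg listing line: "<addr> <opcode bytes> <mnemonic> <operands>".
LINE_RE = re.compile(r"^\s*[0-9a-f`]+\s+[0-9a-f]+\s+([a-z]+)\s*(.*)$", re.IGNORECASE)

# Instructions whose first operand is written (enough for this listing shape).
WRITES_FIRST_OPERAND = {"mov", "movzx", "movsx", "lea", "add", "sub", "and",
                        "or", "xor", "shl", "shr", "pop"}


def parse_line(line):
    """Return (mnemonic, operands) for an instruction line, else None.
    Symbol lines such as "xul!...`vcall'{8}':" have no address and do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mnem = m.group(1).lower()
    # Drop trailing human annotations such as "<---- ?!".
    ops = re.split(r"\s*[<;]", m.group(2))[0].strip()
    return mnem, ops


def dest_register(mnem, ops):
    """Register written by the instruction, or None (memory destination / none)."""
    if mnem not in WRITES_FIRST_OPERAND:
        return None
    first = ops.split(",", 1)[0].strip().lower()
    return first if re.fullmatch(r"[a-z][a-z0-9]*", first) else None


def check_cfg_dispatch(listing, thunk_symbol="__guard_dispatch_icall_fptr"):
    """Return [(line_index, message)] for every write that clobbers part of the
    rax target between its load and the dispatch through the CFG thunk."""
    insns = []
    for idx, raw in enumerate(listing):
        parsed = parse_line(raw)
        if parsed:
            insns.append((idx, parsed))

    findings = []
    thunk_regs = set()  # registers holding the thunk pointer (r11 in the report)
    for pos, (idx, (mnem, ops)) in enumerate(insns):
        dst = dest_register(mnem, ops)
        if dst and thunk_symbol in ops:
            thunk_regs.add(dst)
            continue
        # The dispatch point is a jmp/call through the thunk register or
        # directly through the thunk pointer.
        if mnem not in ("jmp", "call"):
            continue
        if ops.lower() not in thunk_regs and thunk_symbol not in ops:
            continue
        # Walk back to the last full write of rax: that is the target load.
        load = next((b for b in range(pos - 1, -1, -1)
                     if dest_register(*insns[b][1]) == "rax"), None)
        if load is None:
            findings.append((idx, "dispatch without a prior load of the target into rax"))
            continue
        for mid in range(load + 1, pos):
            m_idx, (m_mnem, m_ops) = insns[mid]
            d = dest_register(m_mnem, m_ops)
            if d in RAX_ALIASES:
                findings.append((m_idx, f"'{m_mnem} {m_ops}' writes {d}, clobbering "
                                        f"the rax target before the dispatch on line {idx}"))
    return findings


# Listing transcribed from the report (the "With CFG" build).
BUGGY_LISTING = """\
00007ffd`5936c090 4883ec28        sub rsp,28h
00007ffd`5936c094 4189c2          mov r10d,eax
00007ffd`5936c097 488b01          mov rax,qword ptr [rcx]
00007ffd`5936c09a 488b4008        mov rax,qword ptr [rax+8]
00007ffd`5936c09e 4c8b1d636f4d05  mov r11,qword ptr [xul!__guard_dispatch_icall_fptr (00007ffd`5e843008)]
00007ffd`5936c0a5 4488d0          mov al,r10b
00007ffd`5936c0a8 4883c428        add rsp,28h
00007ffd`5936c0ac 49ffe3          jmp r11
""".splitlines()

# Listing transcribed from the report (the "Without CFG" build): no thunk, so
# there is no dispatch point to check.
NO_CFG_LISTING = """\
00000001`80c18c10 4883ec28        sub rsp,28h
00000001`80c18c14 4c8b11          mov r10,qword ptr [rcx]
00000001`80c18c17 4d8b5208        mov r10,qword ptr [r10+8]
00000001`80c18c1b 4883c428        add rsp,28h
00000001`80c18c1f 49ffe2          jmp r10
""".splitlines()

# Constructed, not from the report: the same thunk sequence with the r10/al
# shuffle removed, i.e. what a correct dispatch sequence looks like.
CLEAN_LISTING = [l for l in BUGGY_LISTING if "r10" not in l]

if __name__ == "__main__":
    for line_no, msg in check_cfg_dispatch(BUGGY_LISTING):
        print(f"line {line_no}: {msg}")
```

Run as-is it reports the single `mov al,r10b` line from the report; the clean and non-CFG listings produce no findings. The backward walk to the last full write of rax is what makes the check independent of how many loads precede the dispatch (two here: the vtable pointer, then the slot).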