[CRIU] [PATCH 1/4] pie/x86_64: syscall clobbers rcx and r11

Tycho Andersen tycho.andersen at canonical.com
Mon Jun 15 14:50:34 PDT 2015 

o_O this is one of those "how has nobody ever hit this" bugs.

According to:

http://stackoverflow.com/questions/2535989/what-are-the-calling-conventions-for-unix-linux-system-calls-on-x86-64

syscall on x86_64 clobbers rcx and r11. We should mark these registers as
clobbered in RUN_CLONE_RESTORE_FN so that gcc avoids using them, e.g.:

...<__export_restore_task>
    ...
    1894: 49 89 db              mov    r11,rbx
    1897: 4c 8d 4c 24 60        lea    r9,[rsp+0x60]
    189c: 48 89 eb              mov    rbx,rbp
    189f: 48 89 44 24 10        mov    QWORD PTR [rsp+0x10],rax
    18a4: 48 8d 44 24 30        lea    rax,[rsp+0x30]
    18a9: 48 89 44 24 18        mov    QWORD PTR [rsp+0x18],rax
    18ae: eb 53                 jmp    1903 <clone_end+0x15>

00000000000018b0 <clone_emul>:
    18b0: 48 8b 74 24 08        mov    rsi,QWORD PTR [rsp+0x8]
    18b5: 48 83 ee 10           sub    rsi,0x10
    18b9: 48 89 ef              mov    rdi,rbp
    18bc: 48 89 7e 08           mov    QWORD PTR [rsi+0x8],rdi
    18c0: 49 8b 7b 20           mov    rdi,QWORD PTR [r11+0x20]
    18c4: 48 89 3e              mov    QWORD PTR [rsi],rdi
    18c7: 48 c7 c7 00 0d 05 00  mov    rdi,0x50d00
    18ce: 48 8b 54 24 18        mov    rdx,QWORD PTR [rsp+0x18]
    18d3: 4d 89 fa              mov    r10,r15
    18d6: b8 38 00 00 00        mov    eax,0x38
    18db: 0f 05                 syscall
    18dd: 48 85 c0              test   rax,rax
    18e0: 74 05                 je     18e7 <thread_run>
    18e2: 48 89 c5              mov    rbp,rax
    18e5: eb 07                 jmp    18ee <clone_end>

00000000000018e7 <thread_run>:
    18e7: 48 31 ed              xor    rbp,rbp
    18ea: 58                    pop    rax
    18eb: 5f                    pop    rdi
    18ec: ff d0                 call   rax

00000000000018ee <clone_end>:
    18ee: 41 83 c5 01           add    r13d,0x1
    18f2: 49 81 c7 00 8c 00 00  add    r15,0x8c00
    18f9: 45 39 6b 14           cmp    DWORD PTR [r11+0x14],r13d

will cause a seg fault because r11 is clobbered.

Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
 arch/x86/include/asm/restorer.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/restorer.h b/arch/x86/include/asm/restorer.h
index 2c20ec0..2021c41 100644
--- a/arch/x86/include/asm/restorer.h
+++ b/arch/x86/include/asm/restorer.h
@@ -119,7 +119,7 @@ struct rt_sigframe {
 		       "g"(&thread_args[i].pid),			\
 		       "g"(clone_restore_fn),				\
 		       "g"(&thread_args[i])				\
-		     : "rax", "rdi", "rsi", "rdx", "r10", "memory")
+		     : "rax", "rcx", "rdi", "rsi", "rdx", "r10", "r11", "memory")
 
 #define ARCH_FAIL_CORE_RESTORE					\
 	asm volatile(						\
-- 
2.1.4

More information about the CRIU mailing list