VirtualBox

source: vbox/trunk/src/VBox/VMM/VMMR0/VMMR0JmpA-amd64.asm@ 90638

Last change on this file since 90638 was 90189, checked in by vboxsync, 3 years ago

VMM: Make the setjmp code a bit stricter with when to resume a call. bugref:10064 ticketref:20090 ticketref:20456

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id Revision
File size: 14.9 KB
Line 
1; $Id: VMMR0JmpA-amd64.asm 90189 2021-07-14 16:39:09Z vboxsync $
2;; @file
3; VMM - R0 SetJmp / LongJmp routines for AMD64.
4;
5
6;
7; Copyright (C) 2006-2020 Oracle Corporation
8;
9; This file is part of VirtualBox Open Source Edition (OSE), as
10; available from http://www.virtualbox.org. This file is free software;
11; you can redistribute it and/or modify it under the terms of the GNU
12; General Public License (GPL) as published by the Free Software
13; Foundation, in version 2 as it comes in the "COPYING" file of the
14; VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15; hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16;
17
18;*******************************************************************************
19;* Header Files *
20;*******************************************************************************
21%define RT_ASM_WITH_SEH64_ALT
22%include "VBox/asmdefs.mac"
23%include "VMMInternal.mac"
24%include "VBox/err.mac"
25%include "VBox/param.mac"
26
27
28;*******************************************************************************
29;* Defined Constants And Macros *
30;*******************************************************************************
31%define RESUME_MAGIC 07eadf00dh
32%define STACK_PADDING 0eeeeeeeeeeeeeeeeh
33
34;; Workaround for linux 4.6 fast/slow syscall stack depth difference.
35;; Update: This got worse with linux 5.13 and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT.
36;; The x86 arch_exit_to_user_mode_prepare code limits the offset to 255,
37;; while the generic limit is 1023. See bugref:10064 for details.
38%ifdef VMM_R0_SWITCH_STACK
39 %define STACK_FUZZ_SIZE 0
40%else
41 %ifdef RT_OS_LINUX
42 %define STACK_FUZZ_SIZE 384
43 %else
44 %define STACK_FUZZ_SIZE 128
45 %endif
46%endif
47
48
49BEGINCODE
50
51
52;;
53; The setjmp variant used for calling Ring-3.
54;
55; This differs from the normal setjmp in that it will resume VMMRZCallRing3 if we're
56; in the middle of a ring-3 call. Another differences is the function pointer and
57; argument. This has to do with resuming code and the stack frame of the caller.
58;
59; @returns VINF_SUCCESS on success or whatever is passed to vmmR0CallRing3LongJmp.
60; @param pJmpBuf msc:rcx gcc:rdi x86:[esp+0x04] Our jmp_buf.
61; @param pfn msc:rdx gcc:rsi x86:[esp+0x08] The function to be called when not resuming.
62; @param pvUser1 msc:r8 gcc:rdx x86:[esp+0x0c] The argument of that function.
63; @param pvUser2 msc:r9 gcc:rcx x86:[esp+0x10] The argument of that function.
64;
65GLOBALNAME vmmR0CallRing3SetJmp2
66GLOBALNAME vmmR0CallRing3SetJmpEx
67BEGINPROC vmmR0CallRing3SetJmp
68 ;
69 ; Save the registers.
70 ;
71 push rbp
72 SEH64_PUSH_xBP
73 mov rbp, rsp
74 SEH64_SET_FRAME_xBP 0
75 %ifdef ASM_CALL64_MSC
76 sub rsp, 30h + STACK_FUZZ_SIZE ; (10h is used by resume (??), 20h for callee spill area)
77 SEH64_ALLOCATE_STACK 30h + STACK_FUZZ_SIZE
78SEH64_END_PROLOGUE
79 mov r11, rdx ; pfn
80 mov rdx, rcx ; pJmpBuf;
81 %else
82 sub rsp, 10h + STACK_FUZZ_SIZE ; (10h is used by resume (??))
83 SEH64_ALLOCATE_STACK 10h + STACK_FUZZ_SIZE
84SEH64_END_PROLOGUE
85 mov r8, rdx ; pvUser1 (save it like MSC)
86 mov r9, rcx ; pvUser2 (save it like MSC)
87 mov r11, rsi ; pfn
88 mov rdx, rdi ; pJmpBuf
89 %endif
90 mov [xDX + VMMR0JMPBUF.rbx], rbx
91 %ifdef ASM_CALL64_MSC
92 mov [xDX + VMMR0JMPBUF.rsi], rsi
93 mov [xDX + VMMR0JMPBUF.rdi], rdi
94 %endif
95 mov [xDX + VMMR0JMPBUF.rbp], rbp
96 mov [xDX + VMMR0JMPBUF.r12], r12
97 mov [xDX + VMMR0JMPBUF.r13], r13
98 mov [xDX + VMMR0JMPBUF.r14], r14
99 mov [xDX + VMMR0JMPBUF.r15], r15
100 mov xAX, [rbp + 8] ; (not really necessary, except for validity check)
101 mov [xDX + VMMR0JMPBUF.rip], xAX
102 %ifdef ASM_CALL64_MSC
103 lea r10, [rsp + 20h] ; must save the spill area
104 %else
105 lea r10, [rsp]
106 %endif
107 mov [xDX + VMMR0JMPBUF.rsp], r10
108 %ifdef RT_OS_WINDOWS
109 movdqa [xDX + VMMR0JMPBUF.xmm6], xmm6
110 movdqa [xDX + VMMR0JMPBUF.xmm7], xmm7
111 movdqa [xDX + VMMR0JMPBUF.xmm8], xmm8
112 movdqa [xDX + VMMR0JMPBUF.xmm9], xmm9
113 movdqa [xDX + VMMR0JMPBUF.xmm10], xmm10
114 movdqa [xDX + VMMR0JMPBUF.xmm11], xmm11
115 movdqa [xDX + VMMR0JMPBUF.xmm12], xmm12
116 movdqa [xDX + VMMR0JMPBUF.xmm13], xmm13
117 movdqa [xDX + VMMR0JMPBUF.xmm14], xmm14
118 movdqa [xDX + VMMR0JMPBUF.xmm15], xmm15
119 %endif
120 pushf
121 pop xAX
122 mov [xDX + VMMR0JMPBUF.rflags], xAX
123
124 ;
125 ; If we're not in a ring-3 call, call pfn and return.
126 ;
127 test byte [xDX + VMMR0JMPBUF.fInRing3Call], 1
128 jnz .resume
129
130.different_call_continue:
131 mov [xDX + VMMR0JMPBUF.pfn], r11
132 mov [xDX + VMMR0JMPBUF.pvUser1], r8
133 mov [xDX + VMMR0JMPBUF.pvUser2], r9
134
135 %ifdef VMM_R0_SWITCH_STACK
136 mov r15, [xDX + VMMR0JMPBUF.pvSavedStack]
137 test r15, r15
138 jz .entry_error
139 %ifdef VBOX_STRICT
140 cmp dword [r15], 0h
141 jne .entry_error
142 mov rdi, r15
143 mov rcx, VMM_STACK_SIZE / 8
144 mov rax, qword 0eeeeeeeffeeeeeeeh
145 repne stosq
146 mov [rdi - 10h], rbx
147 %endif
148 lea r15, [r15 + VMM_STACK_SIZE - 40h]
149 mov rsp, r15 ; Switch stack!
150 %endif ; VMM_R0_SWITCH_STACK
151
152 mov r12, rdx ; Save pJmpBuf.
153 %ifdef ASM_CALL64_MSC
154 mov rcx, r8 ; pvUser -> arg0
155 mov rdx, r9
156 %else
157 mov rdi, r8 ; pvUser -> arg0
158 mov rsi, r9
159 %endif
160 call r11
161 mov rdx, r12 ; Restore pJmpBuf
162
163 %ifdef VMM_R0_SWITCH_STACK
164 %ifdef VBOX_STRICT
165 mov r15, [xDX + VMMR0JMPBUF.pvSavedStack]
166 mov dword [r15], 0h ; Reset the marker
167 %endif
168 %endif
169
170 ;
171 ; Return like in the long jump but clear eip, no shortcuts here.
172 ;
173.proper_return:
174%ifdef RT_OS_WINDOWS
175 movdqa xmm6, [xDX + VMMR0JMPBUF.xmm6 ]
176 movdqa xmm7, [xDX + VMMR0JMPBUF.xmm7 ]
177 movdqa xmm8, [xDX + VMMR0JMPBUF.xmm8 ]
178 movdqa xmm9, [xDX + VMMR0JMPBUF.xmm9 ]
179 movdqa xmm10, [xDX + VMMR0JMPBUF.xmm10]
180 movdqa xmm11, [xDX + VMMR0JMPBUF.xmm11]
181 movdqa xmm12, [xDX + VMMR0JMPBUF.xmm12]
182 movdqa xmm13, [xDX + VMMR0JMPBUF.xmm13]
183 movdqa xmm14, [xDX + VMMR0JMPBUF.xmm14]
184 movdqa xmm15, [xDX + VMMR0JMPBUF.xmm15]
185%endif
186 mov rbx, [xDX + VMMR0JMPBUF.rbx]
187%ifdef ASM_CALL64_MSC
188 mov rsi, [xDX + VMMR0JMPBUF.rsi]
189 mov rdi, [xDX + VMMR0JMPBUF.rdi]
190%endif
191 mov r12, [xDX + VMMR0JMPBUF.r12]
192 mov r13, [xDX + VMMR0JMPBUF.r13]
193 mov r14, [xDX + VMMR0JMPBUF.r14]
194 mov r15, [xDX + VMMR0JMPBUF.r15]
195 mov rbp, [xDX + VMMR0JMPBUF.rbp]
196 and qword [xDX + VMMR0JMPBUF.rip], byte 0 ; used for valid check.
197 mov rsp, [xDX + VMMR0JMPBUF.rsp]
198 push qword [xDX + VMMR0JMPBUF.rflags]
199 popf
200 leave
201 ret
202
203.entry_error:
204 mov eax, VERR_VMM_SET_JMP_ERROR
205 jmp .proper_return
206
207.stack_overflow:
208 mov eax, VERR_VMM_SET_JMP_STACK_OVERFLOW
209 jmp .proper_return
210
211 ;
212 ; Aborting resume.
213 ; Note! No need to restore XMM registers here since we haven't touched them yet.
214 ;
215.bad:
216 and qword [xDX + VMMR0JMPBUF.rip], byte 0 ; used for valid check.
217 mov rbx, [xDX + VMMR0JMPBUF.rbx]
218 %ifdef ASM_CALL64_MSC
219 mov rsi, [xDX + VMMR0JMPBUF.rsi]
220 mov rdi, [xDX + VMMR0JMPBUF.rdi]
221 %endif
222 mov r12, [xDX + VMMR0JMPBUF.r12]
223 mov r13, [xDX + VMMR0JMPBUF.r13]
224 mov r14, [xDX + VMMR0JMPBUF.r14]
225 mov r15, [xDX + VMMR0JMPBUF.r15]
226 mov eax, VERR_VMM_SET_JMP_ABORTED_RESUME
227 leave
228 ret
229
230 ;
231 ; Not the same call as went to ring-3.
232 ;
233.different_call:
234 mov byte [xDX + VMMR0JMPBUF.fInRing3Call], 0
235 ;; @todo or should we fail here instead?
236 jmp .different_call_continue
237
238 ;
239 ; Resume VMMRZCallRing3 the call.
240 ;
241.resume:
242 ; Check if it's actually the same call, if not just continue with it
243 ; as a regular call (ring-0 assert, then VM destroy).
244 cmp [xDX + VMMR0JMPBUF.pfn], r11
245 jne .different_call
246 cmp [xDX + VMMR0JMPBUF.pvUser1], r8
247 jne .different_call
248 cmp [xDX + VMMR0JMPBUF.pvUser2], r9
249 jne .different_call
250
251 %ifndef VMM_R0_SWITCH_STACK
252 ; Sanity checks incoming stack, applying fuzz if needed.
253 sub r10, [xDX + VMMR0JMPBUF.SpCheck]
254 jz .resume_stack_checked_out
255 add r10, STACK_FUZZ_SIZE ; plus/minus STACK_FUZZ_SIZE is fine.
256 cmp r10, STACK_FUZZ_SIZE * 2
257 ja .bad
258
259 mov r10, [xDX + VMMR0JMPBUF.SpCheck]
260 mov [xDX + VMMR0JMPBUF.rsp], r10 ; Must be update in case of another long jump (used for save calc).
261
262.resume_stack_checked_out:
263 mov ecx, [xDX + VMMR0JMPBUF.cbSavedStack]
264 cmp rcx, VMM_STACK_SIZE
265 ja .bad
266 test rcx, 7
267 jnz .bad
268 mov rdi, [xDX + VMMR0JMPBUF.SpCheck]
269 sub rdi, [xDX + VMMR0JMPBUF.SpResume]
270 cmp rcx, rdi
271 jne .bad
272 %endif
273
274%ifdef VMM_R0_SWITCH_STACK
275 ; Switch stack.
276 mov rsp, [xDX + VMMR0JMPBUF.SpResume]
277%else
278 ; Restore the stack.
279 mov ecx, [xDX + VMMR0JMPBUF.cbSavedStack]
280 shr ecx, 3
281 mov rsi, [xDX + VMMR0JMPBUF.pvSavedStack]
282 mov rdi, [xDX + VMMR0JMPBUF.SpResume]
283 mov rsp, rdi
284 rep movsq
285%endif ; !VMM_R0_SWITCH_STACK
286 mov byte [xDX + VMMR0JMPBUF.fInRing3Call], 0
287
288 ;
289 ; Continue where we left off.
290 ;
291%ifdef VBOX_STRICT
292 pop rax ; magic
293 cmp rax, RESUME_MAGIC
294 je .magic_ok
295 mov ecx, 0123h
296 mov [ecx], edx
297.magic_ok:
298%endif
299%ifdef RT_OS_WINDOWS
300 movdqa xmm6, [rsp + 000h]
301 movdqa xmm7, [rsp + 010h]
302 movdqa xmm8, [rsp + 020h]
303 movdqa xmm9, [rsp + 030h]
304 movdqa xmm10, [rsp + 040h]
305 movdqa xmm11, [rsp + 050h]
306 movdqa xmm12, [rsp + 060h]
307 movdqa xmm13, [rsp + 070h]
308 movdqa xmm14, [rsp + 080h]
309 movdqa xmm15, [rsp + 090h]
310 add rsp, 0a0h
311%endif
312 popf
313 pop rbx
314%ifdef ASM_CALL64_MSC
315 pop rsi
316 pop rdi
317%endif
318 pop r12
319 pop r13
320 pop r14
321 pop r15
322 pop rbp
323 xor eax, eax ; VINF_SUCCESS
324 ret
325ENDPROC vmmR0CallRing3SetJmp
326
327
328;;
329; Worker for VMMRZCallRing3.
330; This will save the stack and registers.
331;
332; @param pJmpBuf msc:rcx gcc:rdi x86:[ebp+8] Pointer to the jump buffer.
333; @param rc msc:rdx gcc:rsi x86:[ebp+c] The return code.
334;
335BEGINPROC vmmR0CallRing3LongJmp
336 ;
337 ; Save the registers on the stack.
338 ;
339 push rbp
340 SEH64_PUSH_xBP
341 mov rbp, rsp
342 SEH64_SET_FRAME_xBP 0
343 push r15
344 SEH64_PUSH_GREG r15
345 push r14
346 SEH64_PUSH_GREG r14
347 push r13
348 SEH64_PUSH_GREG r13
349 push r12
350 SEH64_PUSH_GREG r12
351%ifdef ASM_CALL64_MSC
352 push rdi
353 SEH64_PUSH_GREG rdi
354 push rsi
355 SEH64_PUSH_GREG rsi
356%endif
357 push rbx
358 SEH64_PUSH_GREG rbx
359 pushf
360 SEH64_ALLOCATE_STACK 8
361%ifdef RT_OS_WINDOWS
362 sub rsp, 0a0h
363 SEH64_ALLOCATE_STACK 0a0h
364 movdqa [rsp + 000h], xmm6
365 movdqa [rsp + 010h], xmm7
366 movdqa [rsp + 020h], xmm8
367 movdqa [rsp + 030h], xmm9
368 movdqa [rsp + 040h], xmm10
369 movdqa [rsp + 050h], xmm11
370 movdqa [rsp + 060h], xmm12
371 movdqa [rsp + 070h], xmm13
372 movdqa [rsp + 080h], xmm14
373 movdqa [rsp + 090h], xmm15
374%endif
375%ifdef VBOX_STRICT
376 push RESUME_MAGIC
377 SEH64_ALLOCATE_STACK 8
378%endif
379SEH64_END_PROLOGUE
380
381 ;
382 ; Normalize the parameters.
383 ;
384%ifdef ASM_CALL64_MSC
385 mov eax, edx ; rc
386 mov rdx, rcx ; pJmpBuf
387%else
388 mov rdx, rdi ; pJmpBuf
389 mov eax, esi ; rc
390%endif
391
392 ;
393 ; Is the jump buffer armed?
394 ;
395 cmp qword [xDX + VMMR0JMPBUF.rip], byte 0
396 je .nok
397
398 ;
399 ; Sanity checks.
400 ;
401 mov rdi, [xDX + VMMR0JMPBUF.pvSavedStack]
402 test rdi, rdi ; darwin may set this to 0.
403 jz .nok
404 mov [xDX + VMMR0JMPBUF.SpResume], rsp
405 %ifndef VMM_R0_SWITCH_STACK
406 mov rsi, rsp
407 mov rcx, [xDX + VMMR0JMPBUF.rsp]
408 sub rcx, rsi
409
410 ; two sanity checks on the size.
411 cmp rcx, VMM_STACK_SIZE ; check max size.
412 jnbe .nok
413
414 ;
415 ; Copy the stack
416 ;
417 test ecx, 7 ; check alignment
418 jnz .nok
419 mov [xDX + VMMR0JMPBUF.cbSavedStack], ecx
420 shr ecx, 3
421 rep movsq
422
423 %endif ; !VMM_R0_SWITCH_STACK
424
425 ; Save a PC and return PC here to assist unwinding.
426.unwind_point:
427 lea rcx, [.unwind_point wrt RIP]
428 mov [xDX + VMMR0JMPBUF.SavedEipForUnwind], rcx
429 mov rcx, [xDX + VMMR0JMPBUF.rbp]
430 lea rcx, [rcx + 8]
431 mov [xDX + VMMR0JMPBUF.UnwindRetPcLocation], rcx
432 mov rcx, [rcx]
433 mov [xDX + VMMR0JMPBUF.UnwindRetPcValue], rcx
434
435 ; Save RSP & RBP to enable stack dumps
436 mov rcx, rbp
437 mov [xDX + VMMR0JMPBUF.SavedEbp], rcx
438 sub rcx, 8
439 mov [xDX + VMMR0JMPBUF.SavedEsp], rcx
440
441 ; store the last pieces of info.
442 mov rcx, [xDX + VMMR0JMPBUF.rsp]
443 mov [xDX + VMMR0JMPBUF.SpCheck], rcx
444 mov byte [xDX + VMMR0JMPBUF.fInRing3Call], 1
445
446 ;
447 ; Do the long jump.
448 ;
449%ifdef RT_OS_WINDOWS
450 movdqa xmm6, [xDX + VMMR0JMPBUF.xmm6 ]
451 movdqa xmm7, [xDX + VMMR0JMPBUF.xmm7 ]
452 movdqa xmm8, [xDX + VMMR0JMPBUF.xmm8 ]
453 movdqa xmm9, [xDX + VMMR0JMPBUF.xmm9 ]
454 movdqa xmm10, [xDX + VMMR0JMPBUF.xmm10]
455 movdqa xmm11, [xDX + VMMR0JMPBUF.xmm11]
456 movdqa xmm12, [xDX + VMMR0JMPBUF.xmm12]
457 movdqa xmm13, [xDX + VMMR0JMPBUF.xmm13]
458 movdqa xmm14, [xDX + VMMR0JMPBUF.xmm14]
459 movdqa xmm15, [xDX + VMMR0JMPBUF.xmm15]
460%endif
461 mov rbx, [xDX + VMMR0JMPBUF.rbx]
462%ifdef ASM_CALL64_MSC
463 mov rsi, [xDX + VMMR0JMPBUF.rsi]
464 mov rdi, [xDX + VMMR0JMPBUF.rdi]
465%endif
466 mov r12, [xDX + VMMR0JMPBUF.r12]
467 mov r13, [xDX + VMMR0JMPBUF.r13]
468 mov r14, [xDX + VMMR0JMPBUF.r14]
469 mov r15, [xDX + VMMR0JMPBUF.r15]
470 mov rbp, [xDX + VMMR0JMPBUF.rbp]
471 mov rsp, [xDX + VMMR0JMPBUF.rsp]
472 push qword [xDX + VMMR0JMPBUF.rflags]
473 popf
474 leave
475 ret
476
477 ;
478 ; Failure
479 ;
480.nok:
481%ifdef VBOX_STRICT
482 pop rax ; magic
483 cmp rax, RESUME_MAGIC
484 je .magic_ok
485 mov ecx, 0123h
486 mov [rcx], edx
487.magic_ok:
488%endif
489 mov eax, VERR_VMM_LONG_JMP_ERROR
490%ifdef RT_OS_WINDOWS
491 add rsp, 0a0h ; skip XMM registers since they are unmodified.
492%endif
493 popf
494 pop rbx
495%ifdef ASM_CALL64_MSC
496 pop rsi
497 pop rdi
498%endif
499 pop r12
500 pop r13
501 pop r14
502 pop r15
503 leave
504 ret
505ENDPROC vmmR0CallRing3LongJmp
506
507
508;;
509; Internal R0 logger worker: Logger wrapper.
510;
511; @cproto VMMR0DECL(void) vmmR0LoggerWrapper(const char *pszFormat, ...)
512;
513BEGINPROC_EXPORTED vmmR0LoggerWrapper
514SEH64_END_PROLOGUE
515 int3
516 int3
517 int3
518 ret
519ENDPROC vmmR0LoggerWrapper
520
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette