Reserve %r11 in sandbox=syscalls

zyedidia · Dec 3, 2024 · b07909e · b07909e
1 parent 28fc90b
commit b07909e
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 8 deletions.
diff --git a/lfi-leg/amd64/flags.c b/lfi-leg/amd64/flags.c
@@ -38,7 +38,7 @@ amd64_getflags(enum flags compiler)
         else if (args.boxtype == BOX_BUNDLEJUMPS)
             flags = xasprintf("-ffixed-r11");
         else if (args.boxtype == BOX_SYSCALLS)
-            flags = xasprintf("-ffixed-r14");
+            flags = xasprintf("-ffixed-r14 -ffixed-r11");
         if (args.cfi == CFI_BUNDLE16)
             flags = xasprintf("%s -falign-labels=16 -falign-functions=16", flags);
         else if (args.cfi == CFI_BUNDLE32)

diff --git a/lfi-leg/amd64/tls.leg b/lfi-leg/amd64/tls.leg
@@ -14,9 +14,6 @@
 static int count;
 %}
 
-# TLS accesses must not touch the stack or clobber flags... This makes things a
-# bit complicated.
-
 Top = (ReadTP_rax | ReadTP_any | OpTP_any | OpTP_any_addr) !.
 
 ReadTP_any = 'mov' [qwl]? SEP '%fs:' '0x'? '0' - COMMA r:XREG - {
@@ -42,11 +39,8 @@ OpTP_any_addr = m:NAME '%fs:' a:Addr - COMMA r:REG - {
     mklabel(label);
     mkdirective(".bundle_unlock");
     mkinsn("movq %%rax, %%r11");
-    // tp in %r11, now need to compute movq n(%r11), %r11
-    // Unfortunately the memory access passes have already run,
-    // so we need to manually construct this memory access.
     mkinsn("leaq %s, %%rax", a.unmod);
-    mkinsn("addq %%rax, %%r11");
+    mkinsn("leaq (%%rax, %%r11), %%r11");
     mkinsn("popq %%rax");
     if (args.boxtype < BOX_FULL) {
         // no need to sandbox the load