HomePhabricator

[winasan] Fix hotpatching ntdll!strcpy for Win10 creators edition

Description

[winasan] Fix hotpatching ntdll!strcpy for Win10 creators edition

The 9 byte nop is a suffix of the 10 byte nop, and we need at most 6
bytes.

ntdll's version of strcpy is written in assembly and is very clever.
strcat tail calls strcpy but with a slightly different arrangement of
argument registers at an alternate entry point. It looks like this:

ntdll!strcpy:
00007ffd`64e8a7a0 4c8bd9          mov     r11,rcx
ntdll!__entry_from_strcat_in_strcpy:
00007ffd`64e8a7a3 482bca          sub     rcx,rdx
00007ffd`64e8a7a6 f6c207          test    dl,7

If we overwrite more than two bytes in our interceptor, that label will
no longer be a valid instruction boundary.

By recognizing the 9 byte nop, we use the two byte backwards branch to
start our trampoline, avoiding this issue.

Fixes https://github.com/google/sanitizers/issues/829

Patch by David Major

Details

Committed
rnkAug 8 2017, 2:18 PM
Parents
rL310418: [mips] Enable `long_call/short_call` attributes on MIPS64
Branches
Unknown
Tags
Unknown