Skip to content

Fix return address hijacking with CET #109074

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 22, 2024
Merged

Fix return address hijacking with CET #109074

merged 3 commits into from
Oct 22, 2024

Conversation

janvorli
Copy link
Member

There is a problematic case when return address is hijacked while in a managed method that tail calls a GC write barrier and when CET is enabled. The write barrier code can change while the handler for the hijacked address is executed from the vectored exception handler. When the vectored exception handler then returns to the write barrier to re-execute the ret instruction that has triggered the vectored exception handler due to the main stack containing a different address than the shadow stack (now with the main stack fixed), the instruction may no longer be ret due to the change of the write barrier change.

This change fixes it by setting the context to return to from the vectored exception handler to point to the caller and setting the Rsp and SSP to match that. That way, the write barrier code no longer matters.

@janvorli
Fix return address hijacking with CET
675c7cc 
There is a problematic case when return address is hijacked while in a
managed method that tail calls a GC write barrier and when CET is
enabled. The write barrier code can change while the handler for the
hijacked address is executed from the vectored exception handler.
When the vectored exception handler then returns to the write barrier to
re-execute the `ret` instruction that has triggered the vectored
exception handler due to the main stack containing a different address
than the shadow stack (now with the main stack fixed), the instruction
may no longer be `ret` due to the change of the write barrier change.

This change fixes it by setting the context to return to from the
vectored exception handler to point to the caller and setting the Rsp
and SSP to match that. That way, the write barrier code no longer
matters.
@janvorli janvorli added this to the 9.0.0 milestone Oct 21, 2024
@janvorli janvorli requested a review from VSadov October 21, 2024 13:21
@janvorli janvorli self-assigned this Oct 21, 2024
@jkotas
Copy link
Member

jkotas commented Oct 21, 2024

Should the same change be made in naot to keep the two implementations in sync?

runtime/src/coreclr/nativeaot/Runtime/EHHelpers.cpp

Lines 551 to 556 in 061941a

if (areShadowStacksEnabled)
{
// Undo the "pop", so that the ret could now succeed.
interruptedContext->SetSp(interruptedContext->GetSp() - 8);
interruptedContext->SetIp(origIp);
}

@VSadov
Copy link
Member

VSadov commented Oct 21, 2024

NativeAOT does not require the fix, but it would be better if implementations match.

LGTM, otherwise. Thanks!!

@janvorli
Copy link
Member Author

I've just added commit with the nativeaot change. But I would like to know your opinion on where should the newly added GetSSP and SetSSP be.and whether they should be made a PAL API or not. Their implementation needs the windows headers to be included or the new types / API it uses redefined.

@VSadov
Copy link
Member

VSadov commented Oct 22, 2024

I would like to know your opinion on where should the newly added GetSSP and SetSSP be.and whether they should be made a PAL API or not.

That seems fine to me. That is where I'd put the helpers as well.

This was referenced Oct 22, 2024
Open
Open
@janvorli janvorli merged commit 4794a57 into dotnet:main Oct 22, 2024
90 checks passed
@VSadov VSadov mentioned this pull request Oct 23, 2024
Closed
@janvorli
Copy link
Member Author

janvorli commented Nov 5, 2024

/backport to release/9.0-staging

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 5, 2024

Started backporting to release/9.0-staging: https://github.com/dotnet/runtime/actions/runs/11686309680

@github-actions github-actions bot mentioned this pull request Nov 5, 2024
Merged
4 tasks
@stephentoub stephentoub mentioned this pull request Dec 6, 2024
Closed
@github-actions github-actions bot locked and limited conversation to collaborators Dec 6, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@VSadov VSadov VSadov approved these changes

@MichalStrehovsky MichalStrehovsky Awaiting requested review from MichalStrehovsky MichalStrehovsky is a code owner

Assignees

@janvorli janvorli

Labels
area-VM-coreclr
Projects
None yet
Milestone
9.0.0
Development

Successfully merging this pull request may close these issues.
3 participants
@janvorli @jkotas @VSadov