mirror of
https://github.com/chromium/crashpad.git
synced 2025-01-09 13:45:37 +08:00
e04194afd9
TerminateProcess(), like most of the Windows API, is declared WINAPI, which is __stdcall on 32-bit x86. That means that the callee, TerminateProcess() itself, is responsible for cleaning up parameters on the stack on return. In https://crashpad.chromium.org/bug/179, crashes in ExceptionHandlerServer::OnNonCrashDumpEvent() were observed in ways that make it evident that TerminateProcess() has been patched with a __cdecl routine. The crucial difference between __stdcall and __cdecl is that the caller is responsible for stack parameter cleanup in __cdecl. The mismatch means that nobody cleans parameters from the stack, and the stack pointer has an unexpected value, which in the case of the Crashpad handler crash, results in TerminateProcess()’s second argument erroneously being used as the lock address in the call to ReleaseSRWLockExclusive() or LeaveCriticalSection(). As a workaround, on 32-bit x86, call through SafeTerminateProcess(), a custom assembly routine that’s compatible with either __stdcall or __cdecl implementations of TerminateProcess() by not trusting the value of the stack pointer on return from that function. Instead, the stack pointer is restored directly from the frame pointer. Bug: crashpad:179 Test: crashpad_util_test SafeTerminateProcess.*, others Change-Id: If9508f4eb7631020ea69ddbbe4a22eb335cdb325 Reviewed-on: https://chromium-review.googlesource.com/481180 Reviewed-by: Scott Graham <scottmg@chromium.org>
75 lines
2.0 KiB
NASM
75 lines
2.0 KiB
NASM
; Copyright 2017 The Crashpad Authors. All rights reserved.
|
||
;
|
||
; Licensed under the Apache License, Version 2.0 (the "License");
|
||
; you may not use this file except in compliance with the License.
|
||
; You may obtain a copy of the License at
|
||
;
|
||
; http://www.apache.org/licenses/LICENSE-2.0
|
||
;
|
||
; Unless required by applicable law or agreed to in writing, software
|
||
; distributed under the License is distributed on an "AS IS" BASIS,
|
||
; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
; See the License for the specific language governing permissions and
|
||
; limitations under the License.
|
||
|
||
; Detect ml64 assembling for x86_64 by checking for rax.
|
||
ifdef rax
|
||
_M_X64 equ 1
|
||
else
|
||
_M_IX86 equ 1
|
||
endif
|
||
|
||
ifdef _M_IX86
|
||
.586
|
||
.xmm
|
||
.model flat
|
||
|
||
includelib kernel32.lib
|
||
|
||
extern __imp__TerminateProcess@8:proc
|
||
|
||
; namespace crashpad {
|
||
; bool SafeTerminateProcess(HANDLE process, UINT exit_code);
|
||
; } // namespace crashpad
|
||
SAFETERMINATEPROCESS_SYMBOL equ ?SafeTerminateProcess@crashpad@@YA_NPAXI@Z
|
||
|
||
_TEXT segment
|
||
public SAFETERMINATEPROCESS_SYMBOL
|
||
|
||
SAFETERMINATEPROCESS_SYMBOL proc
|
||
|
||
; This function is written in assembler source because it’s important for it
|
||
; to not be inlined, for it to allocate a stack frame, and most critically,
|
||
; for it to not trust esp on return from TerminateProcess().
|
||
; __declspec(noinline) can prevent inlining and #pragma optimize("y", off) can
|
||
; disable frame pointer omission, but there’s no way to force a C compiler to
|
||
; distrust esp, and even if there was a way, it’d probably be fragile.
|
||
|
||
push ebp
|
||
mov ebp, esp
|
||
|
||
push [ebp+12]
|
||
push [ebp+8]
|
||
call dword ptr [__imp__TerminateProcess@8]
|
||
|
||
; Convert from BOOL to bool.
|
||
test eax, eax
|
||
setne al
|
||
|
||
; TerminateProcess() is supposed to be stdcall (callee clean-up), and esp and
|
||
; ebp are expected to already be equal. But if it’s been patched badly by
|
||
; something that’s cdecl (caller clean-up), this next move will get things
|
||
; back on track.
|
||
mov esp, ebp
|
||
pop ebp
|
||
|
||
ret
|
||
|
||
SAFETERMINATEPROCESS_SYMBOL endp
|
||
|
||
_TEXT ends
|
||
|
||
endif
|
||
|
||
end
|