From 936d9d6ca52d2ad87cf96107c756b75770dc8eb0 Mon Sep 17 00:00:00 2001
From: Taylor R Campbell
Date: Fri, 3 Dec 2021 21:52:28 +0000
Subject: [PATCH] runtime: Check %fs against %rsp across syscalls.

---
 src/syscall/asm_unix_amd64.s | 48 ++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/src/syscall/asm_unix_amd64.s b/src/syscall/asm_unix_amd64.s
index 8ee46b86b5..be8f2bf50a 100644
--- a/src/syscall/asm_unix_amd64.s
+++ b/src/syscall/asm_unix_amd64.s
@@ -17,26 +17,40 @@
 
 TEXT ·Syscall(SB),NOSPLIT,$0-56
 CALL runtime·entersyscall(SB)
+ LEAQ (TLS), AX
+ PUSHQ AX
 MOVQ trap+0(FP), AX // syscall entry
 MOVQ a1+8(FP), DI
 MOVQ a2+16(FP), SI
 MOVQ a3+24(FP), DX
 SYSCALL
+ POPQ DI
 JCC ok
 MOVQ $-1, r1+32(FP) // r1
 MOVQ $0, r2+40(FP) // r2
 MOVQ AX, err+48(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad
 CALL runtime·exitsyscall(SB)
 RET
 ok:
 MOVQ AX, r1+32(FP) // r1
 MOVQ DX, r2+40(FP) // r2
 MOVQ $0, err+48(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad
 CALL runtime·exitsyscall(SB)
 RET
+bad:
+ CALL runtime·abort(SB)
+ RET
 
 TEXT ·Syscall6(SB),NOSPLIT,$0-80
 CALL runtime·entersyscall(SB)
+ LEAQ (TLS), AX
+ PUSHQ AX
 MOVQ trap+0(FP), AX // syscall entry
 MOVQ a1+8(FP), DI
 MOVQ a2+16(FP), SI
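Review bot: Nothing in the hunk says what the new `LEAQ (TLS), AX` / `PUSHQ AX` / `CMPQ DI, SI` / `JNE bad` sequence guards against; the Subject line is the only explanation, and the same three-instruction check is repeated at eight sites across this hunk and the Syscall6, RawSyscall and RawSyscall6 hunks that follow. Put a comment at the first `PUSHQ AX` such as `// Save the TLS slot address; after SYSCALL it is recomputed and compared, and a changed TLS base aborts instead of continuing.`, and since Go assembly is run through the C preprocessor, a `#define CHECK_TLS(bad_label)` macro (near the top of the file, outside this hunk) would replace the eight copies with one documented definition. Separately, confirm what `LEAQ (TLS), r` assembles to on this target: a plain LEA with a segment override yields only the offset, not the %fs base, which would make the comparison vacuous, and the expansion differs under -shared/-dynlink builds. The `POPQ DI` placed between `SYSCALL` and `JCC ok` is correct only because POP leaves the flags untouched; a `// POP does not touch CF; JCC still sees the syscall result` comment would protect this ordering in all four functions.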
@@ -45,37 +59,61 @@ TEXT ·Syscall6(SB),NOSPLIT,$0-80
 MOVQ a5+40(FP), R8
 MOVQ a6+48(FP), R9
 SYSCALL
+ POPQ DI
 JCC ok6
 MOVQ $-1, r1+56(FP) // r1
 MOVQ $0, r2+64(FP) // r2
 MOVQ AX, err+72(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad6
 CALL runtime·exitsyscall(SB)
 RET
 ok6:
 MOVQ AX, r1+56(FP) // r1
 MOVQ DX, r2+64(FP) // r2
 MOVQ $0, err+72(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad6
 CALL runtime·exitsyscall(SB)
 RET
+bad6:
+ CALL runtime·abort(SB)
+ RET
 
 TEXT ·RawSyscall(SB),NOSPLIT,$0-56
+ LEAQ (TLS), AX
+ PUSHQ AX
 MOVQ a1+8(FP), DI
 MOVQ a2+16(FP), SI
 MOVQ a3+24(FP), DX
 MOVQ trap+0(FP), AX // syscall entry
 SYSCALL
+ POPQ DI
 JCC ok1
 MOVQ $-1, r1+32(FP) // r1
 MOVQ $0, r2+40(FP) // r2
 MOVQ AX, err+48(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad1
 RET
 ok1:
 MOVQ AX, r1+32(FP) // r1
 MOVQ DX, r2+40(FP) // r2
 MOVQ $0, err+48(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad1
+ RET
+bad1:
+ CALL runtime·abort(SB)
 RET
 
 TEXT ·RawSyscall6(SB),NOSPLIT,$0-80
+ LEAQ (TLS), AX
+ PUSHQ AX
 MOVQ a1+8(FP), DI
 MOVQ a2+16(FP), SI
 MOVQ a3+24(FP), DX
@@ -84,13 +122,23 @@ TEXT ·RawSyscall6(SB),NOSPLIT,$0-80
 MOVQ a6+48(FP), R9
 MOVQ trap+0(FP), AX // syscall entry
 SYSCALL
+ POPQ DI
 JCC ok2
 MOVQ $-1, r1+56(FP) // r1
 MOVQ $0, r2+64(FP) // r2
 MOVQ AX, err+72(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad2
 RET
 ok2:
 MOVQ AX, r1+56(FP) // r1
 MOVQ DX, r2+64(FP) // r2
 MOVQ $0, err+72(FP) // errno
+ LEAQ (TLS), SI
+ CMPQ DI, SI
+ JNE bad2
+ RET
+bad2:
+ CALL runtime·abort(SB)
 RET
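Review bot: In RawSyscall the new `JNE bad1` / `RET` / `bad1:` lines are spliced in so that the pre-existing `RET` of the `ok1:` path now follows `CALL runtime·abort(SB)`, and RawSyscall6 in the next hunk does the same with `bad2`; the control flow is fine, but on a plain read it looks as though the bad path is meant to return after aborting, whereas the `bad:` and `bad6:` blocks added for Syscall and Syscall6 are self-contained. A one-line comment on that trailing `RET`, `// not reached: runtime·abort does not return`, adjusted to whatever abort actually guarantees in this runtime, would make the intent explicit. Because RawSyscall and RawSyscall6 have no entersyscall/exitsyscall around them, the check here runs in whatever context the caller is in, presumably including ones where the runtime must not be re-entered; if aborting is acceptable there, a sentence saying so at the `bad1:` label would save the next reader the question.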