From d2880baef19991270cbcdbdb22622e91815faadc Mon Sep 17 00:00:00 2001
From: Luca Dariz
Date: Mon, 27 Feb 2023 21:45:00 +0100
Subject: x86_64: fix user trap during syscall with an invalid user stack

* i386/i386/locore.h: user vm_offset_t in the recovery_table
* x86_64/locore.S: fix RECOVERY() location and keep user regs in %rbx, as it seems the convention.

This only applies to 32-bit userspace.

Message-Id: <20230227204501.2492152-5-luca@orpolo.org>
---
 i386/i386/locore.h | 4 ++--
 x86_64/locore.S | 20 ++++++++++----------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/i386/i386/locore.h b/i386/i386/locore.h
index 00da07ad..a8807dbf 100644
--- a/i386/i386/locore.h
+++ b/i386/i386/locore.h
@@ -27,8 +27,8 @@
 * Fault recovery in copyin/copyout routines.
 */
 struct recovery {
- int fault_addr;
- int recover_addr;
+ vm_offset_t fault_addr;
+ vm_offset_t recover_addr;
 };
 
 extern struct recovery recover_table[];
diff --git a/x86_64/locore.S b/x86_64/locore.S
index a2663aff..47d9085c 100644
--- a/x86_64/locore.S
+++ b/x86_64/locore.S
@@ -1157,18 +1157,18 @@ syscall_native:
 andq %r10,%r10
 jz mach_call_call /* skip argument copy if none */
- movq R_UESP(%rbx),%rbx /* get user stack pointer */
- addq $4,%rbx /* Skip user return address */
-
 movq $USER_DS,%rdx /* use user data segment for accesses */
 mov %dx,%fs
 movq %rsp,%r11 /* save kernel ESP for error recovery */
+ movq R_UESP(%rbx),%rbp /* get user stack pointer */
+ addq $4,%rbp /* Skip user return address */
+
 #define PARAM(reg,ereg) \
- RECOVER(mach_call_addr_push) \
 xorq %reg,%reg ;\
- movl %fs:(%rbx),%ereg /* 1st parameter */ ;\
- addq $4,%rbx ;\
+ RECOVER(mach_call_addr_push) \
+ movl %fs:(%rbp),%ereg /* 1st parameter */ ;\
+ addq $4,%rbp ;\
 dec %r10 ;\
 jz mach_call_call
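Review bot: Widening fault_addr and recover_addr to vm_offset_t only repairs the lookup if the entries that the assembler-side RECOVER() macro writes into recover_table have the same width; that macro is not in this patch, so it should be confirmed that it emits two pointer-sized words per entry (.quad on x86_64) and that whoever walks the table still steps by sizeof(struct recovery). With a 32-bit entry on the assembler side and a 64-bit struct here, every lookup would silently miss and a user-supplied bad stack pointer would again be treated as a kernel fault. A comment on the struct would pin the contract: `/* Layout must match the entries emitted by RECOVER() in locore.S: two pointer-sized words */`.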
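Review bot: The two invariants this hunk restores stay implicit in the new code: %rbx must remain the pointer to the saved user register frame (it is what `R_UESP(%rbx)` indexes) for the whole argument copy, and `RECOVER(mach_call_addr_push)` must directly precede the `movl %fs:(%rbp)` it covers, since a recovery entry presumably keys on the address of the instruction that follows the macro and the old placement before `xorq` would make a fault on an invalid user stack miss the table. I would state this at the PARAM definition: `/* RECOVER must immediately precede the %fs: access it protects; %rbx stays the saved-regs pointer, the user stack pointer lives in %rbp */`. Using %rbp as scratch is only safe if nothing between here and mach_call_call treats it as a frame pointer and the exit path restores it from the saved frame, neither of which is visible in the hunk, so a one-line comment at `movq R_UESP(%rbx),%rbp` saying it is clobbered deliberately would help the next reader. The syscall_native body and the uses of PARAM continue outside the hunk.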
@@ -1179,12 +1179,12 @@ syscall_native:
 PARAM(r8,r8d) /* 5th parameter */
 PARAM(r9,r9d) /* 6th parameter */
- lea (%rbx,%r10,4),%rbx /* point past last argument */
+ lea (%rbp,%r10,4),%rbp /* point past last argument */
 xorq %r12,%r12
-0: subq $4,%rbx
+0: subq $4,%rbp
 RECOVER(mach_call_addr_push)
- movl %fs:(%rbx),%r12d
+ movl %fs:(%rbp),%r12d
 pushq %r12 /* push argument on stack */
 dec %r10
 jnz 0b /* loop for all arguments */
@@ -1208,7 +1208,7 @@ mach_call_call:
 /*
 * Address out of range. Change to page fault.
- * %esi holds failing address.
+ * %rsi holds failing address.
 */
 mach_call_addr_push:
 movq %r11,%rsp /* clean parameters from stack */
-- 
cgit v1.2.3
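Review bot: The corrected comment at mach_call_addr_push says %rsi holds the failing address, but nothing in the hunk loads %rsi, so a reader cannot tell who provides it; presumably the page-fault handler stores the faulting address into the saved %rsi before redirecting execution here through recover_table, and the comment should say so, e.g. `* %rsi holds failing address (stored by the trap handler when it redirects a faulting %fs: access here via recover_table).`. The `movq %r11,%rsp` on the next line likewise depends on %r11 still being the kernel stack pointer saved before the argument copy in the earlier hunk and on the fault path not clobbering it, which is worth one comment naming that pairing, e.g. `/* %r11 = kernel %rsp saved before the argument copy */`. The body of mach_call_addr_push continues outside the hunk.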