From e4e7be6bd9e8a70329f5ceb4f6d66f50e3170ae2 Mon Sep 17 00:00:00 2001
From: Kevin Puetz
Date: Thu, 17 Sep 2020 19:52:46 -0500
Subject: [PATCH] rpcrt4: Fix ARM64 stack corruption in call_server_func.

calls with stack_size > 16 pop argument values into x3, overwriting the number of 16-byte stack octwords. This breaks the checks for popping x4..x7 and potentially unbalances sp (based on the vaue of args[16..23]). Use a scratch register (x9) for this count so its lifetime does not conflict with preparing the parameter/result registers.

Signed-off-by: Kevin Puetz
Signed-off-by: Alexandre Julliard
---
 dlls/rpcrt4/ndr_stubless.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/dlls/rpcrt4/ndr_stubless.c b/dlls/rpcrt4/ndr_stubless.c
index 9f579fcfd4b..43debcb91df 100644
--- a/dlls/rpcrt4/ndr_stubless.c
+++ b/dlls/rpcrt4/ndr_stubless.c
@@ -1180,24 +1180,24 @@ LONG_PTR __cdecl call_server_func(SERVER_ROUTINE func, unsigned char *args, unsi
 __ASM_GLOBAL_FUNC( call_server_func,
 "stp x29, x30, [sp, #-16]!\n\t"
 "mov x29, sp\n\t"
- "add x3, x2, #15\n\t"
- "lsr x3, x3, #4\n\t"
- "sub sp, sp, x3, lsl #4\n\t"
+ "add x9, x2, #15\n\t"
+ "lsr x9, x9, #4\n\t"
+ "sub sp, sp, x9, lsl #4\n\t"
 "cbz x2, 2f\n"
 "1:\tsub x2, x2, #8\n\t"
 "ldr x4, [x1, x2]\n\t"
 "str x4, [sp, x2]\n\t"
 "cbnz x2, 1b\n"
 "2:\tmov x8, x0\n\t"
- "cbz x3, 3f\n\t"
+ "cbz x9, 3f\n\t"
 "ldp x0, x1, [sp], #16\n\t"
- "cmp x3, #1\n\t"
+ "cmp x9, #1\n\t"
 "b.le 3f\n\t"
 "ldp x2, x3, [sp], #16\n\t"
- "cmp x3, #2\n\t"
+ "cmp x9, #2\n\t"
 "b.le 3f\n\t"
 "ldp x4, x5, [sp], #16\n\t"
- "cmp x3, #3\n\t"
+ "cmp x9, #3\n\t"
 "b.le 3f\n\t"
 "ldp x6, x7, [sp], #16\n"
 "3:\tblr x8\n\t"
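Review bot: The choice of x9 for the octword count is load-bearing but undocumented in the new lines; the bug being fixed was exactly a register-lifetime clash with the x0..x7/x8 setup, and nothing in the asm stops a later edit from reintroducing it. Add a C comment before the `"add x9, x2, #15\n\t"` string, e.g. `/* keep the 16-byte octword count in x9: it must not be an argument register (x0-x7) or x8, which the ldp sequence below fills before blr */`. It would also help to note next to the copy loop that the byte count in x2 is presumably expected to be a multiple of 8, since `sub x2, x2, #8` followed by `cbnz x2, 1b` would otherwise not terminate — that precondition seems to be the caller's, so confirm before wording it as a guarantee. The function's epilogue after `blr x8` lies outside the hunk.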