Turning a SIGSEGV into a regular function call under Linux, allowing throw
FeepingCreature
default_357-line at yahoo.de
Tue Mar 13 03:33:51 PDT 2012
On 03/13/12 11:23, deadalnix wrote:
> Le 13/03/2012 11:09, FeepingCreature a écrit :
>> Note: I worked out this method for my own language, Neat, but the basic approach should be portable to D's exceptions as well.
>>
>> I've seen it argued a lot over the years (even argued it myself) that it's impossible to throw from Linux signal handlers. This is basically correct, because they constitute an interruption in the stack that breaks exceptions' ability to unroll properly.
>>
>> However, there is a method to turn a signal handler into a regular function call that you can throw from.
>>
>> Basically, what we need to do is similar to a stack buffer overflow exploit. Under Linux, the extended signal handler that is set with sigaction is called with three arguments: the signal, a siginfo_t* and a ucontext_t* as the third.
>>
>> The third parameter is what we're interested in. Deep inside the ucontext_t struct is uc.mcontext.gregs[REG_EIP], the address of the instruction that caused the segfault. This is the location that execution returns to when the signal handler returns. By overwriting this location, we can turn a return into a function call.
>>
>> First, gregs[REG_EAX] = gregs[REG_EIP];
>>
>> We can safely assume that the function that caused the segfault doesn't really need its EAX anymore, so we can reuse it to reconstruct a proper stackframe to throw from later.
>>
>> Second, gregs[REG_EIP] = cast(void*)&sigsegv_userspace_handler;
>>
>> Note that the naked attribute was not used. If used, it can make this code slightly easier.
>>
>> extern(C) void sigsegv_userspace_handler() {
>> // done implicitly
>> // asm { push ebp; }
>> // asm { mov ebp, esp; }
>> asm { mov ebx, [esp]; } // backup the pushed ebp
>> asm { mov [esp], eax; } // replace it with the correct return address
>> // which was originally left out due to the
>> // irregular way we entered this function (via a ret).
>> asm { push ebx; } // recreate the pushed ebp
>> asm { mov ebp, esp; } // complete stackframe.
>> // originally, our stackframe (because we entered this function via a ret)
>> // was [ebp]. Now, it's [return address][ebp], as is proper for cdecl.
>> // at this point, we can safely throw
>> // (or invoke any other non-handler-safe function).
>> throw new SignalException("SIGSEGV");
>> }
>
> And is this Exception recoverable in a safe way ?
>
I'm not familiar with recovering. Note that you can _not_ safely return from the userspace handler, because we overwrote EAX to make space for our ESI backup.
You'd need to find somewhere else to stick that backup, like a TLS global variable or some known part of the stack.
> The ucontext_t struct is system dependent. So this is tricky.
>
Yeah, this is Linux only.
More information about the Digitalmars-d
mailing list