Fix GH-9068: Conditional jump or move depends on uninitialised value(s)

nielsdos · nielsdos · commit 2df928b25c31 · 2023-01-04T18:12:09.000+01:00
See GH-9068 for analysis. This patch preserves the scratch registers of the SysV x86-64 ABI by storing them to local variables and restoring them later. We need to do this to prevent the registers of the caller from being corrupted. The reason these get corrupted is because the compiler is unaware of the Valgrind replacement function and thus makes assumptions about the original function regarding registers which are not true for the replacement function.
diff --git a/Zend/zend_string.c b/Zend/zend_string.c
@@ -374,7 +374,58 @@ ZEND_API void zend_interned_strings_switch_storage(bool request)
 
 ZEND_API bool ZEND_FASTCALL I_REPLACE_SONAME_FNNAME_ZU(NONE,zend_string_equal_val)(zend_string *s1, zend_string *s2)
 {
-	return !memcmp(ZSTR_VAL(s1), ZSTR_VAL(s2), ZSTR_LEN(s1));
+	/*
+	 * See https://github.com/php/php-src/issues/9068
+	 * We need to preserve the scratch registers because we cannot know what
+	 * the compiler assumes to be unchanged by the original
+	 * zend_string_equal_val implementation.
+	 * We can't safely use push and pop on x86-64 because of the red zone.
+	 * Instead, we save the registers to local variables.
+	 */
+#if defined(__GNUC__) && defined(__x86_64__) && !defined(__ILP32__)
+	size_t rdx, rcx, r8, r9, r10, r11;
+	__asm__ __volatile__ (
+		"movq %%rdx, %0\n\t"
+		"movq %%rcx, %1\n\t"
+		"movq %%r8,  %2\n\t"
+		"movq %%r9,  %3\n\t"
+		"movq %%r10, %4\n\t"
+		"movq %%r11, %5\n\t"
+		: "=mr" (rdx),
+		  "=mr" (rcx),
+		  "=mr" (r8),
+		  "=mr" (r9),
+		  "=mr" (r10),
+		  "=mr" (r11)
+	);
+#endif
+
+	int return_value = !memcmp(ZSTR_VAL(s1), ZSTR_VAL(s2), ZSTR_LEN(s1));
+
+	/* Restores the registers which were saved above, including rdi and rsi */
+#if defined(__GNUC__) && defined(__x86_64__) && !defined(__ILP32__)
+	__asm__ __volatile__ (
+		"movq %0, %%rdx\n\t"
+		"movq %1, %%rcx\n\t"
+		"movq %2, %%r8\n\t"
+		"movq %3, %%r9\n\t"
+		"movq %4, %%r10\n\t"
+		"movq %5, %%r11\n\t"
+		"movq %6, %%rdi\n\t"
+		"movq %7, %%rsi\n\t"
+		:
+		: "mr" (rdx),
+		  "mr" (rcx),
+		  "mr" (r8),
+		  "mr" (r9),
+		  "mr" (r10),
+		  "mr" (r11),
+		  "r" (s1),
+		  "r" (s2)
+	);
+#endif
+
+	return return_value;
 }
 
 #if defined(__GNUC__) && defined(__i386__)
