[shadow stack] Keep RSB and CET SS balanced

This fixes an unbalanced return stack that was caused by popping the return address and jumping to it, instead of pushing it back and returning properly. R=leszeks@chromium.org Bug: v8:11246 Change-Id: I5c58c587cc0f5433c0a3595f5ed4c765e90d1a30 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3365267Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#78472}

[shadow stack] Keep RSB and CET SS balanced
This fixes an unbalanced return stack that was caused by popping the return address and jumping to it, instead of pushing it back and returning properly. R=leszeks@chromium.org Bug: v8:11246 Change-Id: I5c58c587cc0f5433c0a3595f5ed4c765e90d1a30 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3365267Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#78472}
6cb5dca1 · Clemens Backes · V8 LUCI CQ · 59bd3d43 · 6cb5dca1
Commit 6cb5dca1 authored Jan 03, 2022 by Clemens Backes Committed by V8 LUCI CQ Jan 04, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

builtins-x64.cc src/builtins/x64/builtins-x64.cc +5 -1

No files found.
--- a/src/builtins/x64/builtins-x64.cc
+++ b/src/builtins/x64/builtins-x64.cc
@@ -4232,8 +4232,12 @@ void CallApiFunctionAndReturn(MacroAssembler* masm, Register function_address,
  } else {
    DCHECK_EQ(stack_space, 0);
    __ PopReturnAddressTo(rcx);
+    // {stack_space_operand} was loaded into {rbx} above.
    __ addq(rsp, rbx);
-    __ jmp(rcx);
+    // Push and ret (instead of jmp) to keep the RSB and the CET shadow stack
+    // balanced.
+    __ PushReturnAddressFrom(rcx);
+    __ ret(0);
  }
  // Re-throw by promoting a scheduled exception.