From 3812935d9c78ede65b60fcf8bc6bdd1279e45f77 Mon Sep 17 00:00:00 2001
From: asj5b <asj5b@git.zephyr-software.com>
Date: Wed, 9 Nov 2016 22:07:07 +0000
Subject: [PATCH] Zero canary changes

Former-commit-id: e727dcb9465e3993ceb5a0b046d2f8972ffd00e0
---
 tools/transforms/Rewrite_Utility.cpp | 34 ++++++++++++++++++++++++++++
 tools/transforms/Rewrite_Utility.hpp |  1 +
 2 files changed, 35 insertions(+)

diff --git a/tools/transforms/Rewrite_Utility.cpp b/tools/transforms/Rewrite_Utility.cpp
index ccbdbb9b5..131f3705f 100644
--- a/tools/transforms/Rewrite_Utility.cpp
+++ b/tools/transforms/Rewrite_Utility.cpp
@@ -352,10 +352,12 @@ Instruction_t* insertCanaryCheckBefore(FileIR_t* virp,Instruction_t *first, unsi
 
 	ss<<"cmp dword ["<<sp_reg;
 
+	bool esp_neg=false;
 	if(esp_offset <0)
 	{
 		ss<<"-";
 		esp_offset = esp_offset*-1;
+		esp_neg=true;
 	}
 	else
 		ss<<"+";
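Review bot: The `esp_neg` flag added here exists only so the in-place negation of `esp_offset` can be undone at the new call site in the next hunk; saving the caller's value once is simpler and removes the double `*= -1` round trip. Declare `const int zero_offset = esp_offset;` before the sign test, drop `esp_neg`, and in the later hunk call `insertCanaryZeroAfter(virp,first,zero_offset,fail_code);`. Note that `esp_offset*-1` is undefined for the most negative int in both the check and the new zeroing routine, although that pattern predates this patch. insertCanaryCheckBefore begins before this hunk and its body continues into the next one.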
@@ -364,16 +366,48 @@ Instruction_t* insertCanaryCheckBefore(FileIR_t* virp,Instruction_t *first, unsi
 
 	//Insert the cmp before 
 	Instruction_t* next = insertAssemblyBefore(virp,first,ss.str());
+
 	//Then insert the jmp after the compare. 
 	//The fallthrough of the inserted jmp will be a copy of the original
 	//instruction, still pointed to by "first".
 	insertDataBitsAfter(virp,first,getJnzDataBits(),fail_code);
 	first->SetComment("Canary Check: "+first->GetComment());
 
+	//TODO: move canary zero to option 
+	if(esp_neg)
+		esp_offset *= -1;
+	insertCanaryZeroAfter(virp,first,esp_offset,fail_code); 
+
 	return next;
 
 }
 
+Instruction_t* insertCanaryZeroAfter(FileIR_t* virp, Instruction_t *first, int esp_offset, Instruction_t *fail_code)
+{
+	stringstream ss;
+	const char *sp_reg="esp";
+        if(virp->GetArchitectureBitWidth()==64)
+                sp_reg="rsp";
+
+        ss<<"mov dword ["<<sp_reg;
+
+        if(esp_offset <0)
+        {
+                ss<<"-";
+                esp_offset = esp_offset*-1;
+        }
+        else
+                ss<<"+";
+
+        ss<<"0x"<<hex<<esp_offset<<"], 0x0";
+
+        //Insert the cmp before 
+        Instruction_t* next = insertAssemblyAfter(virp,first,ss.str());
+        first->SetComment("Canary Zero: "+first->GetComment());
+
+        return next;
+}
+
 Relocation_t* createNewRelocation(FileIR_t* firp, Instruction_t* insn, string type, int offset)
 {
         Relocation_t* reloc=new Relocation_t;
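Review bot: In insertCanaryZeroAfter the `fail_code` parameter is never read, and the `//Insert the cmp before` comment above the insertAssemblyAfter call is copied from the check routine although this code emits a `mov ... 0x0` after `first`; either change the comment to `//Insert the canary-zeroing store after the (copied) original instruction` or drop the unused parameter from the signature. The store is inserted unconditionally by the caller (the TODO acknowledges this), and if `first` is the function's return instruction — which the caller's `ret_offset` naming hints at but this hunk does not show — a store placed on its fallthrough would never execute, so the placement deserves a confirming comment or a test that the zeroing actually runs before the frame is released. The new body also mixes tab and space indentation (everything after the `sp_reg` declaration uses spaces while the surrounding file uses tabs), and the `next` value it returns is discarded at the call site.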
diff --git a/tools/transforms/Rewrite_Utility.hpp b/tools/transforms/Rewrite_Utility.hpp
index b4b115c46..9d34c4b7a 100644
--- a/tools/transforms/Rewrite_Utility.hpp
+++ b/tools/transforms/Rewrite_Utility.hpp
@@ -74,6 +74,7 @@ Instruction_t* getHandlerCode(FileIR_t* virp, Instruction_t* fallthrough, mitiga
 //Returns the pointer for the copied "first" instruction, which is at the
 //end of the canary check block of instructions. 
 Instruction_t* insertCanaryCheckBefore(FileIR_t* virp,Instruction_t *first, unsigned int canary_val, int ret_offset, Instruction_t *fail_code); 
+Instruction_t* insertCanaryZeroAfter(FileIR_t* virp, Instruction_t *first, int esp_offset, Instruction_t *fail_code);
 
 Relocation_t* createNewRelocation(FileIR_t* firp, Instruction_t* insn, string type, int offset);
 
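Review bot: The new insertCanaryZeroAfter prototype carries no comment, whereas the neighbouring insertCanaryCheckBefore declaration documents what it returns. Add above it `//Inserts a store that zeroes the dword canary slot at [sp+esp_offset] after "first".` and `//Returns the inserted store instruction; fail_code is currently unused.` — the second line reflects the .cpp hunk in this same patch, so revise it if that parameter gains a use.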
-- 
GitLab