ntdll: On x86_64, don't access %gs in signal_start_thread().

%gs is not set until call_init_thunk(). Also, adjust other TEB accesses to be consistent with the surrounding functions. Fixes a crash on macOS introduced by 7ae488a2bb ("ntdll: Don't hardcode xstate size in syscall frame.")
2025-03-07 03:53:26 +01:00 · 2024-02-20 21:49:36 -08:00 · 2024-02-20 21:49:36 -08:00 · e628eb2c6f
commit e628eb2c6f
parent 340a4b05b5
2 changed files with 5 additions and 20 deletions
--- a/dlls/ntdll/unix/signal_i386.c
+++ b/dlls/ntdll/unix/signal_i386.c
@ -1618,7 +1618,7 @@ __ASM_GLOBAL_FUNC( call_user_mode_callback,
                   "movl 0x18(%ebp),%edx\n\t"  /* teb */
                   "pushl 0(%edx)\n\t"         /* teb->Tib.ExceptionList */
                   "subl $0x280,%esp\n\t"      /* sizeof(struct syscall_frame) */
-                   "subl %fs:0x204,%esp\n\t"   /* x86_thread_data()->xstate_features_size */
+                   "subl 0x204(%edx),%esp\n\t" /* x86_thread_data()->xstate_features_size */
                   "andl $~63,%esp\n\t"
                   "leal 8(%ebp),%eax\n\t"
                   "movl %eax,0x38(%esp)\n\t"  /* frame->syscall_cfa */
@ -2547,7 +2547,7 @@ __ASM_GLOBAL_FUNC( signal_start_thread,
                   "orl %eax,%eax\n\t"
                   "jnz 1f\n\t"
                   "leal -0x280(%esp),%eax\n\t" /* sizeof(struct syscall_frame) */
-                   "subl %fs:0x204,%eax\n\t"    /* x86_thread_data()->xstate_features_size */
+                   "subl 0x204(%ecx),%eax\n\t"  /* x86_thread_data()->xstate_features_size */
                   "andl $~63,%eax\n\t"
                   "movl %eax,0x1f8(%ecx)\n"    /* x86_thread_data()->syscall_frame */
                   /* switch to kernel stack */
--- a/dlls/ntdll/unix/signal_x86_64.c
+++ b/dlls/ntdll/unix/signal_x86_64.c
@ -1584,12 +1584,7 @@ __ASM_GLOBAL_FUNC( call_user_mode_callback,
                   "movq %rsi,-0x38(%rbp)\n\t" /* ret_ptr */
                   "movq %rdx,-0x40(%rbp)\n\t" /* ret_len */
                   "subq $0x308,%rsp\n\t"      /* sizeof(struct syscall_frame) + exception */
-#ifdef __APPLE__
-                   "movq %gs:0x30,%rsi\n\t"
-                   "movl 0x33c(%rsi),%esi\n\t"
-#else
-                   "movl %gs:0x33c,%esi\n\t"   /* amd64_thread_data()->xstate_features_size */
-#endif
+                   "movl 0x33c(%r8),%esi\n\t"  /* amd64_thread_data()->xstate_features_size */
                   "subq %rsi,%rsp\n\t"
                   "andq $~63,%rsp\n\t"
                   "leaq 0x10(%rbp),%rax\n\t"
@ -1629,12 +1624,7 @@ __ASM_GLOBAL_FUNC( user_mode_callback_return,
                   __ASM_CFI(".cfi_rel_offset %r13,-0x18\n\t")
                   __ASM_CFI(".cfi_rel_offset %r14,-0x20\n\t")
                   __ASM_CFI(".cfi_rel_offset %r15,-0x28\n\t")
-#ifdef __APPLE__
-                   "movq %gs:0x30,%rax\n\t"
-                   "movl 0x33c(%rax),%eax\n\t"
-#else
-                   "movl %gs:0x33c,%eax\n\t"   /* amd64_thread_data()->xstate_features_size */
-#endif
+                   "movl 0x33c(%rcx),%eax\n\t" /* amd64_thread_data()->xstate_features_size */
                   "movq 0x300(%r10,%rax),%rax\n\t" /* exception list */
                   "movq %rax,0(%rcx)\n\t"     /* teb->Tib.ExceptionList */
                   "movq -0x38(%rbp),%r10\n\t"  /* ret_ptr */
@ -2600,12 +2590,7 @@ __ASM_GLOBAL_FUNC( signal_start_thread,
                   "orq %r8,%r8\n\t"
                   "jnz 1f\n\t"
                   "leaq -0x300(%rsp),%r8\n\t"     /* sizeof(struct syscall_frame) */
-#ifdef __APPLE__
-                   "movq %gs:0x30,%rax\n\t"
-                   "movl 0x33c(%rax),%eax\n\t"
-#else
-                   "movl %gs:0x33c,%eax\n\t"       /* amd64_thread_data()->xstate_features_size */
-#endif
+                   "movl 0x33c(%rcx),%eax\n\t"     /* amd64_thread_data()->xstate_features_size */
                   "subq %rax,%r8\n\t"
                   "andq $~63,%r8\n\t"
                   "movq %r8,0x328(%rcx)\n"        /* amd64_thread_data()->syscall_frame */