x86: Shadow stacks compatibility for interceptor

This patch makes interceptor code compatible with Intel CET shadow
stacks.

* Make the on_leave_trampoline a legit address to return to from a
  CET-enabled intercepted function's point of view.
* Ensure a proper call/ret discipline to not interfere shadow stacks.

On Windows, this means that it will now be possible to intercept
functions that live in CETCOMPAT modules when the user shadow stack
mitigation is active (though not in strict mode).

Author: yjugl

gum/backend-x86/guminterceptor-x86.c

@@ -171,6 +171,7 @@ _gum_interceptor_backend_create_trampoline (GumInterceptorBackend * self,
   GumX86Relocator * rl = &self->relocator;
   GumX86FunctionContextData * data = GUM_FCDATA (ctx);
   GumAddress function_ctx_ptr;
+  gpointer after_push_to_shadow_stack;
   guint reloc_bytes;
 
   if (!gum_interceptor_backend_prepare_trampoline (self, ctx))
@@ -184,11 +185,24 @@ _gum_interceptor_backend_create_trampoline (GumInterceptorBackend * self,
     gum_x86_writer_put_bytes (cw, (guint8 *) &ctx,
         sizeof (GumFunctionContext *));
 
-    ctx->on_enter_trampoline = gum_x86_writer_cur (cw);
+    after_push_to_shadow_stack = gum_x86_writer_cur (cw);
 
+    gum_x86_writer_put_lea_reg_reg_offset (cw, GUM_X86_XSP,
+      GUM_X86_XSP, ((gssize) sizeof (gpointer)));
     gum_x86_writer_put_push_near_ptr (cw, function_ctx_ptr);
     gum_x86_writer_put_jmp_address (cw, GUM_ADDRESS (self->enter_thunk->data));
 
+    ctx->on_enter_trampoline = gum_x86_writer_cur (cw);
+
+    // We use a call instruction to push on_leave_trampoline as a legit return
+    // address on the shadow stack.
+    //
+    // SAFETY: We call to a label that is only a few bytes away, so this will
+    //         only emit a call instruction (not a call-jump combo). So the
+    //         current position of the writer after emission is the exact return
+    //         address that will be pushed on the stack and the shadow stack.
+    gum_x86_writer_put_call_address (cw, GUM_ADDRESS (after_push_to_shadow_stack));
+
     ctx->on_leave_trampoline = gum_x86_writer_cur (cw);
 
     gum_x86_writer_put_push_near_ptr (cw, function_ctx_ptr);
@@ -338,7 +352,7 @@ gum_emit_enter_thunk (GumX86Writer * cw)
       GUM_ARG_REGISTER, GUM_X86_XDX,
       GUM_ARG_REGISTER, GUM_X86_XCX);
 
-  gum_emit_epilog (cw);
+  gum_emit_epilog (cw, FALSE);
 }
 
 static void
@@ -359,7 +373,7 @@ gum_emit_leave_thunk (GumX86Writer * cw)
       GUM_ARG_REGISTER, GUM_X86_XSI,
       GUM_ARG_REGISTER, GUM_X86_XDX);
 
-  gum_emit_epilog (cw);
+  gum_emit_epilog (cw, TRUE);
 }
 
 static void
@@ -401,7 +415,7 @@ gum_emit_prolog (GumX86Writer * cw,
 }
 
 static void
-gum_emit_epilog (GumX86Writer * cw)
+gum_emit_epilog (GumX86Writer * cw, gboolean do_ret)
 {
   guint8 fxrstor[] = {
     0x0f, 0xae, 0x0c, 0x24 /* fxrstor [esp] */
@@ -415,5 +429,15 @@ gum_emit_epilog (GumX86Writer * cw)
                                           GumCpuContext.xip */
   gum_x86_writer_put_popax (cw);
   gum_x86_writer_put_popfx (cw);
-  gum_x86_writer_put_ret (cw);
+
+  if (do_ret) {
+    gum_x86_writer_put_ret (cw);
+  }
+  else {
+    // emulates a ret, but does not affect the shadow stack
+    gum_x86_writer_put_lea_reg_reg_offset (cw, GUM_X86_XSP,
+      GUM_X86_XSP, ((gssize) sizeof (gpointer)));
+    gum_x86_writer_put_jmp_reg_offset_ptr (cw, GUM_X86_XSP,
+      -((gssize) sizeof (gpointer)));
+  }
 }

gum/guminterceptor.c

@@ -1619,12 +1619,21 @@ _gum_function_context_begin_invocation (GumFunctionContext * function_ctx,
 
   if (!will_trap_on_leave)
   {
-    g_atomic_int_dec_and_test (&function_ctx->trampoline_usage_counter);
+    goto bypass;
   }
 
   return;
 
 bypass:
+  // pop on_leave_trampoline from the shadow stack
+#if defined (HAVE_I386)
+# if GLIB_SIZEOF_VOID_P == 4
+  _incsspd(1);
+#  else
+  _incsspq(1);
+#  endif
+#endif
+
   g_atomic_int_dec_and_test (&function_ctx->trampoline_usage_counter);
 }