On Fri, Sep 11, 2020 at 05:41:47PM -0500, Qing Zhao wrote:
> > On Sep 11, 2020, at 4:51 PM, Segher Boessenkool
> > <seg...@kernel.crashing.org> wrote:
> > It is definitely *not* effective if there are gadgets that set rax to
> > a value the attacker wants and then do a syscall.
> 
> You mean the following gadget:
> 
> Gadget 1:
> 
>     mov rax, value
>     syscall
>     ret

No, just

    mov rax,59
    syscall

(no ret necessary!)  I.e. just anything that already does an execve.


Segher
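The two gadget shapes discussed in this exchange (load the syscall number into rax, then `syscall`, with or without a trailing `ret`) can be located mechanically. The scanner below is an added example and is not code from the thread, from GCC, or from either poster; it works over a small constructed x86-64 byte buffer rather than a real binary, and it assumes Linux x86-64, where syscall number 59 is execve. It recognises the two common encodings of a 32-bit immediate load into rax (`B8 imm32` for `mov eax, imm32`, which zero-extends, and `48 C7 C0 imm32` for the sign-extended `mov rax, imm32`) immediately followed by `0F 05` (`syscall`), and records whether a `C3` (`ret`) follows. The point Segher makes shows up directly: the ret-less gadget is reported as a hit just like the one with a `ret`, because execve never returns to the caller anyway.

```c
/* Added example (not part of the mailing-list thread, not GCC code):
 * find x86-64 "mov eax/rax, imm32 ; syscall" sequences in a code buffer.
 * Such gadgets load the syscall number themselves right before `syscall`,
 * so clearing call-used registers on function return does not defeat them.
 * The byte buffer is constructed for this example, not taken from a binary.
 * Assumes Linux x86-64, where syscall 59 is execve. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define SYS_EXECVE_X86_64 59

struct gadget {
    size_t  offset;     /* offset of the mov in the buffer */
    int32_t rax_value;  /* immediate loaded into eax/rax */
    int     has_ret;    /* 1 if a `ret` (C3) directly follows `syscall` */
};

/* Decode a 32-bit little-endian immediate. */
static int32_t imm32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Scan `code` for the patterns
 *   B8 imm32         mov eax, imm32   (zero-extended into rax)
 *   48 C7 C0 imm32   mov rax, imm32   (sign-extended)
 * each immediately followed by 0F 05 (syscall). A trailing C3 (ret) is
 * recorded but NOT required. Returns the number of gadgets found and
 * fills `out` with at most `max` of them. */
size_t find_syscall_gadgets(const uint8_t *code, size_t len,
                            struct gadget *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        size_t mov_len;
        int32_t val;
        if (code[i] == 0xB8 && i + 5 <= len) {
            mov_len = 5;
            val = imm32(code + i + 1);
        } else if (i + 7 <= len && code[i] == 0x48 &&
                   code[i + 1] == 0xC7 && code[i + 2] == 0xC0) {
            mov_len = 7;
            val = imm32(code + i + 3);
        } else {
            continue;
        }
        size_t sc = i + mov_len;
        if (sc + 2 > len || code[sc] != 0x0F || code[sc + 1] != 0x05)
            continue;
        if (n < max) {
            out[n].offset = i;
            out[n].rax_value = val;
            out[n].has_ret = (sc + 2 < len && code[sc + 2] == 0xC3);
        }
        n++;
    }
    return n;
}

/* Constructed sample: padding, both gadget shapes from the thread,
 * and one non-execve syscall gadget (60 == exit) as a negative case. */
static const uint8_t sample_code[] = {
    0x90, 0x90,                                /* nop ; nop */
    /* "Gadget 1" from the quoted mail: mov rax, 59 ; syscall ; ret */
    0x48, 0xC7, 0xC0, 0x3B, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3,
    0x31, 0xC0,                                /* xor eax, eax */
    /* Segher's shape: mov eax, 59 ; syscall ; jmp $  (no ret) */
    0xB8, 0x3B, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xEB, 0xFE,
    /* mov eax, 60 ; syscall  (exit, not execve) */
    0xB8, 0x3C, 0x00, 0x00, 0x00, 0x0F, 0x05,
};

/* Helpers returning scalar results over the sample buffer. */
size_t sample_gadget_count(void) {
    struct gadget g[8];
    return find_syscall_gadgets(sample_code, sizeof sample_code, g, 8);
}

size_t sample_execve_gadget_count(void) {
    struct gadget g[8];
    size_t n = find_syscall_gadgets(sample_code, sizeof sample_code, g, 8);
    size_t execve = 0;
    for (size_t i = 0; i < n && i < 8; i++)
        if (g[i].rax_value == SYS_EXECVE_X86_64) execve++;
    return execve;
}

int sample_gadget_has_ret(size_t idx) {
    struct gadget g[8];
    size_t n = find_syscall_gadgets(sample_code, sizeof sample_code, g, 8);
    return idx < n ? g[idx].has_ret : -1;
}

int main(void) {
    struct gadget g[8];
    size_t n = find_syscall_gadgets(sample_code, sizeof sample_code, g, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("offset %zu: mov rax,%d ; syscall%s\n", g[i].offset,
               g[i].rax_value, g[i].has_ret ? " ; ret" : "  (no ret)");
    return 0;
}
```

Only the two `mov` encodings above are decoded; a gadget that reaches rax = 59 some other way (for example `xor eax, eax` followed by `mov al, 59`, or a value popped from the stack) would need additional patterns, so a negative result from this scanner is not evidence that no such gadget exists.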