On Thu, 29 Nov 2018 09:41:33 -0800 Andy Lutomirski <l...@amacapital.net> wrote:
> > On Nov 29, 2018, at 9:21 AM, Steven Rostedt <rost...@goodmis.org> wrote:
> >
> > On Thu, 29 Nov 2018 12:20:00 -0500
> > Steven Rostedt <rost...@goodmis.org> wrote:
> >
> >
> >> r8 = return address
> >> r9 = function to call
> >>
> >
> > Bad example, r8 and r9 are args, but r10 and r11 are available.
> >
> > -- Steve
> >
> >> push r8
> >> jmp *r9
> >>
> >> Then have the regs->ip point to that trampoline.
>
> Cute. That’ll need ORC annotations and some kind of retpoline to replace the
> indirect jump, though.
>

Do we really need to worry about retpoline here? I'm not fully up on all
the current vulnerabilities, but can this really be taken advantage of
when it only happens in the transition of changing a static call with
the small chance of one of those calls triggering the break point?

If someone can take advantage of that, I almost think they deserve
cracking my box ;-)

-- Steve
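The trampoline sketched in the quoted messages, written out as an added user-space example (this is not code from the thread or from the kernel's static-call implementation). It follows Steve's correction: on the x86-64 SysV ABI, r8 and r9 carry the fifth and sixth integer arguments, so the trampoline uses r10 for the return address and r11 for the target, both of which are caller-saved scratch registers. A six-argument target shows that r8/r9 reach the callee intact. The `call_via_tramp` wrapper stands in for the kernel pointing `regs->ip` at the trampoline; the `jmp *%r11` is the indirect branch Andy's reply says would need a retpoline in a kernel build. On non-x86-64 hosts the wrapper falls back to a direct call so the program still builds.

```c
#include <stdio.h>

/* Six-argument target: on SysV x86-64 these arrive in rdi, rsi, rdx, rcx, r8, r9. */
static long sum6(long a, long b, long c, long d, long e, long f)
{
	return a + b + c + d + e + f;
}

/* Returns only the r8/r9 arguments, to prove the trampoline did not clobber them. */
static long last_two(long a, long b, long c, long d, long e, long f)
{
	(void)a; (void)b; (void)c; (void)d;
	return e * 100 + f;
}

typedef long (*fn6_t)(long, long, long, long, long, long);

#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))

/*
 * The trampoline itself: r10 = return address, r11 = function to call.
 * (The thread's first draft used r8/r9, which are argument registers.)
 * "jmp *%r11" is the indirect jump a kernel build would replace with a retpoline.
 */
__asm__(
	".text\n"
	".type static_call_tramp,@function\n"
	"static_call_tramp:\n"
	"	pushq %r10\n"          /* fake the return address a CALL would have pushed */
	"	jmp *%r11\n"           /* transfer to the target; its RET lands on that address */
	".size static_call_tramp, .-static_call_tramp\n");

/* Hypothetical stand-in for "regs->ip points at the trampoline": load the
 * argument registers, set r10/r11, and jump to the trampoline instead of CALLing fn. */
static long call_via_tramp(fn6_t fn, long a, long b, long c, long d, long e, long f)
{
	register long rdi __asm__("rdi") = a;
	register long rsi __asm__("rsi") = b;
	register long rdx __asm__("rdx") = c;
	register long rcx __asm__("rcx") = d;
	register long r8  __asm__("r8")  = e;
	register long r9  __asm__("r9")  = f;
	register long r11 __asm__("r11") = (long)fn;  /* function to call */
	long ret;

	__asm__ volatile(
		"movq %%rsp, %%rbx\n\t"        /* remember rsp; rbx is callee-saved */
		"subq $128, %%rsp\n\t"         /* step over this function's red zone */
		"andq $-16, %%rsp\n\t"         /* ABI: rsp 16-byte aligned before a call */
		"leaq 1f(%%rip), %%r10\n\t"    /* r10 = return address (label 1 below) */
		"jmp static_call_tramp\n\t"    /* enter the trampoline, not the target */
		"1:\n\t"
		"movq %%rbx, %%rsp"            /* target's RET brought us here; restore rsp */
		: "=a"(ret), "+r"(rdi), "+r"(rsi), "+r"(rdx), "+r"(rcx),
		  "+r"(r8), "+r"(r9), "+r"(r11)
		:
		: "rbx", "r10", "memory", "cc");
	return ret;
}

#else
/* Portable fallback: no trampoline, just call the target directly. */
static long call_via_tramp(fn6_t fn, long a, long b, long c, long d, long e, long f)
{
	return fn(a, b, c, d, e, f);
}
#endif

/* Drive both targets through the trampoline; returns 0 when both results are right. */
int tramp_selftest(void)
{
	long s = call_via_tramp(sum6, 1, 2, 3, 4, 5, 6);       /* expect 21 */
	long l = call_via_tramp(last_two, 1, 2, 3, 4, 5, 6);   /* expect 506 */
	return (s == 21 && l == 506) ? 0 : 1;
}

int main(void)
{
	printf("sum6 via trampoline     = %ld\n", call_via_tramp(sum6, 1, 2, 3, 4, 5, 6));
	printf("last_two via trampoline = %ld\n", call_via_tramp(last_two, 1, 2, 3, 4, 5, 6));
	return tramp_selftest();
}
```

Build with `cc -O2 tramp.c -o tramp`. The `subq`/`andq` dance exists only because the wrapper is ordinary C and the compiler may keep live data in the red zone below rsp; in the kernel scenario the trampoline is entered from a trap frame, so that bookkeeping is not needed there.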