On Fri, Jan 11, 2019 at 01:47:01AM +0000, Nadav Amit wrote:
> Here is an alternative idea (although similar to Steven’s and my code).
>
> Assume that we always clobber R10, R11 on static-calls explicitly, as anyhow
> should be done by the calling convention (and gcc plugin should allow us to
> enforce). Also assume that we hold a table with all source RIP and the
> matching target.
>
> Now, in the int3 handler can you take the faulting RIP and search for it in
> the “static-calls” table, writing the RIP+5 (offset) into R10 (return
> address) and the target into R11. You make the int3 handler to divert the
> code execution by changing pt_regs->rip to point to a new function that does:
>
> push R10
> jmp __x86_indirect_thunk_r11
>
> And then you are done. No?
IIUC, that sounds pretty much like what Steven proposed:

  https://lkml.kernel.org/r/20181129122000.7fb4f...@gandalf.local.home

I liked the idea, BUT, how would it work for callee-saved PV ops? In that
case there's only one clobbered register to work with (rax).

-- 
Josh
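As an added example (not code from this thread or from the kernel's static-call patches), the following user-space model walks through the int3 redirect Nadav describes: look the trapping RIP up in a site-to-target table, put the would-be return address (site + 5, the length of a `call rel32`) in R10 and the target in R11, and point pt_regs->rip at a trampoline that pushes R10 and jumps through R11. The register struct, the table, the addresses and the function names are all hypothetical stand-ins; the stack is a small array so the trampoline's `push` can be checked. It models only the two-scratch-register scheme; the callee-saved case Josh raises (rax alone) is not modelled.

```c
/*
 * User-space model of the int3-handler redirect for a patched static call.
 * Hypothetical types and addresses; nothing here is executed as machine code.
 */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define CALL_INSN_SIZE 5   /* e8 rel32: the int3 (0xcc) replaces its first byte */

/* The registers the handler touches; stands in for struct pt_regs. */
struct regs {
    uint64_t rip, r10, r11;
};

/* Model of the stack: push decrements 'top' and stores into slot[top]. */
struct stack {
    uint64_t slot[8];
    int top;
};

/* One entry of the assumed "static-calls table": call site -> target. */
struct static_call_site {
    uint64_t site;    /* address of the call instruction being patched */
    uint64_t target;  /* function the call should now reach */
};

/* Assumed address of the shared trampoline:  push %r10; jmp __x86_indirect_thunk_r11 */
#define TRAMPOLINE_ADDR 0xffffffff81000000ULL

/* Constructed table, sorted by site so the handler can bsearch it. */
static const struct static_call_site sites[] = {
    { 0xffffffff81201000ULL, 0xffffffff81500000ULL },
    { 0xffffffff81201040ULL, 0xffffffff81510000ULL },
    { 0xffffffff8120a000ULL, 0xffffffff81520000ULL },
};

static int cmp_site(const void *key, const void *elem)
{
    uint64_t k = *(const uint64_t *)key;
    uint64_t s = ((const struct static_call_site *)elem)->site;
    return (k > s) - (k < s);
}

/*
 * The int3 handler's part. After an int3 the saved RIP points one byte past
 * the 0xcc, so the call site is rip - 1 (assumption of this model). Returns 1
 * if the trap belonged to a static call and the registers were rewritten,
 * 0 if not, so a caller can pass the trap on to other int3 users.
 */
int static_call_int3_fixup(struct regs *regs)
{
    uint64_t site = regs->rip - 1;
    const struct static_call_site *e = bsearch(&site, sites,
            sizeof sites / sizeof sites[0], sizeof sites[0], cmp_site);
    if (!e)
        return 0;
    regs->r10 = site + CALL_INSN_SIZE;  /* return address the call would have pushed */
    regs->r11 = e->target;              /* where the call should land */
    regs->rip = TRAMPOLINE_ADDR;        /* resume in the trampoline, not at the site */
    return 1;
}

/* What the trampoline does:  push %r10 ; jmp *%r11 (via the retpoline thunk). */
void run_trampoline(struct regs *regs, struct stack *st)
{
    st->top--;
    st->slot[st->top] = regs->r10;
    regs->rip = regs->r11;
}

/*
 * Whole flow for a trap at 'trap_rip': returns the RIP execution resumes at
 * (the target on a hit, 0 on a miss) and stores the pushed return address.
 */
uint64_t simulate_patched_call(uint64_t trap_rip, uint64_t *pushed_ret)
{
    struct regs r = { .rip = trap_rip };
    struct stack st = { .top = 8 };

    if (!static_call_int3_fixup(&r))
        return 0;
    run_trampoline(&r, &st);
    *pushed_ret = st.slot[st.top];
    return r.rip;
}

int main(void)
{
    uint64_t ret;
    uint64_t rip = simulate_patched_call(0xffffffff81201041ULL, &ret);
    printf("resume at %#lx, return address %#lx\n",
           (unsigned long)rip, (unsigned long)ret);
    return 0;
}
```

The return address comes from the table lookup, not from anything the interrupted code pushed, which is why the scheme needs two registers the call site is known to clobber: one to carry that address to the trampoline's `push`, one for the target of the `jmp`.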