On Mon, Oct 31, 2022 at 03:54:22PM +1000, Nicholas Piggin wrote:
> Could the user set r1 to be equal to the address matching the first
> interrupt frame - STACK_INT_FRAME_SIZE, which is in the previous page
> due to the kernel redzone, and induce the kernel to load the marker from
> there? Possibly it could cause a crash at least.

Yes, the user can set r1 to anything, it is just a general-purpose register. This isn't a valid thing to do of course, the ABI requires r1 to point at a valid stack at all times, but it is an obvious attack point if we do not harden against this :-)

Segher