List:       netbsd-tech-kern
Subject:    Situations about PC values in kernel data
From:       Yue Chen <ychen.contact () gmail ! com>
Date:       2015-04-11 20:11:19
Message-ID: CAKtBrB5O1+WFzwCE6S_HXzUOp2+Nmoqvub3mBssSjbUf=9Khnw () mail ! gmail ! com

Hi,

We are working on a project about OS security.
We wonder in which situations the program counter (PC) value (e.g., the
value in %RIP on x86_64, i.e., the instruction address) could be in kernel
(module) data segments (including stack, heap, .rodata, etc.).

Here we mainly care about the addresses/values that are NOT function entry
points since there exist a number of function pointers. Also, we only
consider the normal cases because one can write arbitrary values into a
variable/pointer. And we mainly consider i386, AMD64 and ARM.

Here are some situations I can think about:
function/interrupt/exception/syscall return address on stack; switch/case
jump table target; page fault handler (pcb_onfault on *BSD); restartable
atomic sequences (RAS) registry; thread/process context structure like Task
state segment (TSS), process control block (PCB) and thread control block
(TCB); situations for debugging purposes (e.g., like those in ``segment not
present'' exception handler on FreeBSD, and trace exception handler on
NetBSD).  Any other cases?

Additionally, do any of these addresses have offset formats, or special
encodings?
For example, on x86_64, we may use 32-bit RIP-relative (addressing) offset
to represent a 64-bit full address. In glibc's setjmp/longjmp jmp_buf, they
use a special encoding (PTR_MANGLE) for saved register values.

Best thanks and regards,
Yue
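
The two encodings the question asks about, worked through as an added example (not part of the original mail or of any BSD or glibc source): glibc's x86_64 PTR_MANGLE, which stores a saved PC xor'ed with a per-process guard and rotated left by 0x11 bits, and a 32-bit RIP-relative displacement that encodes a 64-bit target relative to the end of the instruction. The guard value and the text-segment bounds are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>

/* glibc x86_64: PTR_MANGLE = xor %fs:guard, then rol $0x11;
 * PTR_DEMANGLE = ror $0x11, then xor %fs:guard. */
#define PTR_MANGLE_ROT 17u

static inline uint64_t rol64(uint64_t v, unsigned n) {
    return (v << n) | (v >> (64 - n));
}
static inline uint64_t ror64(uint64_t v, unsigned n) {
    return (v >> n) | (v << (64 - n));
}

/* Encode a saved PC the way a jmp_buf stores it. The stored word is a
 * code address, but it no longer looks like one when scanning memory. */
uint64_t ptr_mangle(uint64_t pc, uint64_t guard) {
    return rol64(pc ^ guard, PTR_MANGLE_ROT);
}

uint64_t ptr_demangle(uint64_t stored, uint64_t guard) {
    return ror64(stored, PTR_MANGLE_ROT) ^ guard;
}

/* A RIP-relative disp32 is relative to the address of the *next*
 * instruction, so the 64-bit target is insn_addr + insn_len + disp32. */
uint64_t rip_relative_target(uint64_t insn_addr, unsigned insn_len,
                             int32_t disp32) {
    return insn_addr + insn_len + (uint64_t)(int64_t)disp32;
}

/* Naive classifier a data-segment scan would use: is this word inside
 * the kernel text range? (bounds are constructed for the example) */
int points_into_text(uint64_t v, uint64_t text_start, uint64_t text_end) {
    return v >= text_start && v < text_end;
}

int main(void) {
    uint64_t guard = 0x1122334455667788ULL;      /* constructed guard */
    uint64_t pc = 0xffffffff80123456ULL;         /* constructed PC */
    uint64_t stored = ptr_mangle(pc, guard);
    printf("pc=%#lx stored=%#lx back=%#lx\n", (unsigned long)pc,
           (unsigned long)stored, (unsigned long)ptr_demangle(stored, guard));
    printf("rip-rel target=%#lx\n",
           (unsigned long)rip_relative_target(0xffffffff80100000ULL, 7, -0x1000));
    return 0;
}
```

The mangled word round-trips through ptr_demangle but fails the plain "points into text" test, which is why a scan for PC values in data has to know about such encodings rather than only comparing raw words against the text range.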
