From: Peter Zijlstra
Sent: 07 May 2019 09:58
...
> /*
>  * When we're here from kernel mode; the (exception) stack looks like:
>  *
>  *  4*4(%esp) - <previous context>
>  *  3*4(%esp) - flags
>  *  2*4(%esp) - cs
>  *  1*4(%esp) - ip
>  *  0*4(%esp) - orig_eax
Am I right in thinking that this is the only 'INT3' stack frame that needs to be 'fiddled' with? And that the 'emulate a call instruction' has verified that is the case?? So the %cs is always the kernel %cs.
If the 'call target' address is saved in a per-cpu location it ought to be possible to get the code that returns from the INT3 with the call target address (or zero) in %ax.
If non-zero, instead of 'pop %ax; iret' execute:
        xchg    %eax, 4(%esp)   - swap function address and callers ip
        push    12(%esp)        - old flags
        mov     14(%esp),%eax   - callers address over flags
        popf                    - enables interrupts (etc)
        pop     %eax
        retf                    - Jump to called function and remove %cs
Nothing else needs to be moved.
David
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
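A user-space model of the frame manipulation being discussed, added here as an illustration; it is not code from the patch, from Peter's tree or from the reply above. It lays out the kernel-mode int3 frame from the quoted comment as an array of 32-bit words (no ss/esp pair, because the privilege level did not change), performs the 'emulate a call' rewrite by sliding orig_eax/ip/cs/flags down one word so the return address lands exactly where a real `call` would have pushed it, runs the 'pop %eax; iret' exit path, and checks that the resulting state matches a genuine call. A second, deliberately broken variant skips the shift, which is the failure mode that makes the frame layout matter: the return address lands on top of the interrupted context. The patch-site address, target address, flags, orig_eax value, previous-context words and the 1-byte int3 / 5-byte call sizes are constructed sample values; the per-cpu target slot and the real entry code are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INT3_INSN_SIZE 1u   /* int3 is the single byte 0xCC */
#define CALL_INSN_SIZE 5u   /* e8 rel32, the instruction the int3 stands in for */

/* Word-granular model of a 32-bit kernel stack: word[0] is the lowest
 * address and sp indexes the current top of stack, i.e. %esp. */
struct stack {
    uint32_t word[16];
    int sp;
};

/* The registers the trap frame carries. */
struct cpu {
    uint32_t eax, eip, cs, eflags;
};

static void     push(struct stack *s, uint32_t v) { s->word[--s->sp] = v; }
static uint32_t pop(struct stack *s)              { return s->word[s->sp++]; }

/* Constructed sample values (assumptions, not taken from the thread). */
enum { PREV0 = 0xCAFE0000u, PREV1 = 0xCAFE0001u, KERNEL_CS = 0x60u };

/* Lay out the frame left by an int3 taken in kernel mode, as in the quoted
 * comment: previous context, then flags, cs, ip and orig_eax (lowest). */
static void build_int3_frame(struct stack *s, uint32_t trap_ip, uint32_t flags,
                             uint32_t orig_eax)
{
    memset(s, 0, sizeof(*s));
    s->sp = 10;
    s->word[10] = PREV0;       /* interrupted context, lowest word */
    s->word[11] = PREV1;
    push(s, flags);
    push(s, KERNEL_CS);
    push(s, trap_ip);          /* address just past the int3 byte */
    push(s, orig_eax);
}

/* Correct emulation: slide the four frame words down one slot so the return
 * address sits directly below the previous context, and redirect ip. */
static void emulate_call(struct stack *s, uint32_t func)
{
    uint32_t orig_eax = s->word[s->sp + 0];
    uint32_t trap_ip  = s->word[s->sp + 1];
    uint32_t cs       = s->word[s->sp + 2];
    uint32_t flags    = s->word[s->sp + 3];
    /* The trap ip is 1 byte past the patch site; the call was 5 bytes. */
    uint32_t ret = trap_ip - INT3_INSN_SIZE + CALL_INSN_SIZE;

    s->sp -= 1;                /* relies on one free word below the frame */
    s->word[s->sp + 0] = orig_eax;
    s->word[s->sp + 1] = func;
    s->word[s->sp + 2] = cs;
    s->word[s->sp + 3] = flags;
    s->word[s->sp + 4] = ret;
}

/* Broken variant for contrast: no shift, so the return address overwrites
 * the first word of the interrupted context. */
static void emulate_call_no_shift(struct stack *s, uint32_t func)
{
    uint32_t trap_ip = s->word[s->sp + 1];

    s->word[s->sp + 1] = func;
    s->word[s->sp + 4] = trap_ip - INT3_INSN_SIZE + CALL_INSN_SIZE;
}

/* The exit path the reply calls 'pop %ax; iret'. */
static void pop_eax_iret(struct stack *s, struct cpu *c)
{
    c->eax    = pop(s);
    c->eip    = pop(s);
    c->cs     = pop(s);
    c->eflags = pop(s);
}

/* Returns 1 when the post-iret state is what `call func` at the patch site
 * would have produced: ip is the target, cs/flags/eax are untouched, %esp
 * points at the return address and the previous context sits right above. */
static int check_emulated_call(void)
{
    struct stack s;
    struct cpu c = {0};
    const uint32_t site = 0xC1000100u, func = 0xC1234560u, flags = 0x246u;

    build_int3_frame(&s, site + INT3_INSN_SIZE, flags, 0xA5A5A5A5u);
    emulate_call(&s, func);
    pop_eax_iret(&s, &c);

    return c.eip == func && c.cs == KERNEL_CS && c.eflags == flags &&
           c.eax == 0xA5A5A5A5u && s.sp == 9 &&
           s.word[s.sp] == site + CALL_INSN_SIZE &&
           s.word[s.sp + 1] == PREV0 && s.word[s.sp + 2] == PREV1;
}

/* Returns 1 when the no-shift variant has clobbered the previous context. */
static int check_no_shift_corrupts_context(void)
{
    struct stack s;
    struct cpu c = {0};
    const uint32_t site = 0xC1000100u, func = 0xC1234560u;

    build_int3_frame(&s, site + INT3_INSN_SIZE, 0x246u, 0xA5A5A5A5u);
    emulate_call_no_shift(&s, func);
    pop_eax_iret(&s, &c);

    return c.eip == func && s.word[s.sp] != PREV0;
}

int main(void)
{
    printf("shifted frame : %s\n", check_emulated_call() ? "matches a real call" : "BROKEN");
    printf("no-shift frame: %s\n", check_no_shift_corrupts_context()
                                   ? "previous context clobbered" : "intact");
    return 0;
}
```

The model makes the constraint in the thread concrete: because a same-privilege trap on 32-bit pushes only flags/cs/ip, the word immediately above flags is live data of the interrupted context, so any scheme that inserts a return address has to move the whole frame (or have the entry code leave a gap) rather than write into that slot.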