On 14/10/24, Andy Lutomirski wrote:
On Fri, Oct 24, 2014 at 1:19 PM, H. Peter Anvin <hpa(a)zytor.com>
wrote:
> On 10/23/2014 12:38 PM, Eric Paris wrote:
>>> After the call __audit_syscall_entry aren't they already polluted?
>>> Isn't that the reason we need to reload EAX?
>>
>> Well, I guess EAX is special...
>
> Because system calls are "asmlinkage", all the parameters are on the
> stack, but %eax is used as the index into the system call table. This
> should thus be fine until we get rid of regparm(0) entirely, if that
> ever happens.
...and because __audit_syscall_entry *isn't* asmlinkage, it uses the
other convention, which is where the confusion comes from. And, by
the time you get to sysenter_do_call, nothing cares about ecx, so you
can freely clobber it while popping from the stack. I get it now.
So you could just as easily clobber %eax since that'll be restored from
PT_EAX(%esp) anyways in the following step...
Or instead of popping these two values, could ajust the stack with
addl $8,%esp
CFI_ADJUST_CFA_OFFSET -8
since we don't need either value popped off the stack?
--Andy
> -hpa
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545