This patch, which depends on the previous %ebx -> %ebp patch, removes
all pop instruction in the sysenter return path.
This leaks the thread_info address to user mode but this shouldn't be
a security problem.
This is what happens to the various registers:
%eax: return value from system call: already in place
%ebx, %esi, %edi: saved by the C compiler
%ecx, %edx, %ebp: restored by user mode, fixed values by kernels
%esp, eip: copied to %ecx/%edx and restored by sysexit
%ds, %es: initialized to __USER_DS on kernel entry
%cs, %ss: restored by sysexit based on msr
%fs, %gs: not modified by the kernel (saved around context switch)
eflags: not preserved, iopl saved around context switch
FP, XMM: any code that modifies them must save/restore them
Note that while it is possible to change %ebx, %esi, %edi, %ecx, %edx
or %ebp via struct pt_regs, anything that does should set TIF_IRET or
another work flag (and it hopefully already does).
movl TI_FLAGS(%ebp), %ecx
testw $_TIF_ALLWORK_MASK, %cx
jne syscall_exit_work
- RESTORE_INT_REGS
- movl 12(%esp),%edx
- movl 24(%esp),%ecx
+/* if something modifies registers it must also disable sysexit */
+ movl EIP(%esp), %edx
+ movl OLDESP(%esp), %ecx
sti
sysexit
projects / history.git / commitdiff