From owner-freebsd-arch@FreeBSD.ORG Fri Apr 17 13:30:53 2015
From: John Baldwin
To: freebsd-arch@freebsd.org
Cc: Yue Chen
Subject: Re: Situations about PC values in kernel data segments
Date: Fri, 17 Apr 2015 09:22:43 -0400
Message-ID: <6048769.xVxqkDkTGK@ralph.baldwin.cx>

On Saturday, April 11, 2015 05:18:28 AM Yue Chen wrote:
> Dear all,
>
> We are working on a project about OS security.
> We wonder in which situations the program counter (PC) value (e.g., the
> value in %RIP on x86_64, i.e., the instruction address) could be in kernel
> (module) data segments (including stack, heap, etc.).
>
> Here we mainly care about addresses/values that are NOT function entry
> points, since there exist a number of function pointers. Also, we only
> consider the normal cases, because one can write arbitrary values into a
> variable/pointer. And we mainly consider i386, AMD64 and ARM.
>
> Here are some situations I can think of: function/interrupt/exception/syscall
> return address on stack; switch/case jump table target; page fault handler
> (pcb_onfault on *BSD); restartable atomic sequences (RAS) registry;
> thread/process context structures like the Task state segment (TSS),
> process control block (PCB) and thread control block (TCB); situations for
> debugging purposes (e.g., those in the "segment not present" exception
> handler).
>
> Additionally, do any of these addresses have offset formats or special
> encodings? For example, on x86_64, we may use a 32-bit RIP-relative
> (addressing) offset to represent a 64-bit full address. In glibc's
> setjmp/longjmp jmp_buf, they use a special encoding (PTR_MANGLE) for saved
> register values.

For i386 and amd64, I think all of the code that is executed does live in a
.text segment. When pcb_onfault is used it is set to point to code in a
.text segment, not anywhere else. Similarly, fault and exception handlers,
as well as the stub for new threads/processes after fork/thread_create, are
in .text as well. There are multiple text segments present when modules are
loaded, of course, but you should be able to enumerate all of those in the
linker.

-- 
John Baldwin
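As an added illustration of the reply's point that a saved PC value can be checked by enumerating the loaded text segments (example code written for this note, not from the thread or from FreeBSD), the userspace program below walks the running executable's own ELF program headers and classifies an address as lying in an executable segment, a writable data segment, or in neither. It assumes Linux/glibc, a 64-bit ELF process, and that the addresses tested belong to this executable; the kernel analogue would walk the linker's list of loaded files, and FreeBSD userland exposes the same aux-vector lookup as elf_aux_info(3).

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/auxv.h>

enum pc_class { PC_UNKNOWN = 0, PC_TEXT, PC_DATA };

/* Classify pc against the PT_LOAD segments of the running executable:
 * PC_TEXT if it falls in an executable segment, PC_DATA if in a
 * non-executable one, PC_UNKNOWN if it is in no segment of this object
 * (stack, heap, another shared object, or a bogus value).
 * Assumption: Linux/glibc getauxval(3) and a 64-bit ELF process. */
enum pc_class classify_pc(uintptr_t pc)
{
    const Elf64_Phdr *phdr = (const Elf64_Phdr *)getauxval(AT_PHDR);
    unsigned long phnum = getauxval(AT_PHNUM);
    uintptr_t base = 0;

    if (phdr == NULL || phnum == 0)
        return PC_UNKNOWN;

    /* For PIE binaries p_vaddr is relative to the load base; recover the
     * base from PT_PHDR, which describes the header table we were handed. */
    for (unsigned long i = 0; i < phnum; i++)
        if (phdr[i].p_type == PT_PHDR)
            base = (uintptr_t)phdr - phdr[i].p_vaddr;

    for (unsigned long i = 0; i < phnum; i++) {
        const Elf64_Phdr *ph = &phdr[i];
        uintptr_t start = base + ph->p_vaddr;
        uintptr_t end = start + ph->p_memsz;   /* p_memsz covers .bss too */
        if (ph->p_type == PT_LOAD && pc >= start && pc < end)
            return (ph->p_flags & PF_X) ? PC_TEXT : PC_DATA;
    }
    return PC_UNKNOWN;
}

static int global_counter;               /* .bss: writable, not executable */

/* A local's address is on the stack, which no PT_LOAD of this object covers. */
enum pc_class classify_stack_slot(void)
{
    volatile int slot = 0;
    return classify_pc((uintptr_t)&slot);
}

int main(void)
{
    printf("function -> %d (PC_TEXT=%d)\n", classify_pc((uintptr_t)classify_pc), PC_TEXT);
    printf("global   -> %d (PC_DATA=%d)\n", classify_pc((uintptr_t)&global_counter), PC_DATA);
    printf("stack    -> %d (PC_UNKNOWN=%d)\n", classify_stack_slot(), PC_UNKNOWN);
    return 0;
}
```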