From owner-freebsd-arch@FreeBSD.ORG Sat Apr 11 09:18:59 2015 Return-Path: Delivered-To: freebsd-arch@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A1648916 for ; Sat, 11 Apr 2015 09:18:59 +0000 (UTC) Received: from mail-pd0-x22a.google.com (mail-pd0-x22a.google.com [IPv6:2607:f8b0:400e:c02::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6FCB3883 for ; Sat, 11 Apr 2015 09:18:59 +0000 (UTC) Received: by pdbqa5 with SMTP id qa5so48526677pdb.1 for ; Sat, 11 Apr 2015 02:18:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:from:date:message-id:subject:to:content-type; bh=+m/Aw1ByPVkX8y0Q4tJxEf4gGzm27sivx58/OhSJ5+4=; b=emaPJOrgGPBS8txGxbCOepdJpfNezoWVCp9QevKLJqs4bU+ukcahPEH+zBYZpJUMFA jHYUlNuGqjn5yLLtE8WYTO+NP5+fjUQ9QE7EZrHCtladHjbGsVcJmzZmSP+ozFSmByW4 srLo5UL0HPxAHHh3vBs6SKQnlfd7T9yucTMF1bBBAuVvMyq3MODjy+V8R/YSCuagaIIS gBGyS87ymoO/C4/BTqgARLyYvdxOcxIM+DOYioaRP2J+fBQQAbsXzOkZVeGCM7JO5mj5 vGa08nSpzJ3PaSbBypITTNp/ehTSO5j1i3Ag4RpbVlGaJPjjFa7hh1haIvr8xbSAJwLT 3JUg== X-Received: by 10.66.141.77 with SMTP id rm13mr9709914pab.14.1428743938941; Sat, 11 Apr 2015 02:18:58 -0700 (PDT) MIME-Version: 1.0 Sender: ycyc321@gmail.com Received: by 10.67.2.42 with HTTP; Sat, 11 Apr 2015 02:18:28 -0700 (PDT) From: Yue Chen Date: Sat, 11 Apr 2015 05:18:28 -0400 X-Google-Sender-Auth: u9fTaWSOCxNlA8X1uXIT-sWoPL0 Message-ID: Subject: Situations about PC values in kernel data segments To: freebsd-arch@freebsd.org Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Apr 2015 09:18:59 -0000 Dear all, We are working on a project about OS security. We wonder in which situations the program counter (PC) value (e.g., the value in %RIP on x86_64, i.e, instruction address) could be in kernel (module) data segments (including stack, heap, etc.). Here we mainly care about the address/value that are NOT function entry points since there exist a number of function pointers. Also, we only consider the normal cases because one can write arbitrary values into a variable/pointer. And we mainly consider i386, AMD64 and ARM. Here are some situations I can think about: function/interrupt/exception/syscall return address on stack; switch/case jump table target; page fault handler (pcb_onfault on *BSD); restartable atomic sequences (RAS) registry; thread/process context structure like Task state segment (TSS), process control block (PCB) and thread control block (TCB); situations for debugging purposes (e.g., like those in ``segment not present'' exception handler). Additionally, does any of these addresses have offset formats or special encodings? For example, on x86_64, we may use 32-bit RIP-relative (addressing) offset to represent a 64-bit full address. In glibc's setjmp/longjmp jmp_buf, they use a special encoding (PTR_MANGLE) for saved register values. Best thanks and regards, Yue