Open kovdan01 opened 1 month ago
There are several places, where unsigned x30 (LR) is stored in memory, being vulnerable for substitution.
crt/aarch64/crtn.s and crt/aarch64/crti.s - load/store or LR in context of .init and .fini (not to be messed up with .init_array and .fini_array)
.init
.fini
.init_array
.fini_array
src/signal/aarch64/sigsetjmp.s - store/load of unsigned LR in prologue/epilogue
src/setjmp/aarch64/setjmp.s - store unsigned LR to jump context structure
src/setjmp/aarch64/longjmp.s - restore unsigned LR from jump context structure
Tagging @asl
kovdan01
commented
1 month ago kovdan01
commented
1 month ago
There are several places, where unsigned x30 (LR) is stored in memory, being vulnerable for substitution.
crt/aarch64/crtn.s and crt/aarch64/crti.s - load/store or LR in context of
.initand.fini(not to be messed up with.init_arrayand.fini_array)src/signal/aarch64/sigsetjmp.s - store/load of unsigned LR in prologue/epilogue
src/setjmp/aarch64/setjmp.s - store unsigned LR to jump context structure
src/setjmp/aarch64/longjmp.s - restore unsigned LR from jump context structure