Closed weiwenhao closed 1 month ago
>0x60e1a0 <libucontext_trampoline>    mov    (%rbx),%rdi
>0x60e1a3 <libucontext_trampoline+3>  test   %rdi,%rdi
>0x60e1a6 <libucontext_trampoline+6>  je     0x60e1b0 <libucontext_trampoline+16>
>0x60e1a8 <libucontext_trampoline+8>  jmpq   0x60e1ba <setcontext>
>0x60e1ad <libucontext_trampoline+13> nopl   (%rax)
>0x60e1b0 <libucontext_trampoline+16> sub    $0x8,%rsp
>0x60e1b4 <libucontext_trampoline+20> callq  0x60e69c <exit>
When I finish executing the ctx fn, having modified the rbx register within fn, and return to the old ctx, mov (%rbx) is unable to read the correct stack base address.
Yes, %rbx holds the link pointer address. Changing it will break the trampoline.
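As an added example (not code from the issue or from libucontext itself), the C program below shows the uc_link return path the trampoline implements and why a context function that touches %rbx must put it back: the inline asm declares rbx as clobbered, so the compiler saves and restores it around the write and the trampoline still finds the link pointer. It assumes an x86-64 Linux build against glibc's or libucontext's <ucontext.h>; the function and variable names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <ucontext.h>

#define STACK_SIZE (64 * 1024)

static ucontext_t main_ctx, fn_ctx;   /* caller context and the new context */
static volatile int fn_ran;

/* Entry point of the new context. It writes %rbx, but lists "rbx" in the
 * clobber list so the compiler preserves the callee-saved value around the
 * asm. When fn returns, the trampoline reads the uc_link pointer via %rbx
 * and jumps to setcontext(uc_link); a stray write to rbx would break that. */
static void fn(void)
{
    fn_ran = 1;
#if defined(__x86_64__)
    unsigned long scratch = 0;
    __asm__ volatile("mov $0x1234, %%rbx\n\t"
                     "mov %%rbx, %0"
                     : "=r"(scratch) : : "rbx");
    (void)scratch;
#endif
    /* returning here hands control to the trampoline -> setcontext(uc_link) */
}

/* Runs fn on its own stack with uc_link = main_ctx.
 * Returns 1 if control came back through uc_link, -1 on setup failure. */
int run_with_link(void)
{
    void *stack = malloc(STACK_SIZE);
    if (!stack) return -1;
    if (getcontext(&fn_ctx) != 0) { free(stack); return -1; }
    fn_ctx.uc_stack.ss_sp = stack;
    fn_ctx.uc_stack.ss_size = STACK_SIZE;
    fn_ctx.uc_link = &main_ctx;          /* resume here when fn returns */
    makecontext(&fn_ctx, fn, 0);
    fn_ran = 0;
    if (swapcontext(&main_ctx, &fn_ctx) != 0) { free(stack); return -1; }
    free(stack);                         /* fn has finished; stack is unused */
    return fn_ran;
}

int main(void)
{
    printf("returned via uc_link: %s\n", run_with_link() == 1 ? "yes" : "no");
    return 0;
}
```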