From: David Laight
> Sent: 21 July 2022 09:22
>
> From: Peter Zijlstra
> > Sent: 20 July 2022 22:13
> ...
> > The prettiest option to obscure the immediate at the callsite I could
> > conjure up is something like:
> >
> > kcfi_caller_linus:
> > movl $0x12345600, %r10d
> > movb $0x78, %r10b
> > cmpl %r10d, -OFFSET(%r11)
> > je 1f
> > ud2
> > 1: call __x86_thunk_indirect_r11
> >
> > Which comes to around 22 bytes (+5 over the original).
>
> You'd be better doing:
> movl $0x12345678-0xaa, %r10d
> addl $0xaa, %r10d
> so that the immediate is obscured even if the low bits are zero.
Actually, can't you use %eax instead of %r10d?
IIRC it is only used for the number of FP registers in a varargs
call - and that isn't used in the kernel.
That removes the 3 'REG' prefixes and lets you use the
2-byte 04-xx instruction to add to %al.
Although I'm sure I remember something about a penalty for
accessing %al just after the full register.
So the 3-byte sign extending add may be better.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)