On Wed Jan 22 17:46:41 2025 +0000, Paul Gofman wrote:
I didn't look in all the details or test that, but one thing that stands out to me in this patch is that analyzing instructions at fault address is very unfortunate. First, I suspect the way it is written now it may crash at handler if the under instruction pointer is not accessible (see is_privileged_instr() for the proper handling). That could be solved, but analyzing the instructions here is also very unfortunate. It is a lot of complication and there are probably cases which are not covered by the current code, e.g., there could be some extra no-op prefixes which are frequently encountered in obfuscated code. Maybe a better way would be to check for the gsbase in the handler and if it is unexpected set it to the right value and continue from the faulted instruction? Do you have any real app depending on that or is it just to fix the test?
That, and if it segfaults on a %gs-based instruction for reasons other than bad gsbase (multiple segment prefixes, or code pointer in nonexecutable page, for example), won't that give an infinite loop of the same segfault?
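As an added illustration (not Wine's code and not a patch from this thread) of the handler approach suggested above, together with the loop concern raised in the reply: a SIGSEGV handler that reads gsbase with arch_prctl, restores it and returns so the kernel re-executes the faulting instruction, and bails out via siglongjmp when gsbase was already correct, so an unrelated %gs fault cannot re-fault forever. It assumes Linux x86-64 and uses a constructed array, expected_block, in place of the real thread block.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define ARCH_SET_GS 0x1001   /* from <asm/prctl.h>; Linux x86-64 only */
#define ARCH_GET_GS 0x1004

/* Constructed stand-in for the thread block the program expects %gs to address. */
static uint64_t expected_block[4] = { 0xfeedfaceULL, 0, 0, 0 };
static sigjmp_buf bail;          /* escape for faults the handler cannot fix */
int fixups, unfixable;           /* counters inspected by the test */

static void segv_handler(int sig, siginfo_t *si, void *uctx) {
    unsigned long cur = 0, want = (unsigned long)expected_block;
    (void)sig; (void)si; (void)uctx;
    syscall(SYS_arch_prctl, ARCH_GET_GS, &cur);
    /* Wrong gsbase: restore it and return.  rip still points at the faulting
       instruction, so the kernel re-executes it with the corrected base. */
    if (cur != want && syscall(SYS_arch_prctl, ARCH_SET_GS, want) == 0) {
        fixups++;
        return;
    }
    /* gsbase is already right (or could not be set): returning would only
       re-fault forever, so bail out instead of looping. */
    unfixable++;
    siglongjmp(bail, 1);
}

/* One %gs-relative load under the handler.  With bad_base set, gsbase is
   zeroed first (the bug under discussion); otherwise gsbase is correct but the
   offset makes the effective address gsbase + (0 - gsbase) == 0, an unmapped
   page, i.e. a %gs fault that is not a gsbase problem. */
uint64_t gs_load(int bad_base) {
    uint64_t v = 0;
    unsigned long want = (unsigned long)expected_block;
    unsigned long off = bad_base ? 0 : 0UL - want;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGSEGV, &sa, NULL);
    if (sigsetjmp(bail, 1)) return 0;        /* handler gave up */
    syscall(SYS_arch_prctl, ARCH_SET_GS, bad_base ? 0UL : want);
    __asm__ volatile("movq %%gs:(%1), %0" : "=r"(v) : "r"(off) : "memory");
    return v;
}
```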