On Fri May 2 11:06:50 2025 +0000, Jinoh Kang wrote:
Since the iret slowpath is triggered, it means the game is either installing instrumentation context or setting context, isn't it? Merely entering the syscall with NT flag is not enough to trigger the bug. If the slowpath is triggered by CONTEXT_CONTROL, it would be automatically handled by !283 since now the EFlags is overwritten by a sanitized value. Otherwise, the game is either using instrumentation callback or setting CONTEXT_INTEGER *only* (w/o _CONTROL). Either case seems unlikely to me. If this is the case, maybe that needs to be documented (as well as tested to prevent regression).
Probably doesn't matter short term, just curious if I was getting it right, since !283 would make clear-NT-at-iret redundant if my hypothesis is correct and possibly closer to native even. In any case, thanks for your work!