Restore optimisation for victim_function() and fix the actual bug: put 'addr' in rax before calling gadget, otherwise there is a NULL dereference happening at architectural level when optimized

sk4nz 2022-03-29 15:10:04 +02:00
parent daad45152a
commit 1556553f06


@ -46,13 +46,7 @@ safe_target()
// function that makes indirect call // function that makes indirect call
// note that addr will be passed to gadget via %rdi // note that addr will be passed to gadget via %rdi
int int
#if defined(__clang__)
victim_function(char* addr, int input) __attribute__ ((optnone))
#elif defined(__GNUC__) || defined(__GNUG__)
__attribute__((optimize("O0"))) victim_function(char* addr, int input)
#else
victim_function(char* addr, int input) victim_function(char* addr, int input)
#endif
{ {
#pragma GCC diagnostic ignored "-Wuninitialized" #pragma GCC diagnostic ignored "-Wuninitialized"
unsigned int result, junk = junk; unsigned int result, junk = junk;
@ -65,10 +59,12 @@ victim_function(char* addr, int input)
junk += input & i; junk += input & i;
} }
// call *target // call *target
__asm volatile("callq *%1\n" __asm volatile(
"mov %%eax, %0\n" "mov %%rax, %2\n"
"callq *%1\n"
"mov %0, %%eax\n"
: "=r" (result) : "=r" (result)
: "r" (*target) : "r" (*target), "r" (addr)
: "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); : "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
return result & junk; return result & junk;
} }
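Review bot: The operand direction of the two new `mov` lines in the asm block of the second hunk looks reversed under the AT&T syntax the rest of the statement uses: `mov %%rax, %2` copies rax into the register holding `addr` (and so writes an input-only `"r"` operand), and `mov %0, %%eax` copies the not-yet-written output register into eax, leaving `result` unset; the direction described in the commit message only matches if this file is built with `-masm=intel`, which the hunk does not show. A constraint-based form avoids the question entirely: keep only `"callq *%1\n"` as the template, change the operand lists to `: "=a" (result)` and `: "r" (*target), "a" (addr)`, and drop `"rax"` from the clobber list, since an operand may not live in a clobbered register. The comment above the function still says addr is passed to the gadget via %rdi, which no longer matches the rax hand-off; update it to `// note that addr will be passed to gadget via %rax` or state why both registers are expected to hold it. victim_function's body begins in the first hunk, so these lines are only its tail.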