On Tue, Oct 24, 2023 at 09:00:29PM -0700, Pawan Gupta wrote:
> config1: mitigations=on, 32-bit mode, post-boot
>
> entry_SYSENTER_32:
> ...
>    0xc1a3748e <+222>:	pop    %eax
>    0xc1a3748f <+223>:	verw   0xc1a38240
>    0xc1a37496 <+230>:	sti
>    0xc1a37497 <+231>:	sysexit
>
> ---------------------------------------------
>
> config2: mitigations=off, 32-bit mode, post-boot
>
> entry_SYSENTER_32:
> ...
>    0xc1a3748e <+222>:	pop    %eax
>    0xc1a3748f <+223>:	lea    0x0(%esi,%eiz,1),%esi    <---- Doesn't look right
>    0xc1a37496 <+230>:	sti
>    0xc1a37497 <+231>:	sysexit
>
> ---------------------------------------------
>
> config3: 32-bit mode, pre-boot objdump
>
> entry_SYSENTER_32:
> ...
>  c8e:	58                   	pop    %eax
>  c8f:	90                   	nop
>  c90:	90                   	nop
>  c91:	90                   	nop
>  c92:	90                   	nop
>  c93:	90                   	nop
>  c94:	90                   	nop
>  c95:	90                   	nop
>  c96:	fb                   	sti
>  c97:	0f 35                	sysexit

If you look at arch/x86/include/asm/nops.h, you'll find (for 32bit):

 * 7: leal 0x0(%esi,%eiz,1),%esi

Which reads as: load-effective-address of %esi[0] into %esi which is, of
course, just %esi.

You can also get this from GAS using:

	.nops 7

which results in:

   0:	8d b4 26 00 00 00 00 	lea    0x0(%esi,%eiz,1),%esi

It is basically abusing bizarro x86 instruction encoding rules to create
a 7 byte nop without using NOPL.

If you really want to know, volume 2 of the SDM has a ton of stuff on
instruction encoding, also the interweb :-)
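Added example (not from the thread or the kernel tree): a small ModRM/SIB decoder that walks the `8d b4 26 00 00 00 00` bytes quoted above and shows why they spell `lea 0x0(%esi,%eiz,1),%esi`, and that the `verw` it replaces occupies the same 7 bytes (so the alternatives patch is a same-size swap, not a mis-decode). The `verw 0xc1a38240` byte string is constructed here from the `0f 00 /5` + disp32 encoding in the SDM; the thread shows only its mnemonic.

```python
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_modrm(code, pos):
    """Decode ModRM (+SIB, +disp) at code[pos] in 32-bit mode.
    Returns (reg/opcode-extension field, AT&T operand text, bytes consumed)."""
    start = pos
    modrm = code[pos]; pos += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:                                   # register-direct operand
        return reg, "%" + REG32[rm], pos - start
    base, index, scale, disp = None, None, 1, 0
    if rm == 4:                                    # rm=100: a SIB byte follows
        sib = code[pos]; pos += 1
        scale, idx, base_f = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        # index=100 means "no index"; GAS/objdump spell that as %eiz
        index = "%eiz" if idx == 4 else "%" + REG32[idx]
        if mod == 0 and base_f == 5:               # no base register, disp32 follows
            disp, pos = struct.unpack_from("<i", code, pos)[0], pos + 4
        else:
            base = "%" + REG32[base_f]
    elif mod == 0 and rm == 5:                     # absolute disp32 (the verw case)
        disp, pos = struct.unpack_from("<i", code, pos)[0], pos + 4
    else:
        base = "%" + REG32[rm]
    if mod == 1:                                   # disp8
        disp, pos = struct.unpack_from("<b", code, pos)[0], pos + 1
    elif mod == 2:                                 # disp32 (the lea case: mod=10)
        disp, pos = struct.unpack_from("<i", code, pos)[0], pos + 4
    text = f"0x{disp & 0xffffffff:x}"
    if base or index:
        text += "(" + (base or "") + (f",{index},{scale}" if index else "") + ")"
    return reg, text, pos - start

def disassemble(code):
    """Handles just the two opcodes in the thread: lea (8d /r) and verw (0f 00 /5)."""
    if code[0] == 0x8d:
        reg, mem, n = decode_modrm(code, 1)
        return f"lea {mem},%{REG32[reg]}", 1 + n
    if code[:2] == b"\x0f\x00":
        ext, mem, n = decode_modrm(code, 2)
        if ext == 5:
            return f"verw {mem}", 2 + n
    raise ValueError("opcode not handled by this example")

NOP7 = bytes.fromhex("8db42600000000")                           # the .nops 7 output above
VERW = bytes.fromhex("0f002d") + struct.pack("<I", 0xc1a38240)   # constructed: verw 0xc1a38240

if __name__ == "__main__":
    for name, code in (("NOP7", NOP7), ("VERW", VERW)):
        text, length = disassemble(code)
        print(f"{name}: {code.hex()} -> {text} ({length} bytes)")
```

Both decode to 7 bytes, matching the +223 to +230 gap in the quoted dumps.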