On Fri, 5 Apr 2024 10:56:15 +0200
Jiri Olsa <olsajiri@xxxxxxxxx> wrote:

> > > > Can we avoid this with below strict check?
> > > >
> > > > if (ri->stack != regs->sp + expected_offset)
> > > >     goto sigill;
> >
> > hm the current uprobe 'alive' check makes sure the return_instance is above
> > or at the same stack address, not sure we can match it exactly, need to think
> > about that more
> >
> > > >
> > > > expected_offset should be 16 (push * 3 - ret) on x64 if we ri->stack is the
> > > > regs->sp right after call.
> >
> > the syscall trampoline already updates the regs->sp before calling
> > handle_trampoline
> >
> >   regs->sp += sizeof(r11_cx_ax);

Yes, that is the "push * 3" part. And "- ret" means that the stack entry
stored by the call is consumed by the "ret".

 1: |--------| <- sp at function entry == ri->stack
 0: |ret-addr| <- call pushed it

 0: |ret-addr| <- sp at return trampoline

 3: |r11     | <- regs->sp at syscall
 2: |rcx     |
 1: |rax     | <- ri->stack
 0: |ret-addr|

(Note: The lower the line, the larger the address.)

Thus, we can check the stack address by (regs->sp + 16 == ri->stack).

Thank you,

-- 
Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
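The stack sequence walked through in the message above, replayed as an added example. This is a constructed userspace model written for this page, not kernel code and not code posted in the thread: the addresses are made up, the stack is a small array, the trampoline push order rax, rcx, r11 is taken from the diagram, and the `regs->sp += sizeof(r11_cx_ax)` adjustment Jiri mentions is modelled as adding 24 bytes. The model records `ri->stack` at function entry (the sp right after `call`), lets `ret` consume that slot, performs the three pushes, and then evaluates the proposed strict check against the raw sp at the syscall.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the x86-64 user stack around the uretprobe trampoline.
 * Not kernel code: addresses are invented, only their differences matter.
 * sp follows the x86 convention and holds the address of the last pushed qword. */
#define NSLOTS 16
#define R11_CX_AX_BYTES (3 * 8)   /* models sizeof(r11_cx_ax) from the thread */
#define EXPECTED_OFFSET 16        /* push * 3 - ret, the value proposed in the thread */

struct stack_model {
    uint64_t base;            /* address modelled by mem[0], the lowest slot */
    uint64_t mem[NSLOTS];     /* mem[i] models the qword at base + 8*i */
    uint64_t sp;
};

static uint64_t *slot(struct stack_model *s, uint64_t addr)
{
    return &s->mem[(addr - s->base) / 8];
}

static void push(struct stack_model *s, uint64_t v)
{
    s->sp -= 8;
    *slot(s, s->sp) = v;
}

static uint64_t pop(struct stack_model *s)
{
    uint64_t v = *slot(s, s->sp);
    s->sp += 8;
    return v;
}

struct layout {
    uint64_t ri_stack;        /* regs->sp saved by the entry uprobe */
    uint64_t sp_at_syscall;   /* raw sp when the trampoline executes syscall */
    uint64_t sp_adjusted;     /* sp after regs->sp += sizeof(r11_cx_ax) */
    uint64_t landed_on;       /* address the hijacked ret transferred to */
};

/* Replay call -> entry uprobe -> ret -> trampoline pushes -> syscall. */
struct layout replay_uretprobe(void)
{
    struct stack_model s = { .base = 0x7ffd0000 };   /* constructed base address */
    const uint64_t ret_addr = 0x401234;              /* constructed return address */
    const uint64_t trampoline = 0x7fff0000;          /* constructed trampoline address */
    struct layout l;

    s.sp = s.base + 8 * NSLOTS;       /* empty stack: sp just past the top */
    push(&s, ret_addr);               /* call: pushes the return address */
    l.ri_stack = s.sp;                /* entry uprobe: ri->stack = regs->sp */
    *slot(&s, s.sp) = trampoline;     /* hijack the return address */

    l.landed_on = pop(&s);            /* ret: consumes the slot the call stored */
    push(&s, 0xaa);                   /* push %rax */
    push(&s, 0xcc);                   /* push %rcx */
    push(&s, 0x11);                   /* push %r11 */
    l.sp_at_syscall = s.sp;           /* syscall happens here */
    l.sp_adjusted = s.sp + R11_CX_AX_BYTES;
    return l;
}

/* The strict check from the thread, applied to the raw sp at the syscall. */
bool uretprobe_stack_check(uint64_t regs_sp, uint64_t ri_stack)
{
    return ri_stack == regs_sp + EXPECTED_OFFSET;
}

/* ri->stack minus the raw syscall sp: the "push * 3 - ret" distance. */
long raw_offset(void)
{
    struct layout l = replay_uretprobe();
    return (long)(l.ri_stack - l.sp_at_syscall);
}

/* Adjusted sp minus ri->stack: what remains after the +sizeof(r11_cx_ax) fixup. */
long adjusted_offset(void)
{
    struct layout l = replay_uretprobe();
    return (long)(l.sp_adjusted - l.ri_stack);
}

int main(void)
{
    struct layout l = replay_uretprobe();
    printf("ri->stack          = 0x%" PRIx64 "\n", l.ri_stack);
    printf("regs->sp @ syscall = 0x%" PRIx64 " (ri->stack - %ld)\n", l.sp_at_syscall, raw_offset());
    printf("regs->sp adjusted  = 0x%" PRIx64 " (ri->stack + %ld)\n", l.sp_adjusted, adjusted_offset());
    printf("strict check on raw sp: %s\n",
           uretprobe_stack_check(l.sp_at_syscall, l.ri_stack) ? "ok" : "sigill");
    return 0;
}
```

In this model the raw sp at the syscall sits 16 bytes below `ri->stack`, matching the "push * 3 - ret" arithmetic, while the sp after the `+= sizeof(r11_cx_ax)` adjustment sits 8 bytes above it; the constant in a strict check therefore has to match whichever sp value the handler is actually comparing.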