On 02/08/2012 10:03 PM, Indan Zupancic wrote:
> You can check the syscall instruction itself, either before it's executed or afterwards by checking the IP. Though that's trickier, because the kernel points the IP to just after int80 for a sysenter call, so you have to check if there's a sysenter nearby too.
No, that's a total nightmare. FAIL.
> But the kernel is actually changing the registers, so why hide that? I mean, once user space is aware that the kernel may do swizzling, is there any actual problem left? Because this sounds like user space was trying to be clever, but got it wrong. E.g. it knew the kernel was entered not via int80, but then got confused because of the swizzling.
It would be great if we didn't have an existing compatibility problem. As it is we can't get rid of it easily.
-hpa