> From: Peter Zijlstra
> Sent: 07 May 2019 09:58
...
> +	/*
> +	 * When we're here from kernel mode; the (exception) stack looks like:
> +	 *
> +	 * 4*4(%esp) - <previous context>
> +	 * 3*4(%esp) - flags
> +	 * 2*4(%esp) - cs
> +	 * 1*4(%esp) - ip
> +	 * 0*4(%esp) - orig_eax

Am I right in thinking that this is the only 'INT3' stack frame that needs to be 'fiddled' with?
And that the 'emulate a call instruction' has verified that is the case??
So the %cs is always the kernel %cs.

If the 'call target' address is saved in a per-cpu location it ought to be possible to get the code that returns from the INT3 with the call target address (or zero) in %ax.

If non-zero, instead of 'pop %ax; iret' execute:

	xchg	%eax, 4(%esp)	- swap function address and callers ip
	push	12(%esp)	- old flags
	mov	14(%esp),%eax	- callers address over flags
	popf			- enables interrupts (etc)
	pop	%eax
	retf			- Jump to called function and remove %cs

Nothing else needs to be moved.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
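Review bot: the comment lists the layout but does not say why the kernel-mode case is the special one: the <previous context> slot sits directly above flags because no ss/esp pair was pushed (no privilege change), so there is no spare slot to push a return address into and the whole frame has to be moved. Suggest adding one line after "When we're here from kernel mode;" such as " * (no ss/esp were pushed: the interrupted code was already on this stack)" so a reader sees that the missing ss/esp slots are what makes this frame adjustable.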
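The frame rewrite that the quoted comment and David's alternative sequence are both about, modelled in C as an added example (not code from the kernel patch or from this e-mail): the four-word kernel-mode INT3 frame is slid down by one slot, the freed slot becomes the top of the interrupted context's stack and receives the return address, and the ip slot is pointed at the call target, so that a plain "pop %eax; iret" lands in the target with a call-style return address pushed. The stack is a plain array, the i386 __KERNEL_CS value 0x60 is assumed, and the return address is passed in by the caller because the saved ip points one byte past the int3 rather than past the full instruction being replaced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the 32-bit kernel-mode INT3 exception frame from
 * the quoted comment. The stack is a plain array; a lower index is a
 * lower address, so "pushing" moves to a lower index. Frame slots,
 * relative to sp (the index of orig_eax):
 *   sp+0 orig_eax   sp+1 ip   sp+2 cs   sp+3 flags   sp+4 <previous context>
 */
#define STACK_WORDS 64
#define FRAME_WORDS 4           /* orig_eax, ip, cs, flags */
#define KERNEL_CS   0x60u       /* i386 __KERNEL_CS; value assumed for this model */
#define SENTINEL    0xdeadbeefu /* marks untouched words in the sample stack */

struct cpu_state { uint32_t ip, cs, flags, sp; };

/*
 * Emulate "call target" from inside the INT3 handler by rewriting the
 * frame so that the eventual iret lands in target with ret_ip on the
 * interrupted context's stack. Only a kernel-mode frame (no ss/esp
 * slots, cs == KERNEL_CS) has this layout. The four frame words slide
 * down by one slot; the freed slot at the old sp+3 becomes the new top
 * of the interrupted stack and receives ret_ip.
 * Returns the new sp, or -1 if the frame cannot be adjusted.
 */
int int3_emulate_call(uint32_t *stack, int sp, uint32_t target, uint32_t ret_ip)
{
    if (sp < 1 || sp + FRAME_WORDS >= STACK_WORDS)
        return -1;                          /* no room to slide the frame */
    if (stack[sp + 2] != KERNEL_CS)
        return -1;                          /* user-mode frame: different layout */
    memmove(&stack[sp - 1], &stack[sp], FRAME_WORDS * sizeof(uint32_t));
    stack[sp + 3] = ret_ip;                 /* pushed return address */
    stack[sp]     = target;                 /* new ip slot is (sp-1)+1 */
    return sp - 1;
}

/*
 * Model of "pop %eax; iret" for a kernel-mode frame: discard orig_eax,
 * pop ip/cs/flags, and leave sp pointing at the interrupted context.
 */
struct cpu_state int3_return(const uint32_t *stack, int sp)
{
    struct cpu_state st;
    st.ip    = stack[sp + 1];
    st.cs    = stack[sp + 2];
    st.flags = stack[sp + 3];
    st.sp    = (uint32_t)(sp + 4);
    return st;
}

/*
 * Build a constructed sample frame: kernel code interrupted at ip 0x1005
 * (one byte past the int3), with the interrupted context's top-of-stack
 * word 0x11111111 sitting directly above flags.
 */
int build_sample_frame(uint32_t *stack)
{
    int sp = STACK_WORDS - 8;
    for (int i = 0; i < STACK_WORDS; i++)
        stack[i] = SENTINEL;
    stack[sp + 0] = 0;            /* orig_eax */
    stack[sp + 1] = 0x1005;       /* ip: one byte past the int3 */
    stack[sp + 2] = KERNEL_CS;
    stack[sp + 3] = 0x246;        /* flags: IF set */
    stack[sp + 4] = 0x11111111;   /* previous context's top of stack */
    return sp;
}

int main(void)
{
    uint32_t stack[STACK_WORDS];
    int sp = build_sample_frame(stack);
    /* the int3 replaced the first byte of a 5-byte call at 0x1004 (assumed
       for the sample), so the emulated call must return to 0x1009 */
    int nsp = int3_emulate_call(stack, sp, 0x2000, 0x1009);
    struct cpu_state st = int3_return(stack, nsp);
    printf("iret -> ip=%#x cs=%#x flags=%#x sp=%u top=%#x\n",
           st.ip, st.cs, st.flags, st.sp, stack[st.sp]);
    return 0;
}
```

The check in int3_emulate_call is the one David asks about: the rewrite is only valid when cs is the kernel cs, because a frame from user mode carries ss/esp above flags and a different interrupted stack, and sliding it would corrupt the handler's own stack rather than the interrupted one.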