flat assembler
Message board for the users of flat assembler.

Temporary storage using wrfsbase/wrgsbase

MaoKo
Joined: 07 May 2019
Posts: 95
Location: Paris/French
Hello. I have a question, just for fun. It's rare that in x64 you run out of registers in a function.
And when this happens you use the RAM (stack or "global" variable). But I'm wondering if it's good practice to use the MSRs (wrfsbase, wrgsbase) for temporary storage. Of course only if you don't use fs/gs. Has anyone already done this?
Post 21 Jan 2021, 10:42
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 18073
Location: In your JS exploiting you and your system
In user mode you will likely have trouble with those generating an illegal instruction exception.

So, no, I doubt anyone will do this.
Post 21 Jan 2021, 10:54
MaoKo
Are you sure? They generate #UD in protected mode and below, but not in long mode. And you can use them in userland.
Post 21 Jan 2021, 10:58
revolution
Which OS do you use?
Post 21 Jan 2021, 11:00
MaoKo
Linux
Post 21 Jan 2021, 11:02
revolution
Does this work for you?
Code:
format elf64 executable 3 at 1 shl 20   ; load the image at 1 MiB
entry main

SYS_EXIT = 60

segment executable

main:
        lea     rax,[rip]               ; a known-canonical user address
        mov     rcx,not 0xfffff
        and     rax,rcx                 ; round down to the 1 MiB image base
        wrfsbase rax                    ; raises #UD (SIGILL) if the kernel has not set CR4.FSGSBASE
        mov     eax,SYS_EXIT
        xor     edi,edi                 ; exit status 0
        syscall
Post 21 Jan 2021, 11:03
MaoKo
Yes, nothing to report. No crash.
Code:
execve("./c", ["./c"], 0x7ffefe13f940 /* 42 vars */) = 0
exit(0)                                 = ?
+++ exited with 0 +++
Post 21 Jan 2021, 11:05
revolution
Post 21 Jan 2021, 11:08
revolution
Looking at the docs, it says non-canonical addresses will fault.

Try this:
Code:
format elf64 executable 3 at 1 shl 20
entry main

SYS_EXIT = 60

segment executable

main:
        mov     rax,0x5555555555555555 ; bad address: bits 63..47 are not all equal, so it is non-canonical
        wrfsbase rax                    ; #GP, delivered by Linux as SIGSEGV
        mov     eax,SYS_EXIT
        xor     edi,edi                 ; exit status 0 (never reached)
        syscall
Post 21 Jan 2021, 11:13
MaoKo
Ha, OK. I didn't know how long Intel took to implement this.
Post 21 Jan 2021, 11:14
MaoKo
Yes, it segfaults. It's not canonical.
Code:
execve("./d", ["./d"], 0x7ffc6d7909d0 /* 42 vars */) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)
Post 21 Jan 2021, 11:16
MaoKo
You can only store 48 bits. It's better than nothing :P
Post 21 Jan 2021, 11:22
revolution
So you can use it to store address values, on recent AMD CPUs, in Linux (not sure about Windows), only.

Too many restrictions IMO.
Post 21 Jan 2021, 11:23
MaoKo
The problem is that on Intel, when you write a zero selector to fs, the fsbase is cleared, while it is unchanged on AMD.
This leads to not very portable behavior :(
Code:
format ELF64 executable 3H
entry _start

segment executable readable

_start:
    mov rax, 0FEEDH
    wrfsbase rax        ; FS base = 0FEEDH
    xor ax, ax
    mov es, ax
    mov ds, ax
    mov fs, ax          ; load the null selector into FS
    rdfsbase rax        ; rax = 0H on Intel (base cleared by the null selector load), per the post
    int3                ; SIGTRAP: stop here to inspect rax in a debugger
    mov rax, 03CH       ; sys_exit
    xor edi, edi        ; exit status 0
    syscall
Post 21 Jan 2021, 14:33
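Added example, not code from the thread or from fasm: a C program for Linux/x86-64 that ties together the points raised above. It asks the kernel whether user-mode FSGSBASE is enabled (AT_HWCAP2, rather than just executing the instruction and hoping for no SIGILL), uses the GS base instead of FS because glibc keeps thread-local storage (errno, the stack-protector canary at fs:0x28) behind FS on x86-64, catches the SIGSEGV that a non-canonical value such as 0x5555555555555555 raises, and packs an arbitrary 48-bit payload into a canonical value by sign-extending bit 47, which is the "only 48 bits" limit stated above made usable. The function names (fsgsbase_available, is_canonical, pack48, unpack48, try_gsbase_roundtrip) and the 0xFEED test value are mine; HWCAP2_FSGSBASE is the real Linux auxv bit (set by kernels 5.9 and later once CR4.FSGSBASE is on) and is defined here only as a fallback if the headers lack it.

```c
/* Added example, not code from the thread: probe user-mode FSGSBASE on Linux/x86-64,
 * round-trip a value through the GS base and catch the fault a non-canonical value raises.
 * Function names and test values are assumptions made for this example. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__linux__) && defined(__x86_64__)
#include <sys/auxv.h>
#define HAVE_FSGSBASE_PROBE 1
#else
#define HAVE_FSGSBASE_PROBE 0
#endif

#ifndef HWCAP2_FSGSBASE
#define HWCAP2_FSGSBASE (1UL << 1)  /* AT_HWCAP2 bit Linux 5.9+ sets once CR4.FSGSBASE is enabled */
#endif

/* 1 if the kernel advertises RD/WRFSBASE and RD/WRGSBASE for user mode. CPUID alone is not
 * enough: the CPU may have the feature while CR4.FSGSBASE is clear, and then the instructions
 * raise #UD, which Linux delivers as SIGILL. */
int fsgsbase_available(void) {
#if HAVE_FSGSBASE_PROBE
    return (getauxval(AT_HWCAP2) & HWCAP2_FSGSBASE) != 0;
#else
    return 0;
#endif
}

/* A linear address is canonical when bits [63:va_bits-1] are all equal (va_bits = 48 with 4-level paging). */
int is_canonical(uint64_t addr, unsigned va_bits) {
    uint64_t top = addr >> (va_bits - 1);                        /* bit va_bits-1 and everything above it */
    uint64_t all_ones = ((uint64_t)1 << (64 - va_bits + 1)) - 1;
    return top == 0 || top == all_ones;
}

/* Sign-extend bit 47 so that any 48-bit payload becomes a canonical value the base register accepts
 * (it stays canonical under 57-bit LA57 too, since bits 56..63 are then all copies of bit 47). */
uint64_t pack48(uint64_t payload48) {
    return (uint64_t)(((int64_t)(payload48 << 16)) >> 16);      /* arithmetic shift on gcc/clang */
}

uint64_t unpack48(uint64_t canonical) {
    return canonical & 0x0000FFFFFFFFFFFFULL;
}

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_signo;

static void on_fault(int signo) {
    fault_signo = signo;
    siglongjmp(fault_env, 1);
}

/* Write v to the GS base, read it back into *out and restore the previous base.
 * Returns 0 on success, -1 if the write faulted (SIGSEGV: #GP on a non-canonical value;
 * SIGILL: instruction not enabled), -2 if the kernel does not advertise FSGSBASE at all. */
int try_gsbase_roundtrip(uint64_t v, uint64_t *out) {
#if HAVE_FSGSBASE_PROBE
    if (!fsgsbase_available())
        return -2;
    struct sigaction sa, old_segv, old_ill;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);

    volatile uint64_t saved = 0, got = 0;   /* volatile: live across sigsetjmp/siglongjmp */
    volatile int rc = -1;
    fault_signo = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        uint64_t tmp;
        __asm__ volatile("rdgsbase %0" : "=r"(tmp));
        saved = tmp;
        __asm__ volatile("wrgsbase %0" : : "r"(v));       /* #GP here if v is non-canonical */
        __asm__ volatile("rdgsbase %0" : "=r"(tmp));
        got = tmp;
        __asm__ volatile("wrgsbase %0" : : "r"(saved));   /* leave the thread as we found it */
        rc = 0;
    } else {
        rc = -1;   /* arrived via siglongjmp; a faulting wrgsbase leaves the base unchanged */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    if (rc == 0)
        *out = got;
    return rc;
#else
    (void)v; (void)out;
    return -2;
#endif
}

int main(void) {
    uint64_t got = 0;
    printf("kernel advertises FSGSBASE: %s\n", fsgsbase_available() ? "yes" : "no");
    int rc = try_gsbase_roundtrip(pack48(0xFEED), &got);
    printf("store 0xFEED in GS base: rc=%d, read back 0x%llx\n", rc, (unsigned long long)unpack48(got));
    rc = try_gsbase_roundtrip(0x5555555555555555ULL, &got);   /* the thread's non-canonical value */
    printf("store 0x5555555555555555: rc=%d, signal=%d\n", rc, (int)fault_signo);
    return 0;
}
```

Build with a plain `cc -O2`; no `-mfsgsbase` flag is needed because the instructions are emitted through inline assembly. On a kernel older than 5.9, or under a hypervisor that hides the feature, fsgsbase_available() returns 0 and the round-trip reports -2; there, arch_prctl(ARCH_SET_GS, ...) is the only way to set the base from user space. The non-canonical case reproduces the strace output above: the #GP arrives as SIGSEGV with si_code SI_KERNEL and si_addr NULL, and the handler turns it into a -1 instead of a core dump.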
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.