flat assembler
Message board for the users of flat assembler.

Temporary storage using wrfsbase/wrgsbase

Joined: 07 May 2019
Posts: 100
Location: Paris/French
MaoKo 21 Jan 2021, 10:42
Hello. I have a question just for fun. It's rare that in x64 you run out of registers in a function.
And when this happens you use the RAM (stack or a "global" variable). But I'm wondering if it's good practice to use the MSRs (with wrfsbase, wrgsbase) for temporary storage. Of course, only if you don't use fs/gs. Has anyone already done this?
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 20363
Location: In your JS exploiting you and your system
revolution 21 Jan 2021, 10:54
In user mode you will likely have trouble with those generating an illegal instruction exception.

So, no, I doubt anyone will do this.
MaoKo 21 Jan 2021, 10:58
Are you sure? They generate #UD in protected mode and below, but not in long mode. And you can use them in userland.
revolution 21 Jan 2021, 11:00
Which OS do you use?
MaoKo 21 Jan 2021, 11:02
Linux
revolution 21 Jan 2021, 11:03
Does this work for you?
Code:
format elf64 executable 3 at 1 shl 20
entry main

SYS_EXIT = 60

segment executable

main:
        lea     rax,[rip]          ; address of the next instruction (a canonical address)
        mov     rcx,not 0xfffff    ; mask that clears the low 20 bits
        and     rax,rcx            ; round down to a 1 MiB boundary
        wrfsbase rax               ; park the value in the FS base
        mov     eax,SYS_EXIT
        xor     edi,edi
        syscall                    ; exit(0)
MaoKo 21 Jan 2021, 11:05
Yes, nothing to report. No crash.
Code:
execve("./c", ["./c"], 0x7ffefe13f940 /* 42 vars */) = 0
exit(0)                                 = ?
+++ exited with 0 +++
revolution 21 Jan 2021, 11:13
Looking at the docs it says non-canonical addresses will fault.

Try this:
Code:
format elf64 executable 3 at 1 shl 20
entry main

SYS_EXIT = 60

segment executable

main:
        mov     rax,0x5555555555555555 ; bad address: bits 63..47 are not all equal, so it is non-canonical
        wrfsbase rax                   ; faults on a non-canonical base
        mov     eax,SYS_EXIT
        xor     edi,edi
        syscall
MaoKo 21 Jan 2021, 11:14
Ha, OK. I didn't know how much time Intel took to implement this.
MaoKo 21 Jan 2021, 11:16
Yes, it segfaults. It's not canonical.
Code:
execve("./d", ["./d"], 0x7ffc6d7909d0 /* 42 vars */) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)
MaoKo 21 Jan 2021, 11:22
You can only store 48 bits. It's better than nothing :P
revolution 21 Jan 2021, 11:23
So you can use it to store address values, on recent AMD CPUs, in Linux (not sure about Windows), only.

Too many restrictions IMO.
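An added example, not code from this thread or from fasm: the checks a user-mode program should make before parking a value in the FS base the way the posts above discuss (CPU support, kernel enablement, and the canonical-address limit that produced the SIGSEGV). It is C with inline assembly rather than fasm so the kernel's capability flag can be read from the auxiliary vector; it assumes Linux on x86-64 with gcc or clang, and the names `is_canonical`, `fsgsbase_usable` and `fsbase_roundtrip` are chosen here.

```c
/* Added example (not from the thread). Assumes Linux/x86-64 with gcc or
 * clang; on any other target the probes simply report 0. */
#include <stdint.h>
#if defined(__x86_64__) && defined(__linux__)
#include <cpuid.h>
#include <sys/auxv.h>
#endif
/* Same bit as the kernel's HWCAP2_FSGSBASE: set when CR4.FSGSBASE is on. */
#define HWCAP2_FSGSBASE_BIT (1UL << 1)

/* Thread's finding: FS base holds only a canonical 48-bit address, so
 * bits 63..47 must all equal bit 47; anything else makes wrfsbase #GP. */
int is_canonical(uint64_t v)
{
    uint64_t top = v >> 47;             /* the 17 bits 63..47 */
    return top == 0 || top == 0x1FFFF;  /* all zero or all one */
}

/* 1 only when the CPU advertises FSGSBASE and the kernel enabled it;
 * CPUID alone is not enough (CR4.FSGSBASE clear => #UD, SIGILL). */
int fsgsbase_usable(void)
{
#if defined(__x86_64__) && defined(__linux__)
    unsigned a, b, c, d;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d) || !(b & 1u))
        return 0;                        /* CPUID.(7,0):EBX[0] clear */
    return (getauxval(AT_HWCAP2) & HWCAP2_FSGSBASE_BIT) != 0;
#else
    return 0;
#endif
}

/* Park v in FS base, read it back, restore the old base. glibc keeps TLS
 * there, so no libc call may run in between. 1 = v came back intact,
 * 0 = refused (unusable CPU/kernel, or non-canonical value). */
int fsbase_roundtrip(uint64_t v)
{
#if defined(__x86_64__) && defined(__linux__)
    uint64_t old, got;
    if (!fsgsbase_usable() || !is_canonical(v))
        return 0;
    __asm__ volatile("rdfsbase %0" : "=r"(old));
    __asm__ volatile("wrfsbase %0" : : "r"(v) : "memory");
    __asm__ volatile("rdfsbase %0" : "=r"(got));
    __asm__ volatile("wrfsbase %0" : : "r"(old) : "memory");
    return got == v;
#else
    (void)v;
    return 0;
#endif
}
```

The canonical check rejects the thread's 0x5555555555555555 before the instruction ever runs, and the auxiliary-vector bit is what separates "the CPU has it" from "the kernel lets user mode use it".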
MaoKo 21 Jan 2021, 14:33
The problem is that on Intel, when you write a zero selector to fs, the fsbase is cleared, while on AMD it is unchanged.
This leads to not very portable behavior :(
Code:
format ELF64 executable 3H
entry _start

segment executable readable

_start:
    mov rax, 0FEEDH
    wrfsbase rax      ; FS base = 0FEEDH
    xor ax, ax
    mov es, ax
    mov ds, ax
    mov fs, ax        ; load the null selector into fs
    rdfsbase rax      ; rax = 0H on Intel (base cleared); AMD leaves the old base
    int3              ; break here to inspect rax
    mov rax, 03CH     ; sys_exit
    syscall