On 04/11/2019 23:20, Håkon Alstadheim wrote: > > (XEN) RFLAGS=0x00000193 (0x00000193) DR7 = 0x0000000000000400 > <snip> > (XEN) *** Insn bytes from ffffb8868f61d69a: 44 00 00 8c d0 9c 81 0c 24 > 00 01 00 00 9d 8e d0 <fffffff1> 9c 81 24 24 ff fe ff ff 9d c3 cc cc cc > cc cc
Ok. One question answered, several more WTF. 0000000000000000 <.data>: 0: 44 00 00 add %r8b,(%rax) 3: 8c d0 mov %ss,%eax 5: 9c pushfq 6: 81 0c 24 00 01 00 00 orl $0x100,(%rsp) d: 9d popfq e: 8e d0 mov %eax,%ss 10: f1 icebp 11: 9c pushfq 12: 81 24 24 ff fe ff ff andl $0xfffffeff,(%rsp) 19: 9d popfq 1a: c3 retq 1b: cc int3 1c: cc int3 1d: cc int3 1e: cc int3 1f: cc int3 This is a serious exercising of architectural corner cases, by layering a single step exception on top of a MovSS-deferred ICEBP. Now I've looked closer, this isn't a CVE-2018-8897 exploit as no breakpoints are configured in %dr7, so I'm going to revise my guess some new debugger-detection in DRM software. ~Andrew _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
