Weird behaviour with x86_64 fast syscalls and int3
Posted: Thu Jul 07, 2022 3:54 pm
Here's an excerpt from GDB prompt:
```
(gdb) x/2i $pc
=> 0xffffac4bc2bf5fe1: int3
0xffffac4bc2bf5fe2: int3
(gdb) stepi
0xffffac4bc2bf5fe2 in ?? ()
(gdb)
0xffffac4bc2bed901 in ?? ()
```
You can see that execution passes through the first int3, but the second int3 actually jumps to the handler.
Further experiments showed that whenever the instruction at 0x...fe1 is run, it is treated as 1-byte nop, no matter what byte was there.
For context: I'm playing with the Linux kernel, 0x...fe1 is the value of IA32_LSTAR that I've set (turns out that using a trampoline has the same effect, it's not tied to the LSTAR). The issue is present both on raw QEMU and on KVM, thus I suppose that it's on my side and not an emulation bug. I wasn't able to find any info about special treatment of LSTAR/special behaviour of int3/special alignment requirements in the Intel manual.
P.S. When registering, I was asked which fault causes a reboot, with the answer being "triple". The irony is, the very PC I used to register actually hangs when a triple fault is issued (and yes, I can print to screen and it won't disappear, gg)
P.P.S. Bochs wasn't able to boot my test VM to a shell, so haven't tested there.