tech-kern archive


Situations about PC values in kernel data
Hi,

We are working on a project about OS security.
We wonder in which situations the program counter (PC) value (e.g., the value in %RIP on x86_64, i.e., an instruction address) could be in kernel (module) data segments (including stack, heap, .rodata, etc.).

Here we mainly care about the addresses/values that are NOT function entry points since there exist a number of function pointers. Also, we only consider the normal cases because one can write arbitrary values into a variable/pointer. And we mainly consider i386, AMD64 and ARM.

Here are some situations I can think about:
function/interrupt/exception/syscall return address on stack; switch/case jump table target; page fault handler (pcb_onfault on *BSD); restartable atomic sequences (RAS) registry; thread/process context structure like Task state segment (TSS), process control block (PCB) and thread control block (TCB); situations for debugging purposes (e.g., like those in the "segment not present" exception handler on FreeBSD, and the trace exception handler on NetBSD). Any other cases?

Additionally, do any of these addresses have offset formats, or special encodings?
For example, on x86_64, we may use 32-bit RIP-relative (addressing) offset to represent a 64-bit full address. In glibc's setjmp/longjmp jmp_buf, they use a special encoding (PTR_MANGLE) for saved register values.

Best thanks and regards,
Yue
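The two encodings named in the question, as an added illustration that is not part of the original post or of glibc's or any BSD kernel's code: a pointer-mangling scheme modelled on glibc's x86_64 PTR_MANGLE (XOR with a per-process guard, then rotate left by 2*LP_SIZE+1 = 17 bits), and the 32-bit RIP-relative displacement, which encodes a full 64-bit target relative to the next instruction. The guard value and the kernel addresses are constructed, and in_text_range is a hypothetical helper standing in for whatever "is this a code address?" check a data-segment scanner would use; it shows why a mangled saved PC in a jmp_buf would not be recognised as one.

```c
#include <stdint.h>
#include <stdio.h>

#define PTR_ROTATE_BITS 17                 /* 2*LP_SIZE+1 on x86_64 (LP_SIZE = 8) */
static const uint64_t guard_example = 0x5a3c9e17d2b4f681ULL;  /* constructed guard */

static uint64_t rotl64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t rotr64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

/* Mangle a saved register value the way glibc does before storing it in jmp_buf. */
uint64_t ptr_mangle(uint64_t ptr, uint64_t guard) {
    return rotl64(ptr ^ guard, PTR_ROTATE_BITS);
}

/* Inverse: undo the rotation, then XOR with the same guard. */
uint64_t ptr_demangle(uint64_t stored, uint64_t guard) {
    return rotr64(stored, PTR_ROTATE_BITS) ^ guard;
}

/* RIP-relative addressing: the displacement is a sign-extended 32-bit value
 * relative to the address of the *next* instruction, so 4 bytes name a
 * 64-bit target anywhere within +/-2 GiB of the code. */
uint64_t rip_relative_target(uint64_t next_insn_addr, int32_t disp32) {
    return next_insn_addr + (uint64_t)(int64_t)disp32;
}

int32_t rip_relative_disp(uint64_t next_insn_addr, uint64_t target) {
    return (int32_t)(int64_t)(target - next_insn_addr);
}

/* Hypothetical check a scanner might apply to a data word: does it fall
 * inside the (constructed) kernel text segment [text_start, text_end)? */
int in_text_range(uint64_t v, uint64_t text_start, uint64_t text_end) {
    return v >= text_start && v < text_end;
}

int main(void) {
    const uint64_t text_start = 0xffffffff80100000ULL;   /* constructed */
    const uint64_t text_end   = 0xffffffff80400000ULL;   /* constructed */
    uint64_t pc = 0xffffffff80123456ULL;                   /* constructed saved PC */
    uint64_t stored = ptr_mangle(pc, guard_example);

    printf("raw PC     %#llx  in text: %d\n", (unsigned long long)pc,
           in_text_range(pc, text_start, text_end));
    printf("mangled    %#llx  in text: %d\n", (unsigned long long)stored,
           in_text_range(stored, text_start, text_end));
    printf("demangled  %#llx\n", (unsigned long long)ptr_demangle(stored, guard_example));
    printf("disp32 for %#llx from %#llx: %#x\n", (unsigned long long)pc,
           0xffffffff80001000ULL, (unsigned)rip_relative_disp(0xffffffff80001000ULL, pc));
    return 0;
}
```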