
lea noop

Posted Feb 28, 2025 19:41 UTC (Fri) by ushankar (subscriber, #167333)
Parent article: A hole in FineIBT protection

> The lea instruction is essentially a fast no-op

> lea -0x10(%r11), %r11

Doesn't this subtract 0x10 from r11?


to post comments

lea noop

Posted Mar 2, 2025 20:23 UTC (Sun) by andy_shev (subscriber, #75870)

As far as I can see, the -0x10 is the requirement of the FineIBT calling convention (see cfi.h). I.o.w. it's expected. The idea is that the conditional jump is done into the guts of the lea instruction, which makes it an illegal sequence (in case it is taken).

lea noop

Posted Mar 10, 2025 2:56 UTC (Mon) by jandryuk (subscriber, #103122)

I think, yes, lea subtracts 0x10. r11 had the address of func, and __cfi_func is at -0x10. That is the location of the endbr instruction needed for IBT.

https://elixir.bootlin.com/linux/v6.14-rc5/source/arch/x8...


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds