amd64's SigreturnFrame is slightly wrong #2439

@sasha-999

Description

Hey! This isn't something I ran into when using pwntools, more like something I noticed from the source code (hence the lack of debug output etc.)
As of writing this, the most recent version of pwntools defines the offsets for amd64's SigreturnFrame as follows:

pwntools/pwnlib/rop/srop.py

Lines 182 to 188 in 405357c

```python
# Reference : https://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf
'amd64': {0: 'uc_flags', 8: '&uc', 16: 'uc_stack.ss_sp', 24: 'uc_stack.ss_flags',
          32: 'uc_stack.ss_size', 40: 'r8', 48: 'r9', 56: 'r10', 64: 'r11', 72: 'r12',
          80: 'r13', 88: 'r14', 96: 'r15', 104: 'rdi', 112: 'rsi', 120: 'rbp', 128: 'rbx',
          136: 'rdx', 144: 'rax', 152: 'rcx', 160: 'rsp', 168: 'rip', 176: 'eflags',
          184: 'csgsfs', 192: 'err', 200: 'trapno', 208: 'oldmask', 216: 'cr2',
          224: '&fpstate', 232: '__reserved', 240: 'sigmask'},
```

Notably, sigmask is at offset 240, and __reserved is defined as being 8 bytes big. However, when you look at the Linux kernel source code:

https://elixir.bootlin.com/linux/v6.10/source/arch/x86/include/uapi/asm/sigcontext.h#L376
(screenshot of the sigcontext definition not reproduced)

The __reserved field is actually an array of 8 u64s, which is a total of 64 bytes, causing the sigmask field to be 56 bytes short of where it should be. You can also verify this by debugging the amd64 kernel:

(debugger screenshot not reproduced)

While this isn't a massive issue, as most people wouldn't care about sigmask, I still felt like I might as well bring it up, and you can decide whether it's worth fixing.
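An added check, neither pwntools code nor the reporter's: it rebuilds the amd64 frame offsets from the field sizes the issue describes (every field 8 bytes, __reserved an array of 8 u64s) and diffs them against the table quoted above, so the sigmask discrepancy can be reproduced without a debugger. The field list and the copy of the pwntools table are constructed here from the issue text.

```python
# Added example: recompute the amd64 signal frame layout from field sizes and
# compare it with the offsets pwntools uses (table copied from the issue).
# Sizes follow the issue's description of the kernel's sigcontext: every
# field is 8 bytes and __reserved is 8 x u64 (64 bytes), not a single u64.
AMD64_FRAME_FIELDS = [
    ("uc_flags", 8), ("&uc", 8),
    ("uc_stack.ss_sp", 8), ("uc_stack.ss_flags", 8), ("uc_stack.ss_size", 8),
    ("r8", 8), ("r9", 8), ("r10", 8), ("r11", 8), ("r12", 8),
    ("r13", 8), ("r14", 8), ("r15", 8), ("rdi", 8), ("rsi", 8), ("rbp", 8),
    ("rbx", 8), ("rdx", 8), ("rax", 8), ("rcx", 8), ("rsp", 8), ("rip", 8),
    ("eflags", 8), ("csgsfs", 8), ("err", 8), ("trapno", 8), ("oldmask", 8),
    ("cr2", 8), ("&fpstate", 8),
    ("__reserved", 8 * 8),  # array of 8 u64s in the kernel header
    ("sigmask", 8),
]

# Offsets from pwnlib/rop/srop.py at the commit quoted in the issue.
PWNTOOLS_AMD64 = {
    0: 'uc_flags', 8: '&uc', 16: 'uc_stack.ss_sp', 24: 'uc_stack.ss_flags',
    32: 'uc_stack.ss_size', 40: 'r8', 48: 'r9', 56: 'r10', 64: 'r11', 72: 'r12',
    80: 'r13', 88: 'r14', 96: 'r15', 104: 'rdi', 112: 'rsi', 120: 'rbp', 128: 'rbx',
    136: 'rdx', 144: 'rax', 152: 'rcx', 160: 'rsp', 168: 'rip', 176: 'eflags',
    184: 'csgsfs', 192: 'err', 200: 'trapno', 208: 'oldmask', 216: 'cr2',
    224: '&fpstate', 232: '__reserved', 240: 'sigmask',
}


def layout(fields):
    """Return {name: offset} for a packed sequence of (name, size) fields."""
    offsets, off = {}, 0
    for name, size in fields:
        offsets[name] = off
        off += size
    return offsets


def frame_size(fields):
    """Total size in bytes of the packed frame."""
    return sum(size for _, size in fields)


def compare(expected, table_by_offset):
    """Return {name: (expected_offset, table_offset)} for fields that differ."""
    actual = {name: off for off, name in table_by_offset.items()}
    return {n: (e, actual.get(n)) for n, e in expected.items() if actual.get(n) != e}


if __name__ == "__main__":
    for name, (e, a) in compare(layout(AMD64_FRAME_FIELDS), PWNTOOLS_AMD64).items():
        print(f"{name}: expected offset {e}, pwntools table has {a}")
```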
