/*
 * Thread-local storage exercised by _start below.
 *
 * Sixteen 4-byte, zero-initialised TLS slots in .tbss ("awT" + @nobits: the
 * bytes occupy no file space and come from the TLS initialisation image).
 * bg1..bg8 are exported with .globl; bl1..bl8 keep the assembler's default
 * (local) binding, which is what the "IE -> LE against local var" sequences
 * in _start rely on.  Declaration order fixes the TLS offsets, so keep it.
 */
.section ".tbss", "awT", @nobits

/* exported thread-locals */
.globl bg1
.globl bg2
.globl bg3
.globl bg4
.globl bg5
.globl bg6
.globl bg7
.globl bg8
bg1:	.zero 4
bg2:	.zero 4
bg3:	.zero 4
bg4:	.zero 4
bg5:	.zero 4
bg6:	.zero 4
bg7:	.zero 4
bg8:	.zero 4

/* file-local thread-locals (no .globl on purpose) */
bl1:	.zero 4
bl2:	.zero 4
bl3:	.zero 4
bl4:	.zero 4
bl5:	.zero 4
bl6:	.zero 4
bl7:	.zero 4
bl8:	.zero 4
.text
/*
 * _start -- a catalogue of x86-64 ELF TLS access sequences, one per block.
 *
 * This code is not written to be executed.  Each block is a standalone TLS
 * idiom (IE via @gottpoff, LE via @tpoff) aimed at a symbol of a particular
 * visibility, so that the bytes a linker emits after TLS relaxation can be
 * inspected.  NOTE(review): this looks like the input of a linker
 * relaxation test; the driver / expected output is not in this file, so
 * confirm there before changing any instruction or padding here.
 *
 * Symbol families (taken from the per-block comments below):
 *   bg*  global TLS vars defined in the .tbss section above
 *   bl*  local TLS vars defined in the .tbss section above
 *   sg*  global vars "defined in exec" -- not in this file, presumably
 *        supplied by a sibling input of the same link
 *   sh*  hidden vars -- likewise not in this file
 *   sG*  a global that is only accessed here (no "-> LE" in its comment),
 *        so its IE access presumably has to keep a real GOT entry
 *
 * The "nop;nop" / "nop;nop;nop;nop" lines are padding between sequences,
 * not part of any TLS idiom; they presumably pin the offsets the expected
 * disassembly is checked at.  Do not remove, merge or re-pad them.
 *
 * Several LE sequences carry an addend (+1, +2, +3) folded into the @tpoff
 * operand.  A relaxation that drops or mis-applies such an addend produces
 * a silent access to the wrong thread-local (a neighbouring slot), so these
 * cases are the ones most worth re-checking after any linker change.
 *
 * ABI caveats, only relevant if someone does run this: %r12 is callee-saved
 * (SysV) and is written below without being preserved; and `ret` at the
 * process entry point pops whatever the kernel left on the stack rather
 * than a return address -- a runnable _start would end in an exit syscall.
 */
.globl _start
.type _start,@function
_start:
pushq %rbp
movq %rsp, %rbp
/* IE against global var (sG6, no definition in this file):
   thread pointer from %fs:0, plus the TP-relative offset read from the
   GOT slot that @gottpoff creates -> address of sG6 in %r11.
   No "-> LE" here: presumably the GOT access must survive linking. */
movq %fs:0, %r11
nop;nop
addq sG6@gottpoff(%rip), %r11
nop;nop;nop;nop
/* IE -> LE against global var defined in exec (bg6, from .tbss above):
   same shape as the block above, but the offset is known at link time,
   so the GOT load may be relaxed into an immediate. */
movq %fs:0, %rdx
nop;nop
addq bg6@gottpoff(%rip), %rdx
nop;nop;nop;nop
/* IE -> LE against local var (bl6, local binding in .tbss above).
   Result lands in %r12 -- a callee-saved register, see header note. */
movq %fs:0, %r12
nop;nop
addq bl6@gottpoff(%rip), %r12
nop;nop;nop;nop
/* direct %fs access IE -> LE against local var (bl8):
   load the TP-relative offset into %rdx, then read the variable itself
   through the %fs segment instead of materialising its address. */
movq bl8@gottpoff(%rip), %rdx
nop;nop
movq %fs:(%rdx), %rax
nop;nop;nop;nop
/* IE -> LE against hidden but not local var (sh6, not defined here) */
movq %fs:0, %rdx
nop;nop
addq sh6@gottpoff(%rip), %rdx
nop;nop;nop;nop
/* direct %fs access IE -> LE against hidden but not local var (sh8) */
movq sh8@gottpoff(%rip), %rdx
nop;nop
movq %fs:(%rdx), %rax
nop;nop;nop;nop
/* LE, global var defined in exec (sg2, not defined here):
   canonical form -- TP in %rax, address formed with lea and a @tpoff
   displacement, no GOT involved. */
movq %fs:0, %rax
nop;nop
leaq sg2@tpoff(%rax), %rdx
nop;nop;nop;nop
/* LE, local var, non-canonical sequence (bl2):
   the @tpoff value (with a +2 addend) is first moved into a scratch
   register and only then added to the thread pointer. */
movq $2+bl2@tpoff, %r9
nop;nop
movq %fs:0, %rdx
nop;nop
addq %r9, %rdx
nop;nop;nop;nop
/* LE, hidden var defined in exec, non-canonical sequence (sh2):
   @tpoff (+1 addend) applied as an add-immediate to the thread pointer. */
movq %fs:0, %rdx
nop;nop
addq $sh2@tpoff+1, %rdx
nop;nop;nop;nop
/* Direct %fs access: the three blocks below read the variable with a
   single %fs:disp load, no thread-pointer register needed. */
/* LE, global var defined in exec (sg3, not defined here) */
movq %fs:sg3@tpoff, %rax
nop;nop;nop;nop
/* LE, local var (bl3, +3 addend in the displacement) */
movq %fs:bl3@tpoff+3, %r10
nop;nop;nop;nop
/* LE, hidden var defined in exec (sh3, +1 addend written before @tpoff) */
movq %fs:1+sh3@tpoff, %rdx
nop;nop;nop;nop
/* frame teardown; see header note about `ret` at the entry point */
leave
ret