1 /* Force .data aligned to 4K, so that .got very likely gets at 2 0x5021a0 (0x60 bytes .tdata and 0x140 bytes .dynamic) */ 3 .data 4 .balign 4096 5 .section ".tdata", "awT", @progbits 6 .globl sg1, sg2, sg3, sg4, sg5, sg6, sg7, sg8 7 .globl sh1, sh2, sh3, sh4, sh5, sh6, sh7, sh8 8 .hidden sh1, sh2, sh3, sh4, sh5, sh6, sh7, sh8 9 sg1: .long 17 10 sg2: .long 18 11 sg3: .long 19 12 sg4: .long 20 13 sg5: .long 21 14 sg6: .long 22 15 sg7: .long 23 16 sg8: .long 24 17 sl1: .long 65 18 sl2: .long 66 19 sl3: .long 67 20 sl4: .long 68 21 sl5: .long 69 22 sl6: .long 70 23 sl7: .long 71 24 sl8: .long 72 25 sh1: .long 257 26 sh2: .long 258 27 sh3: .long 259 28 sh4: .long 260 29 sh5: .long 261 30 sh6: .long 262 31 sh7: .long 263 32 sh8: .long 264 33 /* Force .text aligned to 4K, so it very likely gets at 0x401000. */ 34 .text 35 .balign 4096 36 .globl fn2 37 .type fn2,@function 38 fn2: 39 pushq %rbp 40 movq %rsp, %rbp 41 42 /* GD -> IE because variable is not defined in executable */ 43 .byte 0x66 44 leaq sG1@tlsgd(%rip), %rdi 45 .word 0x6666 46 rex64 47 call __tls_get_addr@plt 48 nop;nop;nop;nop 49 50 /* GD -> IE because variable is not defined in executable where 51 the variable is referenced through IE too */ 52 .byte 0x66 53 leaq sG2@tlsgd(%rip), %rdi 54 .word 0x6666 55 rex64 56 call __tls_get_addr@plt 57 nop;nop;nop;nop 58 59 /* GD -> LE with global variable defined in executable */ 60 .byte 0x66 61 leaq sg1@tlsgd(%rip), %rdi 62 .word 0x6666 63 rex64 64 call __tls_get_addr@plt 65 nop;nop;nop;nop 66 67 /* GD -> LE with local variable defined in executable */ 68 .byte 0x66 69 leaq sl1@tlsgd(%rip), %rdi 70 .word 0x6666 71 rex64 72 call __tls_get_addr@plt 73 nop;nop;nop;nop 74 75 /* GD -> LE with hidden variable defined in executable */ 76 .byte 0x66 77 leaq sh1@tlsgd(%rip), %rdi 78 .word 0x6666 79 rex64 80 call __tls_get_addr@plt 81 nop;nop;nop;nop 82 83 /* LD -> LE */ 84 leaq sl1@tlsld(%rip), %rdi 85 call __tls_get_addr@plt 86 nop;nop 87 leaq 1+sl1@dtpoff(%rax), %rdx 88 nop;nop 89 leaq sl2@dtpoff+2(%rax), %r9 90 nop;nop;nop;nop 91 92 /* LD -> LE against hidden variables */ 93 leaq sh1@tlsld(%rip), %rdi 94 call __tls_get_addr@plt 95 nop;nop 96 leaq sh1@dtpoff(%rax), %rdx 97 nop;nop 98 leaq 3+sh2@dtpoff(%rax), %rcx 99 nop;nop;nop;nop 100 101 /* IE against global var */ 102 movq %fs:0, %r9 103 nop;nop 104 addq sG2@gottpoff(%rip), %r9 105 nop;nop;nop;nop 106 107 /* IE -> LE against global var defined in exec */ 108 movq %fs:0, %r10 109 nop;nop 110 addq sg1@gottpoff(%rip), %r10 111 nop;nop;nop;nop 112 113 /* IE -> LE against local var */ 114 movq %fs:0, %rax 115 nop;nop 116 addq sl1@gottpoff(%rip), %rax 117 nop;nop;nop;nop 118 119 /* IE -> LE against hidden var */ 120 movq %fs:0, %rcx 121 nop;nop 122 addq sh1@gottpoff(%rip), %rcx 123 nop;nop;nop;nop 124 125 /* Direct access through %fs */ 126 127 /* IE against global var */ 128 movq sG5@gottpoff(%rip), %rcx 129 nop;nop 130 movq %fs:(%rcx), %rdx 131 nop;nop;nop;nop 132 133 /* IE->LE against local var */ 134 movq sl5@gottpoff(%rip), %r11 135 nop;nop 136 movq %fs:(%r11), %r12 137 nop;nop;nop;nop 138 139 /* IE->LE against hidden var */ 140 movq sh5@gottpoff(%rip), %rdx 141 nop;nop 142 movq %fs:(%rdx), %rdx 143 nop;nop;nop;nop 144 145 leave 146 ret 147
