/* Linker test input for x86-64 TLS (GAS, AT&T syntax): thread-local data
   in .tdata plus one function, fn2, holding a series of TLS access
   sequences.  Each sequence carries a comment naming the access-model
   rewrite the author expects the linker to apply (GD -> IE, GD -> LE,
   LD -> LE, IE -> LE).  The instructions, prefix bytes and nop padding
   are the test data itself; keep them exactly as written.

   NOTE(review): sG1, sG2 and sG5 are referenced but not defined in this
   listing; per the comments in fn2 they are expected to be defined
   outside the executable.

   NOTE(review): no .note.GNU-stack section is visible in this listing.
   Presumably harmless for a fixture that appears to be only linked and
   inspected; add the marker before reusing this file as a template for
   code that runs, since its absence can leave the stack executable.  */

/* Force .data aligned to 4K, so that .got very likely gets at
   0x5021a0 (0x60 bytes .tdata and 0x140 bytes .dynamic) */
	.data
	.balign	4096
	/* 24 .long entries follow, 4 bytes each = 0x60 bytes of .tdata,
	   matching the size quoted above.  Flags "awT": allocated,
	   writable, thread-local.  */
	.section ".tdata", "awT", @progbits
	.globl sg1, sg2, sg3, sg4, sg5, sg6, sg7, sg8
	.globl sh1, sh2, sh3, sh4, sh5, sh6, sh7, sh8
	/* sh1..sh8 are declared global and then given hidden visibility.  */
	.hidden sh1, sh2, sh3, sh4, sh5, sh6, sh7, sh8
/* sg1..sg8: global TLS variables, initial values 17..24.  */
sg1:	.long 17
sg2:	.long 18
sg3:	.long 19
sg4:	.long 20
sg5:	.long 21
sg6:	.long 22
sg7:	.long 23
sg8:	.long 24
/* sl1..sl8: no .globl directive, so local to this file; values 65..72.  */
sl1:	.long 65
sl2:	.long 66
sl3:	.long 67
sl4:	.long 68
sl5:	.long 69
sl6:	.long 70
sl7:	.long 71
sl8:	.long 72
/* sh1..sh8: hidden TLS variables, initial values 257..264.  */
sh1:	.long 257
sh2:	.long 258
sh3:	.long 259
sh4:	.long 260
sh5:	.long 261
sh6:	.long 262
sh7:	.long 263
sh8:	.long 264
/* Force .text aligned to 4K, so it very likely gets at 0x401000.  */
	.text
	.balign	4096
/* fn2: container for the TLS access sequences under test.
   Sets up an %rbp frame on entry and tears it down with leave/ret.
   The sequences overwrite %rdi, %rdx, %rcx, %r9, %r10, %r11, %rax and
   %r12 without using the results.
   NOTE(review): %r12 is callee-saved under the SysV AMD64 ABI and is
   written below without being saved; presumably acceptable because fn2
   looks like a relocation fixture rather than callable code -- confirm
   before calling it from ABI-conforming code.  */
	.globl fn2
	.type fn2,@function
fn2:
	pushq %rbp
	movq %rsp, %rbp

	/* General-dynamic (GD) sequences.  Each is: 0x66 prefix, leaq of
	   sym@tlsgd into %rdi, 0x66 prefix, rex64, then an indirect call
	   through the GOT slot of __tls_get_addr.  The prefixes pad the
	   pair to 16 bytes (1+7 for the leaq, 1+1+6 for the call), the
	   fixed length the x86-64 TLS ABI defines for a GD sequence so a
	   linker can rewrite it in place.  The nop runs between sequences
	   presumably keep each rewritten sequence easy to tell apart in a
	   disassembly.  */

	/* GD -> IE because variable is not defined in executable */
	.byte 0x66
	leaq sG1@tlsgd(%rip), %rdi
	.byte 0x66
	rex64
	call *__tls_get_addr@GOTPCREL(%rip)
	nop;nop;nop;nop

	/* GD -> IE because variable is not defined in executable where
	   the variable is referenced through IE too */
	.byte 0x66
	leaq sG2@tlsgd(%rip), %rdi
	.byte 0x66
	rex64
	call *__tls_get_addr@GOTPCREL(%rip)
	nop;nop;nop;nop

	/* GD -> LE with global variable defined in executable */
	.byte 0x66
	leaq sg1@tlsgd(%rip), %rdi
	.byte 0x66
	rex64
	call *__tls_get_addr@GOTPCREL(%rip)
	nop;nop;nop;nop

	/* GD -> LE with local variable defined in executable */
	.byte 0x66
	leaq sl1@tlsgd(%rip), %rdi
	.byte 0x66
	rex64
	call *__tls_get_addr@GOTPCREL(%rip)
	nop;nop;nop;nop

	/* GD -> LE with hidden variable defined in executable */
	.byte 0x66
	leaq sh1@tlsgd(%rip), %rdi
	.byte 0x66
	rex64
	call *__tls_get_addr@GOTPCREL(%rip)
	nop;nop;nop;nop

	/* Local-dynamic (LD) sequences: one unpadded leaq sym@tlsld plus
	   call, then variables addressed as sym@dtpoff displacements off
	   the value returned in %rax.  The addends (1+, +2, 3+) exercise
	   dtpoff relocations with a non-zero offset.  */

	/* LD -> LE */
	leaq sl1@tlsld(%rip), %rdi
	call *__tls_get_addr@GOTPCREL(%rip)
	nop;nop
	leaq 1+sl1@dtpoff(%rax), %rdx
	nop;nop
	leaq sl2@dtpoff+2(%rax), %r9
	nop;nop;nop;nop

	/* LD -> LE against hidden variables */
	leaq sh1@tlsld(%rip), %rdi
	call *__tls_get_addr@GOTPCREL(%rip)
	nop;nop
	leaq sh1@dtpoff(%rax), %rdx
	nop;nop
	leaq 3+sh2@dtpoff(%rax), %rcx
	nop;nop;nop;nop

	/* Initial-exec (IE) sequences, address-computing form: load the
	   thread pointer from %fs:0, then add the offset read from the
	   variable's @gottpoff GOT slot.  */

	/* IE against global var */
	movq %fs:0, %r9
	nop;nop
	addq sG2@gottpoff(%rip), %r9
	nop;nop;nop;nop

	/* IE -> LE against global var defined in exec */
	movq %fs:0, %r10
	nop;nop
	addq sg1@gottpoff(%rip), %r10
	nop;nop;nop;nop

	/* IE -> LE against local var */
	movq %fs:0, %rax
	nop;nop
	addq sl1@gottpoff(%rip), %rax
	nop;nop;nop;nop

	/* IE -> LE against hidden var */
	movq %fs:0, %rcx
	nop;nop
	addq sh1@gottpoff(%rip), %rcx
	nop;nop;nop;nop

	/* Direct access through %fs */
	/* Value-loading form: read the offset from the @gottpoff GOT slot
	   into a register, then load the variable itself through an
	   %fs-relative access.  */

	/* IE against global var */
	movq sG5@gottpoff(%rip), %rcx
	nop;nop
	movq %fs:(%rcx), %rdx
	nop;nop;nop;nop

	/* IE->LE against local var */
	/* Uses %r11/%r12, so this case covers the extended registers.  */
	movq sl5@gottpoff(%rip), %r11
	nop;nop
	movq %fs:(%r11), %r12
	nop;nop;nop;nop

	/* IE->LE against hidden var */
	/* Same register (%rdx) holds the offset and receives the value.  */
	movq sh5@gottpoff(%rip), %rdx
	nop;nop
	movq %fs:(%rdx), %rdx
	nop;nop;nop;nop

	/* Undo the frame set up at entry and return.  */
	leave
	ret