@@ -500,8 +500,8 @@ remote_code_ptr Monkeypatcher::get_jump_stub_exit_breakpoint(remote_code_ptr ip,
500500 --it;
501501 patched_syscall *ps = &syscall_stub_list[it->second ];
502502 auto bp = it->first + ps->size - ps->safe_suffix ;
503- if (pp == bp - 4 || pp == bp - 8 ) {
504- return remote_code_ptr ((it->first + ps->size - 4 ).as_int ());
503+ if (pp == bp - 4 || pp == bp - 8 || pp == bp - 12 ) {
504+ return remote_code_ptr ((it->first + ps->size - 12 ).as_int ());
505505 }
506506 return nullptr ;
507507}
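Review bot: The offsets `bp - 4 || bp - 8 || bp - 12` and the new `ps->size - 12` encode the aarch64 stub layout as bare constants (three instruction slots ahead of the safe suffix, and the final jump sitting one instruction into a 16-byte suffix), so this check and the `2 * 4 + 8` safe_suffix chosen in patch_syscall_with_hook_arch<ARM64Arch> in the second hunk now have to be kept in lockstep by hand. Expressing the exit breakpoint relative to the suffix start, e.g. `return remote_code_ptr((bp + 4).as_int());`, with a comment such as `// exit breakpoint is the final jump, one instruction after the bail svc that opens the safe suffix`, would make that coupling visible at the point of use, assuming `bp` supports the arithmetic the way `it->first` does. Since get_jump_stub_exit_breakpoint is not arch-specific by name, it is worth confirming that these fixed offsets are only reached for aarch64 stubs. get_jump_stub_exit_breakpoint starts before the hunk; the comment in the second hunk also has a typo, `occurr`.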
@@ -717,13 +717,13 @@ bool patch_syscall_with_hook_arch<ARM64Arch>(Monkeypatcher& patcher,
717717 2 * 4 ,
718718 /* *
719719 * safe_suffix:
720- * We've returned from syscallbuf and continue execution
721- * won't hit syscallbuf breakpoint
722- * (this also include the 8 bytes that stores the return address)
723- * Note that stack restore instruction also belongs to the syscallbuf return path
724- * However, since it is still using the scratch memory,
725- * it doesn't belong to the safe area.
726- * The caller needs to have special handling for that instruction .
720+ * The safe suffix are all instructions that are no longer using syscallbuf
721+ * private stack memory. On aarch64, that is the bail path svc instruction
722+ * and the final jump instruction (including the 8 byte return address).
723+ * See the detailed extended jump patch assembly above for details.
724+ * Note that the stack restore instructions also occurr on the syscallbuf
725+ * return path, but are not considered part of the safe suffix, since they
726+ * still rely on the syscallbuf stack memory to function properly .
727727 */
728728 2 * 4 + 8
729729 });