Replace the relative jmp (e9 rel32) with an absolute indirect jmp *0(%rip) (ff 25 00000000 + addr64). The rel32 displacement is sign-extended to 64 bits, so when the displacement between the thunk and isr_entry_point exceeds 2 GiB the sign extension corrupts the target address.
Signed-off-by: Giacomo Mazzola
---
 lib/x86/isr.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/x86/isr.c b/lib/x86/isr.c
index 53c0c2b3..4f474931 100644
--- a/lib/x86/isr.c
+++ b/lib/x86/isr.c
@@ -79,9 +79,11 @@ void handle_irq(unsigned vec, void (*func)(isr_regs_t *regs))
 /* mov $func_high, %(rsp+4) */
 *thunk++ = 0xc7; *thunk++ = 0x44; *thunk++ = 0x24; *thunk++ = 0x04;
 *(u32 *)thunk = (ulong)func >> 32; thunk += 4;
- /* jmp isr_entry_point */
- *thunk ++ = 0xe9;
- *(u32 *)thunk = (ulong)isr_entry_point - (ulong)(thunk + 4);
+ /* jmp *0(%rip): absolute indirect jump to isr_entry_point */
+ *thunk++ = 0xff; *thunk++ = 0x25;
+ /* disp32 = 0: address follows */
+ *(u32 *)thunk = 0; thunk += 4;
+ *(u64 *)thunk = (ulong)isr_entry_point;
 #else
 /* push $func */
 *thunk++ = 0x68;
-- 
2.47.3
Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597
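Review bot: The new tail of the thunk is 14 bytes (ff 25, a 4-byte disp32 and the 8-byte target) where the rel32 jmp was 5, so the x86_64 thunk grows by 9 bytes, and the buffer `thunk` points into is allocated before this hunk; confirm that allocation has room for the longer sequence, since an overrun here would silently corrupt whatever follows the thunk in memory. The `*(u64 *)thunk` store is an unaligned, type-punned write like the existing `*(u32 *)` stores — fine on x86 but formally UB — and `memcpy(thunk, &target, sizeof target)` with `u64 target = (ulong)isr_entry_point;` avoids relying on it. I would also make the comment spell out the encoding so a reader can check the bytes against the intent: `/* ff 25 00 00 00 00: jmp *0(%rip) -- the 8-byte target follows the instruction, so no register is clobbered before isr_entry_point */`. handle_irq starts before this hunk and continues after it.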