[PATCH] ntdll: Set rcx on exit from syscall dispatcher on x64.

[Paul Gofman]

On 12/1/21 19:29, Paul Gofman wrote:
>
>
>>                      "testl $0x3,%edx\n\t"           /* 
>> CONTEXT_CONTROL | CONTEXT_INTEGER */
>>                      "jnz 1f\n\t"
>>                      "movq 0x88(%rcx),%rsp\n\t"
>> -                   "jmpq *0x70(%rcx)\n"            /* frame->rip */
>> +                   "movq 0x70(%rcx),%rcx\n\t"      /* frame->rip */
>> +                   "jmpq *%rcx\n\t"
>>                      "1:\tleaq 0x70(%rcx),%rsp\n\t"
>>                      "testl $0x2,%edx\n\t"           /* 
>> CONTEXT_INTEGER */
>> -                   "jz 1f\n\t"
>> -                   "movq 0x00(%rcx),%rax\n\t"
>> +                   "jnz 1f\n\t"
>> +                   "movq (%rsp),%rcx\n\t"          /* frame->rip */
>> CONTEXT_CONTROL means we should restore the CS segment register as well.
>> Since SYSRET cannot restore CS, Windows would have to use plain IRETQ
>> instead of SYSRET.  In this case I suspect there should be no reason to
>> clobber RCX at all.
>>
>> Note that this claim is unconfirmed; I might need some testing.
>>
> Does my patch change anything in this regard? I hope it doesn't, if it 
> does that is an oversight. If there is something looking wrong with 
> how it works now fixing that should not go in the same patch. But I 
> think we currently restore CS (both before and after my patch) by 
> using iretq in case of CONTEXT_CONTROL, isn't that the case?
>
>
If you mean that rcx should not be set this way in case of 
CONTEXT_CONTROL, I think my test with NtSetContextThread plainly shows 
that it should?