There are several places, where unsigned x30 (LR) is stored in memory, being vulnerable for substitution.
-
crt/aarch64/crtn.s and crt/aarch64/crti.s - load/store or LR in context of .init and .fini (not to be messed up with .init_array and .fini_array)
-
src/signal/aarch64/sigsetjmp.s - store/load of unsigned LR in prologue/epilogue
-
src/setjmp/aarch64/setjmp.s - store unsigned LR to jump context structure
-
src/setjmp/aarch64/longjmp.s - restore unsigned LR from jump context structure
There are several places, where unsigned x30 (LR) is stored in memory, being vulnerable for substitution.
crt/aarch64/crtn.s and crt/aarch64/crti.s - load/store or LR in context of
.initand.fini(not to be messed up with.init_arrayand.fini_array)src/signal/aarch64/sigsetjmp.s - store/load of unsigned LR in prologue/epilogue
src/setjmp/aarch64/setjmp.s - store unsigned LR to jump context structure
src/setjmp/aarch64/longjmp.s - restore unsigned LR from jump context structure