01:33 imanho: I have a question regarding control codes in sass, are they solely _identified_ based on the address they are located? (so the SM interprets anything at 0x.. which is divisible by 32 as control codes?)
01:34 imanho: and so can we have a JM? (jump) instruction jump at an address which is _not_ a control code? (it would be weird because then say, what is the stall count for this instruction? the SM needs to read the control code coming before it to know how to schedule it)
01:38 imirkin: yes.
01:38 imirkin: it's based on alignment
01:38 imirkin: you can totally jump to a non-aligned address
01:38 imirkin: (i mean, obv has to be instruction-aligned)
01:39 imirkin: and yes, instructions are processed in blocks of 32 bytes
01:39 imirkin: i guess i'd have understood if they had a restriction that you couldn't jump to unaligned addresses, but they don't
05:36 imanho: "We assume that our attacker can trigger a
05:36 imanho: buffer overflow, which overwrites a function pointer. We also
05:36 imanho: assume that the attacker can control some register values
05:36 imanho: depending on the copy gadget used. " So this is implying that there is a way that I can put what I want in some register
05:37 imanho: I can redirect execution to a part of code which copies data into code pages, as in: [R16] <- [R12] , so if I can control R12 and R16 to be what I want them to be I can copy off 128 bits.
05:41 imanho: Are they implying that I just tweak the sass/ptx (just emit R12 <- 0xdeadbeef etc.)to set the registers as values I want? Because it doesn't seem it can be done via inline PTX asm
05:42 imanho: https://docs.nvidia.com/cuda/inline-ptx-assembly/index.html : doesnt talk about _specifying_ operands as the exact registers you want (i.e. %1 is not necessarily R1)
11:44 imanho: I added an extraneous "add.u64 %rd11, 0x0 , 0xbeef" to the .ptx, then compiled with "-O0" and still, the add gets killed off.