I wrote simple program to estimate size of problem. Yes, I know about CFI but it seems that even on kernel 5.11 on fresh Ubuntu this mechanism is not implemented and indirect calls looks like:
mov rax, cs:XXX call __x86_indirect_thunk_rax
jmp rax
First approach is just to scan .data section - you can do this running
./lkmem path-to-unpacked-kernel path-to-System.mapSome results:
- arm64 5.11.0: 9893
- x64 5.8-53: 10698
- x64 5.11.0: 13414
- x64 4.18: 16224
Ok, how about not yet inited pointers (or pointers in .bss section)? We need use disassembler - just disasm all functions in .text and find indirect calls and calls to __x86_indirect_thunk_XXX. Results (with -d option):
- x64 4.18: +42
- x64 5.8-53: +52
- x64 5.11.0: +45
and with .bss section (option -b):
- x64 4.18: +99
- x64 5.8-53: +120
- x64 5.11.0: +109