From c19581282d9e77e37eaa80e95e0584fc412ae582 Mon Sep 17 00:00:00 2001
From: 4lDO2 <4lDO2@protonmail.com>
Date: Mon, 15 Feb 2021 20:02:35 +0100
Subject: [PATCH 1/2] Use the correct add instruction when popping CS.
---
 src/arch/x86_64/interrupt/syscall.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/arch/x86_64/interrupt/syscall.rs b/src/arch/x86_64/interrupt/syscall.rs
index 0b0c514..2ea73c4 100644
--- a/src/arch/x86_64/interrupt/syscall.rs
+++ b/src/arch/x86_64/interrupt/syscall.rs
@@ -112,7 +112,7 @@ function!(syscall_instruction => {
  // Otherwise, continue with the fast sysretq.
- sub rsp, 8 // Pop fake userspace CS
+ add rsp, 8 // Pop fake userspace CS
  pop r11 // Pop rflags
  pop QWORD PTR gs:[0x70] // Pop userspace stack pointer
  mov rsp, gs:[0x70] // Restore userspace stack pointer
From a4b3af34a5876938fde5f10b2761567f12ffa0f5 Mon Sep 17 00:00:00 2001
From: 4lDO2 <4lDO2@protonmail.com>
Date: Mon, 15 Feb 2021 20:05:00 +0100
Subject: [PATCH 2/2] Use correct jump instruction.
---
 src/arch/x86_64/interrupt/syscall.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/arch/x86_64/interrupt/syscall.rs b/src/arch/x86_64/interrupt/syscall.rs
index 2ea73c4..016cde1 100644
--- a/src/arch/x86_64/interrupt/syscall.rs
+++ b/src/arch/x86_64/interrupt/syscall.rs
@@ -108,7 +108,7 @@ function!(syscall_instruction => {
  // If ZF was set, i.e. the address was invalid higher-half, so jump to the slower iretq and
  // handle the error without being able to execute attacker-controlled code!
- jmp 1f
+ jnz 1f
  // Otherwise, continue with the fast sysretq.
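Review bot: The new `add rsp, 8` discards the slot rather than popping it into anything, so the retained comment `// Pop fake userspace CS` still reads as if a value were consumed; `add rsp, 8 // Discard the fake userspace CS slot` states what actually happens. The three lines after it fix the frame order this path walks — fake CS, then rflags into r11, then the userspace stack pointer into gs:[0x70] — and a one-line comment above the add recording that order (`// Frame from here: [fake CS][rflags][userspace rsp]`) would let a reader check the stack arithmetic this patch had to correct. Whether the return address for sysretq has already been loaded into rcx, and whether gs still points at the per-CPU area at this point, is decided outside the hunk, as syscall_instruction continues on both sides of it.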
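Review bot: The comment directly above the changed line says the jump is taken when ZF was set, but `jnz 1f` jumps when ZF is clear, so either the comment or the branch sense is inverted relative to the flag-setting instruction, which sits above the hunk and is not visible here. If that test leaves ZF=0 for a higher-half address, `jnz` is right and the comment should read `// If ZF was clear, i.e. the address was invalid higher-half, jump to the slower iretq`; if it leaves ZF=1, the fix needs `jz 1f` instead. The comment itself names what is at stake when a bad return address reaches sysretq, so the branch sense should be settled against the actual test instruction, and naming that instruction in the comment next to the branch would keep the two from drifting apart again. The previous unconditional `jmp 1f` sent every syscall through iretq, so this patch is the first time the sysretq path is reachable, and syscall_instruction continues on both sides of the hunk.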