add uncan poc

pocs/cpus/reptar/minimized/README.md

@@ -12,5 +12,6 @@ You can build them all simply by running `make`. Building the code requires `nas
 - **reptar.loopless.elf.asm**: This is an easier to modify reproducer that will also trigger the bug somewhat reliably but also allows to modify the instructions executed before and after. Note the registers that the program uses at the top.
 - **reptar.loop.elf.asm**: This is a more documented reproducer that explains what happens when the bug triggers and which instructions execute and which don't. Running the program on GDB should allow for quick debugging.
 - **reptar.vdso.bin.asm**: This is an experiment where we map ourselves just before the VDSO (you must disable ASLR first and adjust the addresses) and then make the "wrong RIP" point to the VDSO address of the time() function. As a result, the current time is stored in the address pointed to by RAX, which is then clflushed so it triggers a segfault to the current time. If we had corrupted the uop$ then we would instead expect a crash, so it appears that a long jump to the VDSO doesn't corrupt the uop$. To test try: `taskset -c 7 gdb ./reptar.vdso.bin  -ex r -ex 'python import datetime;print(datetime.datetime.utcfromtimestamp(gdb.parse_and_eval("*$rdi")))' -ex 'p $rsp' -ex q` - if the uop$ was not corrupted, you should see the current date/time. If it was, we would expect a segfault when writing to `0x42` at the poisoned address.
+- **reptar.uncan.bin.asm**: This is an experiment where we map ourselves at the end of the canonical address space for x86_64 (needs ASLR to be enabled) and then runs for as long as it can before it innevitably faults to see how far it can get into invalid address space. Error should be something like: `general protection fault ip:8000000019f5 error:0` with the last 4 bytes varying depending on how many iterations it did.
 - **reptar.mce.elf.asm**: Trigger this with `./log_mce.sh` and adjust the cpu 15/7 so they are siblings. This code will trigger an MCE on some affected CPUs and log the details. Look at `mce.txt` for the expected MCE errors. If no MCE is visible, define `MCE_INSTRUCTION='rep movsb'` as that works instead on some CPUs.
 - **reptar.bootmce.bin.asm**: Same as mce, but instead intended to be ran from a VM using KVM. `qemu-system-x86_64 --enable-kvm -fda reptar.bootmce.bin`.

pocs/cpus/reptar/minimized/reptar.uncan.bin.asm

@@ -0,0 +1,35 @@
+%define TINY_ELF_BASE_ADDRESS 0x7fffffffe000
+%macro TINY_ELF_PAYLOAD 0
+_start:
+    lea rax, [rsp - 0x1000]
+    mov r15, .skip_reptar_alias
+    jmp r15
+    align 16
+    .loop_for_every_iteration:
+    .loop_only_on_bug:
+        clflush [rax]
+        clflush [rax+64]
+        mov rsi, rax
+        mov rdi, rax
+        mov cl, 1
+        align 16
+        inc rbp
+        clflush [rax]
+        clflush [rax+1]
+        .reptar:
+            rep
+            db 0x44; rex.r
+            movsb
+        .after_reptar:
+            pause
+            times 64 nop
+            jmp r15
+        .skip_reptar_alias:
+            inc rdx
+            jmp .loop_for_every_iteration
+        .end_of_program:
+            int3
+            int3
+%endmacro
+
+%include "third_party/tiny_elf.asm"