1 /*
2 * Copyright (c) 2018 Todd Mortimer <mortimer@openbsd.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17 #include <stdio.h>
18 #include <stdlib.h>
19 #include <stdint.h>
20 #include <unistd.h>
21 #include <sys/mman.h>
22
23 #include "../pivot.h"
24
/*
 * Shared state between main() and dowork().
 *
 * realstack: address of the word array main() builds on its own stack;
 *            dowork() hands it to pivot() if it ever finishes scanning.
 * scan:      read cursor into the anonymous mapping created in main();
 *            dowork() advances it one byte per read.
 * scansize:  number of bytes mapped and scanned.
 */
static size_t *realstack;
static char *scan;
static size_t scansize = UINT16_MAX;
28
/*
 * Scan some memory crossing a page boundary.
 *
 * Reads scansize bytes through the global `scan` cursor, advancing the
 * cursor on every read, and accumulates them into a sum.  main() enters
 * this function through pivot() with a calloc()ed buffer as the stack
 * (the one it prints as "non-MAP_STACK stack").
 *
 * NOTE(review): presumably the faults taken while touching the fresh
 * mapping are where the kernel checks the stack pointer and kills the
 * process -- confirm against ../pivot.h and the test's Makefile.
 *
 * Returns the byte sum; only reachable if the process was not killed.
 */
size_t dowork() {
	size_t total = 0;
	size_t remaining = scansize;

	while (remaining-- > 0)
		total += *scan++;

	/* We should be killed before we get here */
	pivot(realstack);
	return total;
}
40
/*
 * Landing point stored in stack[0] of main()'s real-stack array.
 * dowork() pivots to that array only if the scan completed, so
 * reaching this function means the process was not killed; it then
 * leaves immediately with status 0 via _exit().
 */
void
doexit()
{
	_exit(0);
}
44
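/*
 * Build the two stacks and start the test.
 *
 * 1. Map scansize bytes of read-only anonymous memory for dowork() to scan.
 * 2. Put doexit's address in an array on the real stack and publish it
 *    through `realstack`, so dowork() has somewhere to pivot back to.
 * 3. Allocate a second word array with calloc(), store dowork's address in
 *    it, and pivot() onto it.
 *
 * Setup failures are reported and return 1.  Without these checks a failed
 * mmap() or calloc() would make the process crash on the bad pointer, and
 * that crash could be mistaken for the kill this test is expecting.
 * NOTE(review): confirm the harness tells exit status 1 apart from death
 * by signal.
 */
int main() {
	/* allocate some memory to scan */
	scan = mmap(NULL, scansize, PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
	if (scan == MAP_FAILED) {
		perror("mmap");
		return 1;
	}

	/*
	 * Return target on the real stack: dowork() pivots here (and so
	 * reaches doexit) only if it was not killed first.
	 */
	size_t stack[10];
	stack[0] = (size_t)doexit;
	realstack = stack;

	/* set up a basic alt stack on the heap that does some work */
	size_t *newstack = calloc(10, sizeof *newstack);
	if (newstack == NULL) {
		perror("calloc");
		return 1;
	}
	printf("non-MAP_STACK stack at %p\n", newstack);
	newstack[0] = (size_t)dowork;
	pivot(newstack);
	return 0;
}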
62