/*
 * Copyright (c) 2018 Todd Mortimer <mortimer@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
16897fc685Smortimer
17897fc685Smortimer #include <stdio.h>
18897fc685Smortimer #include <stdlib.h>
19897fc685Smortimer #include <stdint.h>
204627c47aSmortimer #include <unistd.h>
21dc88bc7fSmortimer #include <sys/mman.h>
22897fc685Smortimer
23897fc685Smortimer #include "../pivot.h"
24897fc685Smortimer
/* Saved pointer to the genuine stack; dowork() pivots back onto it. */
static size_t *realstack;

/* Number of bytes dowork() reads through `scan`. */
static size_t scansize = UINT16_MAX;

/* Region that dowork() walks; the pointer itself is advanced as it reads. */
static char *scan;
28897fc685Smortimer
/*
 * Walk `scansize` bytes of the memory behind `scan`, summing them, while
 * running on the non-MAP_STACK alternate stack that main() set up.
 *
 * The read is sized to cross a page boundary, so it presumably faults with
 * the stack pointer outside any MAP_STACK mapping; the kernel is expected to
 * kill the process at that point.  Reaching the pivot back to the real stack
 * therefore means the enforcement did not fire.
 *
 * Returns the byte sum (only ever observed if the test fails).
 */
size_t
dowork()
{
	size_t sum = 0;
	size_t remaining;

	for (remaining = scansize; remaining > 0; --remaining)
		sum += *scan++;

	/* We should be killed before we get here */
	pivot(realstack);
	return sum;
}
40897fc685Smortimer
/*
 * Final link of the chain placed on the real stack: terminate the process
 * immediately with status 0 (no atexit handlers, no stdio flush).
 */
void
doexit()
{
	_exit(0);
}
44897fc685Smortimer
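/*
 * Regress driver: run dowork() on a heap buffer that was never mapped
 * MAP_STACK and expect the kernel to kill the process when it faults there.
 *
 * Setup failures exit with status 1 so they cannot be mistaken for the
 * expected kill.  A run that survives dowork() presumably returns through
 * the doexit() entry placed on the real stack, so reaching `return 0` is
 * itself unexpected.
 */
int
main()
{
	/* allocate some memory to scan */
	scan = mmap(NULL, scansize, PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
	if (scan == MAP_FAILED) {
		/* Fail here rather than fault on MAP_FAILED inside dowork(),
		 * which would look like the kill the test is waiting for. */
		fprintf(stderr, "mmap failed\n");
		return 1;
	}

	/* set up a rop chain on the real stack for syscalls */
	size_t stack[10] = {0};	/* zeroed so the chain is deterministic */
	stack[0] = (size_t)doexit;
	realstack = stack;

	/* set up a basic alt stack on the heap that does some work */
	size_t *newstack = calloc(10, sizeof *newstack);
	if (newstack == NULL) {
		fprintf(stderr, "calloc failed\n");
		return 1;
	}
	/* %p wants a void *; flush because stdout may be a pipe and the
	 * expected kill would otherwise discard the buffered line. */
	printf("non-MAP_STACK stack at %p\n", (void *)newstack);
	fflush(stdout);
	newstack[0] = (size_t)dowork;
	pivot(newstack);
	return 0;
}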
62