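/*
 * Copyright (c) 2018 Todd Mortimer <mortimer@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * Regression test: run code on a stack that was not mapped with MAP_STACK
 * and take page faults while on it.  The test passes only if the process is
 * killed while dowork() is scanning; the enforcement itself lives outside
 * this file (NOTE(review): presumably the kernel's stack-pointer check on
 * the fault path -- confirm against the harness that runs this program).
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

#include "../pivot.h"

/* Address of main()'s on-stack array; dowork() pivots back to it. */
static size_t *realstack;
/* Read cursor into the anonymous mapping created by main(). */
static char *scan;
/* Bytes to read; UINT16_MAX spans several pages on common page sizes. */
static size_t scansize = UINT16_MAX;

/*
 * Scan some memory crossing a page boundary.
 *
 * Sums scansize bytes read through the global `scan` cursor, advancing it.
 * Entered via pivot() with the heap buffer as the active stack, so every
 * first touch of a page in the mapping is taken on the non-MAP_STACK stack.
 *
 * Returns the byte sum; it is only computed so the reads are not dead code.
 */
size_t dowork(void) {
	size_t sum = 0;
	size_t i;

	for (i = 0; i < scansize; ++i)
		sum += *scan++;

	/*
	 * We should be killed before we get here.  Reaching this line means
	 * no fault terminated the process; hand control to the chain on the
	 * real stack, whose first entry is doexit().
	 */
	pivot(realstack);
	return sum;
}

/*
 * Target of the chain on the real stack: terminate immediately with
 * status 0.  NOTE(review): a clean exit therefore appears to mean the
 * protection did NOT fire -- confirm how the harness interprets status 0.
 */
void doexit(void) {
	_exit(0);
}

/*
 * Build the scan mapping and both stacks, then pivot onto the heap stack.
 *
 * Returns 1 if setup fails.  Setup failures are reported and turned into a
 * normal non-zero exit so they cannot be mistaken for the expected kill:
 * without the checks, a failed calloc() would fault on the newstack[0]
 * store and a failed mmap() would fault on the first read in dowork(),
 * and either crash looks like the signal death this test is waiting for.
 */
int main(void) {
	size_t stack[10];
	size_t *newstack;

	/* allocate some memory to scan */
	scan = mmap(NULL, scansize, PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
	if (scan == MAP_FAILED) {
		perror("mmap");
		return 1;
	}

	/* set up a rop chain on the real stack for syscalls */
	stack[0] = (size_t)doexit;
	realstack = stack;

	/* set up a basic alt stack on the heap that does some work */
	newstack = calloc(10, sizeof(size_t));
	if (newstack == NULL) {
		perror("calloc");
		return 1;
	}
	/* %p requires a void * argument */
	printf("non-MAP_STACK stack at %p\n", (void *)newstack);
	newstack[0] = (size_t)dowork;

	/* pivot() comes from ../pivot.h; its definition is not in this file */
	pivot(newstack);
	return 0;
}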