Below is a part of an experiement. I am trying to mprotect the whole of the stack area but mprotect needs page aligned space. I can get the address of the current pointer using ucontext.uc_mcontext.gregs[REG_ESP] . But how do I get the page-size aligned address to use in the mprotect ? and How do I calculate the size of the stack ?
This being an experiment, I am also curious if it possible in the first place. If so, would it result in security issues ? . Thanks.
Jump to PostWell the first thing you'll have to do is determine page size on your computer. Then you could try something like below.
#include <stdio.h> #include <stdlib.h> #define MY_PAGE_SIZE 4096 int main(int argc, char** argv) { unsigned long addr = (unsigned long)&main & ((0UL - 1UL) ^ (MY_PAGE_SIZE …
Jump to PostActually I forgot...POSIX has a function called posix_memalign(), which will allocate your memory aligned on a memory border.
Well the first thing you'll have to do is determine page size on your computer. Then you could try something like below.
#include <stdio.h>
#include <stdlib.h>
#define MY_PAGE_SIZE 4096
int main(int argc, char** argv)
{
unsigned long addr = (unsigned long)&main & ((0UL - 1UL) ^ (MY_PAGE_SIZE - 1));
void * ptr = (void*)addr;/*ptr aligned on page*/
return (EXIT_SUCCESS);
}Actually I forgot...POSIX has a function called posix_memalign(), which will allocate your memory aligned on a memory border.
@gerard4143 : Thanks for the reply. I have doubt. In the code
unsigned long addr = (unsigned long)&main & ((0UL - 1UL) ^ (MY_PAGE_SIZE - 1));if main is address of one of the local variable, say 0xabcd8000, then the formula provided gives the address of the aligned-page( say 0xabcd6000 which is lesser than the address of the local variable). My question is, is this answer the address of the next page or the address of the current page ? I got this confusion because given that stack is growing down and the resultant address is lesser than the local variable address, I was rather expecting the resultant to be greater than the address of the local variable.
Hence If I am to copy the page containing the local variable (4K-pagesize), should I use the resultant or the (resultant-4096)address ? Am I making myself clear ?
If possible, could you explain how this piece of code works ?
@gerard4143 : Thanks for the reply. I have doubt. In the code
unsigned long addr = (unsigned long)&main & ((0UL - 1UL) ^ (MY_PAGE_SIZE - 1));if main is address of one of the local variable, say 0xabcd8000, then the formula provided gives the address of the aligned-page( say 0xabcd6000 which is lesser than the address of the local variable). My question is, is this answer the address of the next page or the address of the current page ? I got this confusion because given that stack is growing down and the resultant address is lesser than the local variable address, I was rather expecting the resultant to be greater than the address of the local variable.
Hence If I am to copy the page containing the local variable (4K-pagesize), should I use the resultant or the (resultant-4096)address ? Am I making myself clear ?
If possible, could you explain how this piece of code works ?
It returns the page where main resides...Actually it returns the page where main starts, I say this because main could span one or many pages.
I would forget the above code and concentrate on the posix_memalign() function.
@gerard4143 : All I am trying to do is mprotect the whole stack right from 0xffffffff till the current stack pointer.
So I was hoping,
1. Get the current stack pointer
2. Get the Page-aligned address for that stack pointer (which will not run into another page)
3. mprotect it from here till the beginning (0xffffffff)
I dont see how posix_memalign() could be of any help here. Could you please explain ? Thanks.
@gerard4143 : All I am trying to do is mprotect the whole stack right from 0xffffffff till the current stack pointer.
So I was hoping,
1. Get the current stack pointer
2. Get the Page-aligned address for that stack pointer (which will not run into another page)
3. mprotect it from here till the beginning (0xffffffff)I dont see how posix_memalign() could be of any help here. Could you please explain ? Thanks.
You have a few problems with your task or easier ways to accomplish your goals.
1. You can't access the upper range of addresses in a user process. Its reserved for the kernel and kernel mode.
2. You can change the attributes of the stack with the compiler....This is probably the easier way to accomplish your goal.
3. Your stack may indeed be larger than a page.
1. You can't access the upper range of addresses in a user process. Its reserved for the kernel and kernel mode.
I am confused here . I thought the kernel mappings go at the lower addresses . Thats the way I see in many references. In this particular site, http://etutorials.org/Networking/network+security+assessment/Chapter+13.+Application-Level+Risks/13.3+Network+Service+Vulnerabilities+and+Attacks/ , Fig 13.3 . I see that the stack segment starts from 0xFFFFFFFF . Thats how most site mention too. I also thought I can get the current stack pointer from the processor register ESP . Am I wrong ?
You can change the attributes of the stack with the compiler....This is probably the easier way to accomplish your goal.
How to achieve this in C. Any ideas ?
Your stack may indeed be larger than a pageIs the above to mean that even If I get the address of the current Stack pointer , I would not be successful in getting the current page address ? Isn't that contradict the ESP information provided in the picture ?
Thanks for your patience and replying all my queries.
Try these compiler settings.
gcc -O0 -fno-stack-protector -z execstack -o testit testit.cWe're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.