
Why does this not fail? I mean, if I compile and execute the following code, I get

    mmap 4KB as readable/writeable, but not executable.
    write some code there.
    and call there. this should fail!
    but does not?
    thats weird!

I expected that I would have to use the sys_mprotect syscall to mark the memory as executable, but this works, even though it should not?

    format elf64 executable
    use64
    entry start

    macro echo message {
        mov rdx, message#.size
        lea rsi, [ message ]
        mov rdi, 1
        mov rax, 1
        syscall
    }

    struc db [ data ] {
    common
        . db data
        .size = $ - .
    }

    segment executable

    start:
        echo msg0
        mov r10, 0x22            ;MMAP_Private | MMAP_Anonymous
        mov rdx, 0x03            ;readable | writeable
        mov rsi, 4096
        xor rdi, rdi
        mov rax, 9               ;sys_mmap
        syscall
        mov qword [ buffer ], rax

        echo msg1
        mov rcx, stub.size
        mov rdi, qword [ buffer ]
        lea rsi, [ stub ]
        rep movsb                ;copy the stub into the fresh mapping

        echo msg2
        mov rdx, msg3.size
        lea rsi, [ msg3 ]
        mov rdi, 1
        mov rax, 1               ;sys_write, issued by the stub's syscall
        call qword [ buffer ]

        echo msg4

    exit:
        xor rdi, rdi
        mov rax, 60              ;sys_exit
        syscall

    segment readable writeable

    stub:
        syscall
        ret
    stub.size = $ - stub

    msg0 db 'mmap 4KB as readable/writeable, but not executable.', 10, 0
    msg1 db 'write some code there.', 10, 0
    msg2 db 'and call there. this should fail!', 10, 0
    msg3 db 'but does not?', 10, 0
    msg4 db 'thats weird!', 10, 0
    buffer rq 1

So the actual question is: how can I get this to fail? I expected that Linux uses the NX bit for such memory, and my PC, which I checked with

    grep ^flags /proc/cpuinfo | head -n1 | egrep --color=auto ' (pae|nx) '

and also checked in the BIOS, allows this kind of memory protection.

  • How do you use fasm's debug-symbol output with gdb? I tried fasm -s nx-test.debug nx-test.fasm, but when I tried symbol-file nx-test.debug in gdb, it said "can't read symbols: File format not recognized". (I don't know FASM at all, just NASM and GNU. (and some MASM syntax)). Commented Jun 5, 2016 at 17:57
  • Had to use readelf -a to get the address of _start to set a breakpoint :/ Commented Jun 5, 2016 at 18:04
  • Just compile it with fasm file-name.fasm, make it executable with chmod +x file-name, and execute it with ./file-name. The symbols file is fasm-specific and not really useful in this context. Commented Jun 5, 2016 at 18:05
  • I did that, of course. It's just annoying not to be able to do break _start. And gdb has a few other inconveniences when it doesn't have a "function name" to associate with an address. Commented Jun 5, 2016 at 18:16
  • 2
    I found this duplicate: stackoverflow.com/questions/32730643/…. Apparently this is the standard behaviour. Probably too many programs that JIT some code broke when PROT_EXEC wasn't implied, so it's the default. That's probably configurable (at compile-time if not at run-time). I have to head out now for Ultimate (Frisbee), but I'll have another look when I get back. Commented Jun 5, 2016 at 18:25
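The mechanism behind the "standard behaviour" mentioned in the last comment is the READ_IMPLIES_EXEC personality flag: Linux sets it for a process whose ELF executable has no PT_GNU_STACK program header, and with that flag every readable mapping, including the mmap above, is also executable. FASM's `format elf64 executable` output carries no PT_GNU_STACK entry (compare `readelf -lW ./nx-test | grep GNU_STACK` against a gcc-built binary, which has one), so the NX bit is simply never applied to that page. Since kernel 5.8 this automatic flag is no longer set for 64-bit x86 processes, so the same program segfaults at the `call` on current kernels. The C program below is an added example, not code from the question or its comments; it checks the flag and the real permissions of a PROT_READ|PROT_WRITE mapping in /proc/self/maps, and shows the W^X way of running generated code that the questioner expected to need: write into a writable page, then mprotect it to read+execute before calling it. The six-byte x86-64 stub and the aarch64 stub are constructed for the example and just return 42.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/personality.h>

/* 1 if this process runs with READ_IMPLIES_EXEC (every readable mapping is
 * executable), 0 otherwise. personality(0xffffffff) queries without changing. */
int read_implies_exec_active(void)
{
    int p = personality(0xffffffff);
    return p != -1 && (p & READ_IMPLIES_EXEC) != 0;
}

/* Find the VMA containing addr in /proc/self/maps and return 1 if its
 * permission string has 'x', 0 if not, -1 if the lookup failed. */
int vma_is_executable(const void *addr)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    unsigned long want = (unsigned long)(uintptr_t)addr;
    char line[512];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long start, end;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3) continue;
        if (want >= start && want < end) {
            result = (perms[2] == 'x');
            break;
        }
    }
    fclose(f);
    return result;
}

/* Repeat the question's mmap (read+write only) and report whether the kernel
 * nevertheless gave the page execute permission. */
int rw_mapping_is_executable(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    int r = vma_is_executable(p);
    munmap(p, pg);
    return r;
}

/* W^X pattern: write code into a RW page, then flip it to R+X with mprotect
 * before calling it. Returns what the stub returns (42), or -1 on failure or
 * on an architecture this example has no stub for. */
int run_stub_with_mprotect(void)
{
#if defined(__x86_64__)
    static const unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
    static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0,#42 ; ret */
#else
    static const unsigned char stub[] = { 0 };
    return -1;
#endif
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    memcpy(p, stub, sizeof stub);
    __builtin___clear_cache((char *)p, (char *)p + sizeof stub); /* needed on arm */
    if (mprotect(p, pg, PROT_READ | PROT_EXEC) != 0) { munmap(p, pg); return -1; }
    int (*fn)(void);
    memcpy(&fn, &p, sizeof fn);   /* object pointer -> function pointer without a cast warning */
    int v = fn();
    munmap(p, pg);
    return v;
}

int main(void)
{
    printf("READ_IMPLIES_EXEC active: %d\n", read_implies_exec_active());
    printf("RW mapping shows 'x' in /proc/self/maps: %d\n", rw_mapping_is_executable());
    printf("stub run after mprotect(R|X) returned: %d\n", run_stub_with_mprotect());
    return 0;
}
```

Built with gcc the binary has a PT_GNU_STACK header, so the first two lines print 0 and the RW page really is non-executable; running the same binary under `setarch x86_64 -X ./a.out` forces READ_IMPLIES_EXEC and both lines turn to 1, reproducing what the FASM program saw. The third line prints 42 either way, because the page is made executable explicitly, which is what a JIT that respects NX should do instead of relying on the legacy personality.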
