Why doesn't this fail? I mean, if I assemble and run the following code, I get
mmap 4KB as readable/writeable, but not executable.
write some code there.
and call there. this should fail!
but does not?
thats weird!
I expected to have to use the sys_mprotect syscall to mark some memory as executable, but this works even though it shouldn't?
format elf64 executable
use64
entry start

; write(1, message, message.size)
macro echo message
{
    mov rdx, message#.size
    lea rsi, [ message ]
    mov rdi, 1
    mov rax, 1
    syscall
}

; redefine db so that every label defined with it also gets a .size constant
struc db [ data ]
{
    common
    . db data
    .size = $ - .
}

segment executable
start:
    echo msg0
    ; mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0)
    mov r10, 0x22           ; MAP_PRIVATE | MAP_ANONYMOUS
    mov rdx, 0x03           ; PROT_READ | PROT_WRITE (no PROT_EXEC)
    mov rsi, 4096
    xor rdi, rdi
    mov r8, -1              ; fd: ignored for anonymous mappings, -1 by convention
    xor r9, r9              ; offset 0 (do not rely on registers being zero at entry)
    mov rax, 9              ; sys_mmap
    syscall
    mov qword [ buffer ], rax
    echo msg1
    ; copy the stub (syscall; ret) into the fresh mapping
    mov rcx, stub.size
    mov rdi, qword [ buffer ]
    lea rsi, [ stub ]
    rep movsb
    echo msg2
    ; set up write(1, msg3, msg3.size) and let the copied stub issue the syscall
    mov rdx, msg3.size
    lea rsi, [ msg3 ]
    mov rdi, 1
    mov rax, 1
    call qword [ buffer ]
    echo msg4
exit:
    xor rdi, rdi
    mov rax, 60             ; sys_exit
    syscall

segment readable writeable
stub:
    syscall
    ret
stub.size = $ - stub
msg0 db 'mmap 4KB as readable/writeable, but not executable.', 10, 0
msg1 db 'write some code there.', 10, 0
msg2 db 'and call there. this should fail!', 10, 0
msg3 db 'but does not?', 10, 0
msg4 db 'thats weird!', 10, 0
buffer rq 1
So the actual question is: how can I make it fail? I had expected Linux to use the NX bit for memory like this, and my PC, which I checked with grep ^flags /proc/cpuinfo | head -n1 | egrep --color=auto ' (pae|nx) ' and in the BIOS, supports this kind of memory protection.