mmap区域上的memset/memcpy失败 [英] memset/memcpy on mmap region fails

问题描述

我正在尝试从另一个程序中加载一个静态链接程序并执行它.我的步骤是:

I'm trying to load a statically linked program from another one and execute it. My steps are:

• 解析ELF
• 从程序头中解析段
• 对于每个PT_LOAD
• 加载
• 跳转到起始地址

如果elf_bytes是映射文件ELF文件，则加载PT_LOAD段为load(&p, elf_bytes + p.p_offset).

If elf_bytes is the mmap'ed ELF file, loading a PT_LOAD segment is load(&p, elf_bytes + p.p_offset).

加载功能:

int load(const Elf64_Phdr *phdr, const void *elf_bytes_for_phdr) {
    fprintf(stderr, "loading phdr of type %x from 0x%x to +=%zu bytes\n", phdr->p_type, phdr->p_vaddr, phdr->p_memsz);
    const size_t pagesize = getpagesize();
    const size_t unaligned_bytes = phdr->p_vaddr % pagesize;

    void *base_addr = phdr->p_vaddr - unaligned_bytes;
    size_t total_bytes = phdr->p_memsz + unaligned_bytes;

    void *region = mmap(
            base_addr,
            total_bytes,
            phdr->p_flags,
            MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS,
            0, 0
    );
    if (region != MAP_FAILED) {
        memset(region, 0, unaligned_bytes);
        // return memcpy(region + unaligned_bytes, elf_bytes_for_phdr, phdr->p_filesz) == region + unaligned_bytes;
        return memset(region + unaligned_bytes, /*elf_bytes_for_phdr*/0, 1) == region + unaligned_bytes;
    }
    return 1;
}

memset和memcpy均失败；内核在地址0x400000上发送了SIGSEGV，恰好是region. 那里什么都没有:

Both memset and memcpy fail; the kernel sends a SIGSEGV at address 0x400000, which happens to be exactly region. There is nothing there:

gdb$ shell pmap 10751
00007ff000000000      8K r-x-- ld_simple_loader
00007ff000201000      4K r---- ld_simple_loader
00007ff000202000      4K rw--- ld_simple_loader
00007ffff79e4000   1948K r-x-- libc-2.27.so
00007ffff7bcb000   2048K ----- libc-2.27.so
00007ffff7dcb000     16K r---- libc-2.27.so
00007ffff7dcf000      8K rw--- libc-2.27.so
00007ffff7dd1000     16K rw---   [ anon ]
00007ffff7dd5000    156K r-x-- ld-2.27.so
00007ffff7fdc000      8K rw---   [ anon ]
00007ffff7ff7000     12K r----   [ anon ]
00007ffff7ffa000      8K r-x--   [ anon ]
00007ffff7ffc000      4K r---- ld-2.27.so
00007ffff7ffd000      4K rw--- ld-2.27.so
00007ffff7ffe000      4K rw---   [ anon ]
00007ffffffde000    132K rw---   [ stack ]
ffffffffff600000      4K r-x--   [ anon ]
 total             4384K

因为加载程序从一个很高的地址开始(实际上是为了避免此问题).通过与-Wl,-Ttext-segment=00007ff000000000链接.

because the loader starts at a very high address (to avoid this issue, actually). This by linking with -Wl,-Ttext-segment=00007ff000000000.

(我还尝试过先对该区域进行映射.)

(I also tried munmap'ing the region first.)

推荐答案

void *region = mmap(
        base_addr,
        total_bytes,
        phdr->p_flags,
        MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS,
        0, 0
);

您通常mmap 的第一段包含.text，并且具有R-X(但没有 write )权限.

The first segment you mmap usually covers .text and has R-X (but no write) permissions.

没有.p_flags中的 write 权限，尝试(自然)写入该内存失败.

Without the write permission in .p_flags, attempts to write to that memory (naturally) fail.

您可能想改用phdr->p_flags | PROT_WRITE.

当心:某些安全策略(例如SELinux)不允许可写和可执行的映射.在这样的系统上，您需要使用PROT_WRITE映射内存，适当复制数据，然后使用所需的保护来复制mprotect.

Beware: certain security policies (such as SELinux) disallow writeable and executable mappings. On such a system, you would need to map the memory with PROT_WRITE, copy data as appropriate, and then mprotect with desired protections.

这篇关于mmap区域上的memset/memcpy失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！