
I am writing a char device that takes as input, via ioctl, a function pointer and a buffer pointer.
I want to modify the user machine context so that, back in user mode, that function is executed with a new stack pointed to by that buffer pointer.
However, if the program is run with ASLR activated, a segmentation fault terminates the program; otherwise there are no problems.
This is the interesting part of the code inside the ioctl:

        struct pt_regs *regs = task_pt_regs(current);
        regs->ip = a->func;   /* func is a function implemented in user space */
        regs->sp = a->stack;  /* stack is the buffer allocated in user space with malloc */

My question is why this happens: ASLR changes the virtual address space of the program every time it is executed, but how can this randomization create problems with the subsequent reassignment of the stack pointer?

The kernel version is 4.14.68.

Angelo
  • Where/when is it crashing? Immediately when returning from kernelspace after this change? Or later, like when the function returns? – R.. GitHub STOP HELPING ICE Sep 08 '18 at 00:24
  • Immediately when returning from kernelspace after this change – Angelo Sep 08 '18 at 00:27
  • How was the stack allocated? Does `a->stack` point to the lower end of it or the upper end? – R.. GitHub STOP HELPING ICE Sep 08 '18 at 01:26
  • `a->stack` is allocated with malloc(), and to make a simple test I have used malloc(100,sizeof(int)), so it points to the beginning of the buffer. – Angelo Sep 08 '18 at 01:29
  • Then of course it's not going to work, because (on basically all real-world architectures) the stack grows downward. As soon as the function is entered and starts pushing things onto the stack, it's going to run off the bottom and clobber other memory or hit an unmapped page and fault. – R.. GitHub STOP HELPING ICE Sep 08 '18 at 01:33
  • Also, `100*sizeof(int)` is way too small for a stack. A minimum viable amount is about 2k, and if it's possible a signal will be delivered while running on this stack it needs to be a lot larger. – R.. GitHub STOP HELPING ICE Sep 08 '18 at 01:34
  • Yes, that is right, but if I assign `a->stack = malloc(4000,sixeof(int))+4000` there is still a segmentation fault with ASLR enabled, and everything is fine if it is disabled. Now I have another question: why does it work with ASLR disabled but a badly allocated stack? – Angelo Sep 08 '18 at 01:41
  • It doesn't "work with ASLR disabled". Memory happens to be laid out in a different way where it clobbers something else rather than hitting an invalid address and faulting. – R.. GitHub STOP HELPING ICE Sep 08 '18 at 02:19
  • `malloc(4000,sixeof(int))` is not valid C. I think you need to show the actual code. – R.. GitHub STOP HELPING ICE Sep 08 '18 at 02:21
  • You are right, I am sorry, I have used calloc, not malloc. – Angelo Sep 08 '18 at 02:21
