flat assembler
Message board for the users of flat assembler.

Execute code in data segment (Linux)

FlierMate 30 Dec 2021, 09:51
This program prints "Hello world!" twice.

Is this the intended behavior? Because I also set the second segment as "executable".
(Or else I will likely get "Segmentation fault")

So I think it is quite dangerous to set a data segment as "executable" accidentally?

Code:
format ELF executable 3
entry start

segment readable executable              ; first program header: R E

start:

        mov     eax,4                    ; sys_write(1, msg, msg_size)
        mov     ebx,1
        mov     ecx,msg
        mov     edx,msg_size
        int     0x80
                                         ; no jmp here: execution simply runs off the end of this segment

segment readable writeable executable    ; second program header: RWE (a "data" segment that is also executable)

        mov     eax,4                    ; sys_write(1, msg, msg_size) again -> the second "Hello world!"
        mov     ebx,1
        mov     ecx,msg
        mov     edx,msg_size
        int     0x80

        mov     eax,1                    ; sys_exit(0)
        xor     ebx,ebx
        int     0x80

msg db 'Hello world!',0xA                ; the data lives in the same RWE segment as the code above
msg_size = $-msg
revolution 30 Dec 2021, 13:08
There isn't really any precise definition of a data segment. You can just set the access permissions as required.

For the code example above there is no need for the writeable attribute, since you aren't writing anything.

But do note that where the segment changes you should probably put a jmp instruction, and not rely upon there being implied nops, or no gap, in the memory layout.
FlierMate 30 Dec 2021, 13:24
Thank you for the nice explanation @revolution.

The ELF 64-bit version is also the same: code execution can cross multiple segments (if all are set to "readable" and "executable").

I think this is quite a loose standard compared to the PE binary file format. I was not able to reproduce this behavior with the code section and data section of a PE file.

Currently I believe there is no gap between segments in the memory layout. But it generates multiple program headers, one for each segment.
revolution 30 Dec 2021, 13:37
The memory layout depends upon the loader your OS uses. For my system the loader always puts each segment in a new 4kB memory page. It has to do this to allow for the new access permissions to be set correctly on each page.

If it was me I wouldn't like to rely upon undocumented behaviour of a random loader.
FlierMate 30 Dec 2021, 13:43
Alright, it was my mistake; I meant no gap in file offset. I noticed the 0x1000 (4096) alignment when running "readelf -a hello64":

Code:
Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000400000 0x0000000000400000
                 0x00000000000000c8 0x00000000000000c8  R E    0x1000
  LOAD           0x00000000000000c8 0x00000000004010c8 0x00000000004010c8
                 0x0000000000000035 0x0000000000000035  R E    0x1000

Learned something new from you.
sylware 07 Jan 2022, 16:36
https://repo.or.cz/fmap.git/blob/HEAD:/x86_64_sse2_x87/ld.simple

I did write that linker script to remove the "force down your throat" choices of the GNU binutils ld.
FlierMate1 02 Jun 2022, 13:20
revolution wrote:
... For my system the loader always puts each segment in a new 4kB memory page. ...


Actually, until today I still do not know why alignment like this is necessary. Is it for faster execution speed?
revolution 02 Jun 2022, 13:44
It's because of the paging. The minimum granularity is 4kB. That way you can have different permissions for each page. You can't do that on a byte-by-byte basis.
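The points raised in this thread (a segment that is both writeable and executable, the one-permission-per-4kB-page granularity, and the 0x1000-aligned program headers in the readelf output) can be checked mechanically. The following is an added example written for this page, not code from the thread, from fasm or from readelf: it parses the PT_LOAD program headers of an ELF32 or ELF64 file, prints each segment's flags the way readelf does, reports any W+X segment, and reports any two segments that would land on the same page with different permissions. The ELF bytes in SAMPLE and COLLIDING are constructed inline (headers only, no real code) to mirror the two "R E" segments quoted above plus an "RWE" one; function and variable names are this example's own choices.

```python
"""Audit the PT_LOAD program headers of an ELF file for W+X segments and for
segments whose pages would collide under different permissions.

Added example for this thread; not the forum's, fasm's or readelf's own code.
The images in SAMPLE and COLLIDING are constructed inline (headers only).
"""
import struct
import sys

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
PAGE = 0x1000  # smallest unit the loader can give its own permissions


def parse_program_headers(data):
    """Decode every program header of a little-endian ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF file")
    if data[4] == 2:    # ELFCLASS64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,), (phentsize, phnum) = struct.unpack_from("<Q", data, 0x20), struct.unpack_from("<HH", data, 0x36)
        fmt, names = "<IIQQQQQQ", ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    elif data[4] == 1:  # ELFCLASS32: p_flags sits after p_memsz, not after p_type
        (e_phoff,), (phentsize, phnum) = struct.unpack_from("<I", data, 0x1c), struct.unpack_from("<HH", data, 0x2a)
        fmt, names = "<IIIIIIII", ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")
    else:
        raise ValueError("unknown EI_CLASS")
    return [dict(zip(names, struct.unpack_from(fmt, data, e_phoff + i * phentsize)))
            for i in range(phnum)]


def flag_str(flags):
    """Same three-column rendering readelf uses: R, W, E or a blank."""
    return "".join(c if flags & bit else " " for c, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)))


def audit_load_segments(data):
    """One record per PT_LOAD segment: readelf-style flags, whether it is both
    writable and executable, the page range the loader has to map for it, and
    whether p_offset and p_vaddr agree modulo p_align (the ELF rule that puts
    the second segment above at 0x4010c8 rather than 0x4000c8)."""
    out = []
    for h in parse_program_headers(data):
        if h["type"] != PT_LOAD:
            continue
        start = h["vaddr"] & ~(PAGE - 1)
        end = (h["vaddr"] + h["memsz"] + PAGE - 1) & ~(PAGE - 1)
        out.append({
            "flags": flag_str(h["flags"]),
            "wx": bool(h["flags"] & PF_W) and bool(h["flags"] & PF_X),
            "pages": (start, end),
            "misaligned": h["align"] > 1 and (h["offset"] - h["vaddr"]) % h["align"] != 0,
        })
    return out


def page_conflicts(data):
    """Index pairs of PT_LOAD segments that share a page but carry different
    flags; a page has exactly one protection, so one of the two loses."""
    segs = audit_load_segments(data)
    return [(i, j) for i in range(len(segs)) for j in range(i + 1, len(segs))
            if segs[i]["flags"] != segs[j]["flags"]
            and segs[i]["pages"][0] < segs[j]["pages"][1]
            and segs[j]["pages"][0] < segs[i]["pages"][1]]


def build_sample_elf64(segments):
    """Constructed test image: an ELF64 header followed only by PT_LOAD headers.
    segments = [(flags, offset, vaddr, filesz, memsz, align), ...]"""
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0,
                       2, 62, 1, 0x400078, 64, 0, 0, 64, 56, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", PT_LOAD, f, off, va, va, fs, ms, al)
                     for f, off, va, fs, ms, al in segments)
    return ehdr + phdrs


# Mirrors the quoted readelf output, plus an RWE segment (constructed, not a real binary).
SAMPLE = build_sample_elf64([
    (PF_R | PF_X,        0x00, 0x400000, 0xc8, 0xc8, PAGE),
    (PF_R | PF_X,        0xc8, 0x4010c8, 0x35, 0x35, PAGE),
    (PF_R | PF_W | PF_X, 0xfd, 0x4020fd, 0x20, 0x20, PAGE),
])
# Same first segment, but the second one squeezed into the same page with
# different permissions: a layout no page-granular loader can honour.
COLLIDING = build_sample_elf64([
    (PF_R | PF_X, 0x00, 0x400000, 0xc8, 0xc8, PAGE),
    (PF_R | PF_W, 0xc8, 0x4000c8, 0x35, 0x35, PAGE),
])


def report(data):
    """Print a summary; return the number of W+X segments found."""
    segs = audit_load_segments(data)
    for i, s in enumerate(segs):
        print("LOAD[%d] %s pages %#x-%#x%s%s" % (i, s["flags"], *s["pages"],
              "  W+X!" if s["wx"] else "", "  offset/vaddr misaligned!" if s["misaligned"] else ""))
    for i, j in page_conflicts(data):
        print("LOAD[%d] and LOAD[%d] share a page with different flags" % (i, j))
    return sum(s["wx"] for s in segs)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    sys.exit(1 if report(data) else 0)
```

Run it as `python3 audit.py hello64` to check a real fasm output file, or with no argument to run it over the constructed SAMPLE. On SAMPLE the two "R E" segments occupy separate pages (0x400000 and 0x401000), which is exactly why fasm bumps the second segment's virtual address by a page while keeping it congruent to the file offset; the third segment is reported as W+X, the accidental "executable data" the first post worried about. COLLIDING shows the other failure mode: two segments with different flags on one page, which the kernel cannot map with both permissions.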
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
