1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
#include <syscall-nr.h>
#include <stdio.h>
#include <stdint.h>
#include "tests/lib.h"
#include "tests/main.h"
/**
* From threads/vaddr.h:
*/
#define BITMASK(SHIFT, CNT) (((1ul << (CNT)) - 1) << (SHIFT))
#define PGSHIFT 0 /* Index of first offset bit. */
#define PGBITS 12 /* Number of offset bits. */
#define PGSIZE (1 << PGBITS) /* Bytes in a page. */
#define PGMASK BITMASK(PGSHIFT, PGBITS) /* Page offset bits (0:12). */
static inline void *pg_round_up (const void *va) {
return (void *) (((uintptr_t) va + PGSIZE - 1) & ~PGMASK);
}
/**
* External symbol which address is the first address after all data in the BSS segment.
*/
extern int _end_bss;
void test_main(void)
{
// Get the addres of the first unmapped page in the system.
unsigned page = (unsigned)pg_round_up(&_end_bss);
// Reserve space for 2 parameters.
unsigned base = page - sizeof(int) * 2;
// Call write() with space for 4 parameters (should be fine).
asm volatile (
"movl %%esp, %%edi;"
"movl %0, %%esp;" // Set stack pointer to right below page boundary.
"movl %1, (%%esp);" // Try to call SYS_CLOSE
"movl $8, 4(%%esp);" // Close fileno #8
"int $0x30;"
"movl %%edi, %%esp;" // Restore esp.
:
: "r" (base),
"i" (SYS_CLOSE)
: "%esp", "%eax", "%edi");
write(STDOUT_FILENO, "OK\n", 3);
// Reserve space for 1 parameter (open requires 2).
base = page - sizeof(int) * 1;
// Call write() with space for 3 parameters (the kernel should kill us for doing this).
asm volatile (
"movl %%esp, %%edi;"
"movl %0, %%esp;" // Set stack pointer to right below page boundary.
"movl %1, (%%esp);" // Try to call SYS_CLOSE
// "movl $8, 4(%%esp);" // Close fileno #8
"int $0x30;"
"movl %%edi, %%esp;" // Restore esp in case we do not crash (as we should).
:
: "r" (base),
"i" (SYS_CLOSE)
: "%esp", "%eax", "%edi");
fail("should have died.");
}
|
