|
@@ -6,7 +6,7 @@
|
|
|
|
|
|
|
|
static void print_usage_and_exit()
|
|
static void print_usage_and_exit()
|
|
|
{
|
|
{
|
|
|
- printf("usage: crash -[sdiamfMFTt]\n");
|
|
|
|
|
|
|
+ printf("usage: crash -[sdiamfMFTtSxyX]\n");
|
|
|
exit(0);
|
|
exit(0);
|
|
|
}
|
|
}
|
|
|
|
|
|
|
@@ -28,6 +28,7 @@ int main(int argc, char** argv)
|
|
|
SyscallFromWritableMemory,
|
|
SyscallFromWritableMemory,
|
|
|
WriteToFreedMemoryStillCachedByMalloc,
|
|
WriteToFreedMemoryStillCachedByMalloc,
|
|
|
ReadFromFreedMemoryStillCachedByMalloc,
|
|
ReadFromFreedMemoryStillCachedByMalloc,
|
|
|
|
|
+ ExecuteNonExecutableMemory,
|
|
|
};
|
|
};
|
|
|
Mode mode = SegmentationViolation;
|
|
Mode mode = SegmentationViolation;
|
|
|
|
|
|
|
@@ -62,6 +63,8 @@ int main(int argc, char** argv)
|
|
|
mode = ReadFromFreedMemoryStillCachedByMalloc;
|
|
mode = ReadFromFreedMemoryStillCachedByMalloc;
|
|
|
else if (String(argv[1]) == "-y")
|
|
else if (String(argv[1]) == "-y")
|
|
|
mode = WriteToFreedMemoryStillCachedByMalloc;
|
|
mode = WriteToFreedMemoryStillCachedByMalloc;
|
|
|
|
|
+ else if (String(argv[1]) == "-X")
|
|
|
|
|
+ mode = ExecuteNonExecutableMemory;
|
|
|
else
|
|
else
|
|
|
print_usage_and_exit();
|
|
print_usage_and_exit();
|
|
|
|
|
|
|
@@ -184,6 +187,18 @@ int main(int argc, char** argv)
|
|
|
ASSERT_NOT_REACHED();
|
|
ASSERT_NOT_REACHED();
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
+ if (mode == ExecuteNonExecutableMemory) {
|
|
|
|
|
+ auto* ptr = (u8*)mmap(nullptr, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
|
|
|
|
|
+ ASSERT(ptr != MAP_FAILED);
|
|
|
|
|
+
|
|
|
|
|
+ ptr[0] = 0xc3; // ret
|
|
|
|
|
+
|
|
|
|
|
+ typedef void* (*CrashyFunctionPtr)();
|
|
|
|
|
+ ((CrashyFunctionPtr)ptr)();
|
|
|
|
|
+
|
|
|
|
|
+ ASSERT_NOT_REACHED();
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
ASSERT_NOT_REACHED();
|
|
ASSERT_NOT_REACHED();
|
|
|
return 0;
|
|
return 0;
|
|
|
}
|
|
}
|
Andreas Kling