Created
January 3, 2022 10:25
-
-
Save jakobrs/270243dc06bd33dccbd95e472477fea6 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| use std::error::Error; | |
| use libc::c_void; | |
| fn main() -> Result<(), Box<dyn Error>> { | |
| show_maps()?; | |
| let allocation = unsafe { allocate_cursed_ringbuffer(1) }; | |
| println!("{:p}", allocation); | |
| show_maps()?; | |
| unsafe { | |
| // dont do this | |
| let allocation_array: &mut [u128; 0x200] = &mut *(allocation as *mut _); | |
| println!("Contents of *entire* array: {:?}", allocation_array); | |
| allocation_array[0] = 0x100000000000004000000000; | |
| // UB, probably | |
| println!("Contents of *entire* array (again): {:?}", allocation_array); | |
| println!("array[0x100]: {:?}", allocation_array[0x100]); | |
| } | |
| Ok(()) | |
| } | |
| fn show_maps() -> std::io::Result<()> { | |
| println!("{}", std::fs::read_to_string("/proc/self/maps")?); | |
| Ok(()) | |
| } | |
| /// # Safety | |
| /// | |
| /// It's literally got "cursed" in it's name, of course it's unsafe | |
| pub unsafe fn allocate_cursed_ringbuffer(page_count: usize) -> *mut c_void { | |
| let page_size = 0x1000; // Probably | |
| let allocation = libc::mmap( | |
| std::ptr::null_mut(), | |
| 2 * page_count * page_size, | |
| libc::PROT_READ | libc::PROT_WRITE, | |
| libc::MAP_SHARED | libc::MAP_ANONYMOUS, | |
| 0, | |
| 0, | |
| ); | |
| // evil self-overwriting mremap call | |
| libc::mremap( | |
| allocation, | |
| 0, | |
| page_count * page_size, | |
| libc::MREMAP_FIXED | libc::MREMAP_MAYMOVE, | |
| allocation.add(page_count * page_size), | |
| ); | |
| allocation | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment