Ok, that's close to what I was testing (one of the examples from the
crashme docs).
Yeah, by default, it won't do a mprotect(), so as far as I can tell,
you're always going to hit NX on a writable data page. I'm running with
the appended patch.
That said, I didn't actually *check* that the mprotect makes any
difference, and maybe you have one of the early EM64T chips that didn't
have NX support at all. Or maybe it's dodgy, and is actually the whole
*reason* for the page fault problem..
I don't have any P4's capable of 64-bit operation (nor do I really want
any ;)
Linus
---
diff --git a/crashme.c b/crashme.c
index 5e7e663..19a2fbb 100644
--- a/crashme.c
+++ b/crashme.c
@@ -1,3 +1,5 @@
+#define pyr
+#define PAGSIZ 4096
/* crashme: Create a string of random bytes and then jump to it.
crashme [+]<nbytes>[.inc] <srand> <ntrys> [nsub] [verboseness] */
@@ -143,7 +145,6 @@ a script.
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/param.h>
-#include <sys/vmmac.h>
#define strchr index
#endif
@@ -215,7 +216,7 @@ unsigned char *bad_malloc(n)
{unsigned char *data;
data = (unsigned char *) malloc(n);
#ifdef pyr
- if (mprotect(((int)data/PAGSIZ)*PAGSIZ, (n/PAGSIZ+1)*PAGSIZ,
+ if (mprotect(((long)data/PAGSIZ)*PAGSIZ, (n/PAGSIZ+1)*PAGSIZ,
PROT_READ|PROT_WRITE|PROT_EXEC))
perror("mprotect");
#endif
@@ -259,11 +260,8 @@ void my_signal(sig, func)
signal(sig, func);
#else
struct sigaction act;
+ memset(&act, 0, sizeof(act));
act.sa_handler = func;
- act.sa_mask = 0;
-#ifdef linux
- act.sa_restorer = 0;
-#endif /* linux */
act.sa_flags = SA_NOMASK;
#ifdef SA_RESTART
act.sa_flags |= SA_RESTART;
-
