shinyquagsire23 / bootstrap

ARM11 Kernel from ninjhax

Calling SVC is not safe. #7

Open 173210 opened 9 years ago

173210 commented 9 years ago

We have SVC functions in C with __attribute__((naked)) and inline assembly.

int __attribute__((naked))
arm11_kernel_exploit_exec (int (*func)(void))
{
    __asm__ ("svc #8\n\t"   // CreateThread syscall, corrupted, args not needed
             "bx lr");
}

int __attribute__((naked))
arm11_kernel_execute(int (*func)(void))
{
    __asm__ ("svc #0x7B\n\t" // custom kernel-execution SVC; func arrives in r0 per the ABI
             "bx lr");
}

But they are not safe because they can be inlined. If inlined, the arguments will be completely ignored! We don't have many calls, so I suggest we remove those functions and write the SVCs directly. For example:

__asm__ volatile ("ldr a0, =%c0\n\t"  // load the address into r0 (a0)
                  "svc #8"            // CreateThread syscall
                  : /* no outputs */
                  : "i"(arm11_kernel_exploit_exec)
                  : "r0", "memory");
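The concern raised in this issue is that the naked wrappers never tell the compiler that func must be in r0 when the svc executes, so any inlining or register allocation decision can silently drop the argument. The following is an added example, not code from the bootstrap repository, showing a wrapper written with GCC extended asm that binds the argument and the return value to r0 explicitly and therefore stays correct whether or not it is inlined. SVC 0x7B and SVC 8 are the numbers the original wrappers use; the clobber list (r1-r3, r12, memory, flags) is an assumption based on AAPCS caller-saved registers; the names kfunc_t, sample_kfunc, sample_fail and the direct-call fallback used when the block is compiled on a non-ARM host are constructed for this example.

```c
#include <stdio.h>

typedef int (*kfunc_t)(void);

/* Extended-asm wrapper: the compiler knows func is an input in r0 and the
 * result is an output in r0, so the binding survives inlining.  Assumed clobbers
 * are the AAPCS caller-saved registers. */
static inline int arm11_kernel_execute(kfunc_t func)
{
#if defined(__arm__)
    register kfunc_t r0_arg __asm__("r0") = func; /* pin the argument to r0 */
    register int     r0_ret __asm__("r0");        /* result comes back in r0 */
    __asm__ volatile ("svc #0x7B"
                      : "=r"(r0_ret)
                      : "r"(r0_arg)
                      : "r1", "r2", "r3", "r12", "memory", "cc");
    return r0_ret;
#else
    /* Host-side stand-in (assumption for off-target builds): call func directly
     * so the argument pass-through and return path can still be exercised. */
    return func();
#endif
}

#if defined(__arm__)
/* Alternative for the CreateThread SVC: keep the naked form from the issue but
 * forbid inlining outright.  Only basic asm (no operands) is safe in a naked
 * function, which is why the argument cannot be named here. */
int __attribute__((naked, noinline))
arm11_kernel_exploit_exec(kfunc_t func)
{
    __asm__ volatile ("svc #8\n\t"
                      "bx lr");
}
#endif

/* Constructed sample callees standing in for kernel-mode payload functions. */
static int sample_kfunc(void) { return 42; }
static int sample_fail(void)  { return -1; }

int main(void)
{
    printf("arm11_kernel_execute(sample_kfunc) = %d\n", arm11_kernel_execute(sample_kfunc));
    printf("arm11_kernel_execute(sample_fail)  = %d\n", arm11_kernel_execute(sample_fail));
    return 0;
}
```

The key difference from the naked version is the register-asm variables: GCC and clang guarantee that an operand declared with __asm__("r0") occupies r0 at the asm statement, so the wrapper no longer relies on the function being called out-of-line with the argument already sitting in r0. The volatile qualifier keeps the svc from being removed or hoisted even though its result might appear unused.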

gudenau commented 9 years ago

Or use volatile; that will make it assemble as-is.

173210 commented 9 years ago

The problem is not the asm. Those functions are not inline-expanded because they don't have the static keyword. But once they get inline-expanded, the arguments will be completely ignored.

int __attribute__((naked))
arm11_kernel_execute(int (*func)(void)) // <- This is the problem.