Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aarch64 pwnlib.shellcraft.pushstr_array() casuses bus error #2284

Closed
elay108 opened this issue Sep 29, 2023 · 1 comment · Fixed by #2161
Closed

aarch64 pwnlib.shellcraft.pushstr_array() casuses bus error #2284

elay108 opened this issue Sep 29, 2023 · 1 comment · Fixed by #2161
Labels
backport-required bug

Comments

@elay108
Copy link

elay108 commented Sep 29, 2023

Hey,
The pwnlib.shellcraft.pushstr_array() causes stack misalignment when pushing pointes and causes a bus error when executed.

As seen here:

For AArch64, sp must be 16-byte aligned whenever it is used to access memory.
This is enforced by AArch64 hardware.

However, the code generated by pwnlib.shellcraft.pushstr_array() causes sp to be misaligned by 8.
Here's the output of the function:
carbon

The bug happens at line 14, and the bus error is thrown at line 19. Line 14 uses str register to memory with an exclamation mark, thus causing sp to be misaligned by 8 bytes when pushing the first pointer. At line 19, there's another usage of str register to memory to push the second pointer, when sp is misaligned, thus throwing a bus error. This should be fixed by not "pushing" the pointers to the stack, but rather allocating 16-byte aligned memory on the stack (decreasing sp), then writing the pointers without modifying sp, and then adding a null byte padding if necessary.
@Arusekk Arusekk linked a pull request Oct 1, 2023 that will close this issue
basic darwin support for shellcrafter #2161
Merged
@Arusekk Arusekk mentioned this issue Oct 1, 2023
Merged
@peace-maker
Copy link
Member

This seems like a duplicate of #2160

patryk4815 added a commit to patryk4815/pwntools that referenced this issue Jan 3, 2024
@patryk4815
fix aarch64: mov, pushstr, pushstr_array
15748d0 
fixes:
- Gallopsled#2160
- Gallopsled#2284
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
backport-required bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

basic darwin support for shellcrafter patryk4815/pwntools
2 participants
@peace-maker @elay108