<p>I have written the below assembly code to test XN bit support on an ARM target.</p>
<pre><code>.text
.global _start
_start:
    mov r0, #1              @ r0 = 1 (stdout)
    add r1, pc, #20         @ r1 = address of the string
    mov r2, #12             @ r2 = strlen(string)
    mov r7, #4              @ syscall number for write
    svc 0x0
    mov r0, #0              @ r0 = exit status
    mov r7, #1              @ syscall number for exit
    svc 0x0
    .asciz "Hello world\n "
</code></pre>
<p>Generating machine code from assembly:</p>
<pre><code>arm-linux-gnueabi-gcc -c -o arm_hello.o arm_hello.s
arm-linux-gnueabi-ld arm_hello.o -o arm_hello
</code></pre>
<p>Disassembly of section .text:</p>
<pre><code>root@oss:shellcode_2# arm-linux-gnueabi-objdump -d arm_hello

arm_hello:     file format elf32-littlearm

Disassembly of section .text:

00008054 &lt;_start&gt;:
    8054:   e3a00001    mov     r0, #1
    8058:   e28f1014    add     r1, pc, #20
    805c:   e3a0200c    mov     r2, #12
    8060:   e3a07004    mov     r7, #4
    8064:   ef000000    svc     0x00000000
    8068:   e3a00000    mov     r0, #0
    806c:   e3a07001    mov     r7, #1
    8070:   ef000000    svc     0x00000000
    8074:   6c6c6548    .word   0x6c6c6548
    8078:   6f77206f    .word   0x6f77206f
    807c:   0a646c72    .word   0x0a646c72
    8080:   00202020    .word   0x00202020
</code></pre>
<p>Final shellcode in C:</p>
<pre><code>#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;asm/unistd.h&gt;

typedef void (*fptr) (void);

int main (void)
{
    /* the machine code from arm_hello above, followed by the string it writes */
    unsigned char hellocode[] =
        "\x01\x00\xa0\xe3\x14\x10\x8f\xe2"
        "\x0c\x20\xa0\xe3\x04\x70\xa0\xe3"
        "\x00\x00\x00\xef\x00\x00\xa0\xe3"
        "\x01\x70\xa0\xe3\x00\x00\x00\xef"
        "hello world\n \0";
    unsigned char buffcode[256] __attribute__ ((aligned (32)));
    fptr func;

    /* copy the whole array (code + string + terminator), not a hard-coded length */
    memcpy (buffcode, hellocode, sizeof hellocode);
    /* Convert the pointer to a function pointer */
    func = (fptr) buffcode;
    /* flush contents of instruction and/or data cache for the copied range */
    syscall (__ARM_NR_cacheflush, buffcode, buffcode + sizeof hellocode, 0);
    /* Call the code in the buffer */
    (*func) ();
    return 0;
}
</code></pre>
<p><strong>Case 1: When the stack is executable:</strong></p>
<p>Compilation of program:</p>
<pre><code>root@oss:shellcode_ final# arm-linux-gnueabi-gcc stack.c -z execstack -o stack_RWX
</code></pre>
<p>Reading the ELF header:</p>
<pre><code>root@oss:shellcode_final# arm-v7a9v3r0-linux-gnueabi-readelf -l stack_RWX

Elf file type is EXEC (Executable file)
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
</code></pre>
<p>Running the program: As the stack here is executable, the XN bit will be cleared (0), and the program will run normally.</p>
<pre><code>ARM_Target#&gt; ./stack_RWX
hello world
</code></pre>
<p><strong>Case 2: When the stack is non-executable:</strong></p>
<p>Compilation of program:</p>
<pre><code>root@oss:shellcode_ final# arm-v7a15v3r1-linux-gnueabi-gcc stack.c -o stack_RW
</code></pre>
<p>Reading the ELF header:</p>
<pre><code>root@oss:shellcode_final# arm-linux-gnueabi-readelf -l stack_RW

Elf file type is EXEC (Executable file)
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
</code></pre>
<p>Running the program: As the XN bit is set here (it is 1), we will get a segmentation fault in each case.</p>
<pre><code>ARMtarget#&gt; ./stack_RW
[   39.092000] stack_RW: unhandled page fault (11) at 0xbeca8760, code 0x8000000f
[   41.000000] [VDLP COREDUMP] SIGNR:11
Segmentation fault (core dumped)
</code></pre>
<p><strong>Patch for disabling the XN bit in ARM:</strong> I have created a patch. In this patch we comment out a section of assembly code. This is done in arch/arm/mm/proc-v7.S</p>
<pre><code>#ifdef CONFIG_XN_SUPPORT
    tst     r1, #L_PTE_XN
    orrne   r3, r3, #PTE_EXT_XN
#endif
</code></pre>
<p>If I deselect the CONFIG_XN_SUPPORT option, the PTE_EXT_XN bit will always be 0. So all binaries will be executed, whether the stack is executable or not.</p>
<p>Running the program:</p>
<pre><code>ARM_Target#&gt; ./stack_RWX
hello world
ARM_Target#&gt; ./stack_RW
hello world
</code></pre>
<p><strong>Conclusion:</strong><br> The XN bit is supported in Cortex-A15 ARMv7.</p>
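As an added example (not code from the post), the GNU_STACK check that readelf -l performs above, done in C so it can be scripted across every binary on an ARM target: a bounds-checked ELF32 program-header parser that reports whether PT_GNU_STACK carries PF_X (the RWE versus RW difference between stack_RWX and stack_RW), a file wrapper, and a constructed sample image for offline testing. The names gnu_stack_policy, gnu_stack_policy_file and build_sample_elf32 are mine; a binary with no PT_GNU_STACK header is only flagged for review, since the kernel decides its default.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_GNU_STACK 0x6474e551u   /* p_type of the stack-permission program header */
#define PF_X 1u                    /* execute bit in p_flags: readelf prints RWE vs RW */
enum stack_policy { STACK_BAD = -2, STACK_NO_HEADER = -1, STACK_NX = 0, STACK_EXEC = 1 };
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Classify an ELF32 little-endian image by the p_flags of its PT_GNU_STACK header. Every
 * offset is bounds-checked against len, so a truncated or malformed file cannot push the
 * audit past the end of the buffer. */
int gnu_stack_policy(const uint8_t *img, size_t len) {
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0) return STACK_BAD;
    if (img[4] != 1 || img[5] != 1) return STACK_BAD;    /* ELFCLASS32 + ELFDATA2LSB only */
    uint32_t phoff = rd32(img + 28);                     /* e_phoff */
    uint16_t phentsize = img[42] | img[43] << 8, phnum = img[44] | img[45] << 8;
    if (phentsize < 32) return STACK_BAD;                /* smaller than an Elf32_Phdr */
    for (uint16_t i = 0; i < phnum; i++) {
        size_t off = (size_t)phoff + (size_t)i * phentsize;
        if (off + 32 > len) return STACK_BAD;            /* phdr table runs past the data */
        if (rd32(img + off) == PT_GNU_STACK)             /* p_type */
            return (rd32(img + off + 24) & PF_X) ? STACK_EXEC : STACK_NX;   /* p_flags */
    }
    return STACK_NO_HEADER;  /* no header: the kernel applies its default, so flag for review */
}

/* Audit a real binary (e.g. stack_RWX or stack_RW). The phdr table sits at the start of the
 * file, so only the first 64 KiB is read; a table beyond that is reported as STACK_BAD. */
int gnu_stack_policy_file(const char *path) {
    static uint8_t buf[65536];
    FILE *f = fopen(path, "rb");
    if (!f) return STACK_BAD;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return gnu_stack_policy(buf, n);
}

/* Constructed sample: a minimal ELF32 image (52-byte header + one PT_GNU_STACK phdr) so
 * the classifier can be exercised offline without a real ARM binary. Returns bytes written. */
size_t build_sample_elf32(uint8_t *buf, size_t cap, uint32_t stack_flags) {
    if (cap < 84) return 0;
    memset(buf, 0, 84);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 1; buf[5] = 1;            /* 32-bit, little-endian, like arm_hello above */
    wr32(buf + 28, 52);                /* e_phoff: phdr table right after the header */
    buf[42] = 32; buf[44] = 1;         /* e_phentsize = 32, e_phnum = 1 */
    wr32(buf + 52, PT_GNU_STACK);
    wr32(buf + 52 + 24, stack_flags);  /* 7 = RWE like stack_RWX, 6 = RW like stack_RW */
    return 84;
}
```

Calling gnu_stack_policy_file on each binary and treating STACK_EXEC or STACK_NO_HEADER as a finding gives the same verdict the readelf output above shows by hand, with no dependence on the toolchain being installed on the target.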