File: 2025_09_27.jpg (997 KB, 2480x3506)
previous: >>107833909

#define __NR_mmap                9


this is probably my favorite syscall of all time. we could spend weeks discussing this alone. it is extremely powerful, versatile, and widely used. not to mention, it's one of the (somewhat) rare six-argument syscalls. some potential points of discussion:
> the addr argument, and its use without flags, with MAP_FIXED, and with MAP_FIXED_NOREPLACE
> file-backed vs anonymous mappings
> the concept of pages, page sizing, and alignment
> guard pages and PROT_NONE
> the actual meaning of SIGSEGV, and how there's more to segfaults than simply process crashes
> core dumps and stack traces
> other related signals, such as SIGBUS
> MAP_GROWSDOWN and the stack
> the use of mmap (as opposed to brk) for allocation via the *alloc family
> manual memory management vs an allocation scheme
> should PROT_WRITE and/or PROT_EXEC imply PROT_READ?
> the relationship between memory maps across processes after calls to clone/fork/etc
> and so on

relevant resources:
man man

man syscalls

https://man7.org/linux/man-pages/
https://linux.die.net/man/
https://elixir.bootlin.com/linux/
https://elixir.bootlin.com/musl/
https://elixir.bootlin.com/glibc/
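Several of the OP's bullets in one runnable piece: a PROT_NONE guard page, page alignment, and what SIGSEGV actually carries (si_addr) when it is caught rather than left to kill the process. This is an added example, not code from the thread; it assumes Linux with glibc and that the process is allowed to install its own SIGSEGV handler.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
static sigjmp_buf fault_env;          /* where the handler unwinds to */
static void *volatile fault_addr;     /* si_addr recorded by the handler */
/* SIGSEGV handler: note the faulting address, then unwind to sigsetjmp.
 * Returning normally would just re-execute the faulting store forever. */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    fault_addr = si->si_addr;
    siglongjmp(fault_env, 1);
}
/* One usable page followed by one PROT_NONE guard page. Returns 1 if a
 * write one byte past the usable page faulted with si_addr == guard page,
 * 0 if it did not fault where expected, -1 on setup failure. */
int guard_page_demo(void)
{
    const size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;          /* we want siginfo_t, not just the number */
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0)
        return -1;
    volatile uint8_t *buf = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) { sigaction(SIGSEGV, &old, NULL); return -1; }
    /* second page: no access at all, so any touch is a fault, not silent corruption */
    if (mprotect((void *)(buf + pg), pg, PROT_NONE) != 0) {
        munmap((void *)buf, 2 * pg); sigaction(SIGSEGV, &old, NULL); return -1;
    }
    int result = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        buf[pg - 1] = 0x41;           /* last byte of the usable page: fine */
        buf[pg] = 0x42;               /* first byte of the guard page: SIGSEGV */
    } else {
        result = ((uint8_t *)fault_addr == (uint8_t *)buf + pg);
    }
    munmap((void *)buf, 2 * pg);
    sigaction(SIGSEGV, &old, NULL);    /* restore whatever was there before */
    return result;
}
```

This is the same mechanism the kernel uses for the stack guard gap and that allocators use to catch overruns early; the difference is only who installs the handler.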
>>
based syscall of the day poster
>>
>>107841368
hanging in there
>>
bampu
>>
bompe
>>
reddit
>>
what a shit useless thread
>>
mmap is fun, i realized the other day that you can run dynamically generated assembly using the PROT_EXEC flag
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>

// I compiled this previously using compiler explorer
// int times2(int val);
static const uint8_t buff[] = {
    // lea eax, [rdi+rdi*1]
    0x8d, 0x04, 0x3f,
    // ret
    0xc3,
};

// copy raw machine code into a fresh writable+executable anonymous mapping
static void* make_dynamic_func(const void* data, size_t sz) {
    // fd is -1 for MAP_ANONYMOUS (Linux ignores it, other systems do not)
    void* ptr = mmap(NULL, sz, PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (ptr == MAP_FAILED)
        return NULL;
    memcpy(ptr, data, sz);
    return ptr;
}

int main() {
    int (*times2)(int val) = make_dynamic_func(buff, sizeof(buff));
    if (!times2)
        return 1;
    int value = times2(2);
    printf("%d\n", value); // prints 4
}
>>
ops_mum = open("/dev/mum/op", O_RDWR);
mmap(my_bedroom, 0, PROT_WRITE, MAP_SHARED, ops_mum, 0);
>>
>>107842351
1) at that point, it's machine code, not assembly :) not many can say they have handwritten machine code! it's quite cool
2) you can do it other ways, too, like with execstack or mprotect
>>
>>107842351
Can't wait for Cniles to pump their fizzbuzz full of RCEs to own the rustrannies.
>>
>>107842351
>>107842381
if i can make some gentle suggestions, though:
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/** x86_64 machine code for `int times2(int x)` */
static const uint8_t times2_impl[] = {
    // lea eax, [rdi+rdi*1]
    0x8d, 0x04, 0x3f,
    // ret
    0xc3,
};

static void *_make_dynamic_times2(const void *const data, size_t size)
{
    const int rw = PROT_READ | PROT_WRITE;
    const int rx = PROT_READ | PROT_EXEC;
    const int flags = MAP_PRIVATE | MAP_ANONYMOUS;
    const size_t len = size; /* bytes actually present in `data` */

    int ret = -1;
    void *map = MAP_FAILED;

    /* round the mapping up to whole pages; mprotect works at page granularity */
    size = ((size + (getpagesize() - 1)) / getpagesize()) * getpagesize();
    map = mmap(NULL, size, rw, flags, -1, 0);
    if (map == MAP_FAILED)
    {
        return NULL;
    }

    /* copy only `len` bytes: copying the rounded `size` would read past the end of `data` */
    (void)memcpy(map, data, len);
    /* write first, then swap write for exec: the mapping is never rwx */
    ret = mprotect(map, size, rx);
    if (ret != 0)
    {
        (void)munmap(map, size);
        return NULL;
    }

    return map;
}

int main()
{
    int (*times2)(int) = NULL;
    int doubled = -1;

    times2 = _make_dynamic_times2(times2_impl, sizeof(times2_impl));
    if (!times2)
    {
        return -1;
    }

    doubled = times2(2);
    printf("%d\n", doubled); // want `4`
    return (doubled == (2 * 2) ? 0 : -1);
}

apologies for any formatting errors; i am a dirty phoneposter
>>
>>107842552
looks a whole lot better, i didn't bother with the page size just to show the main idea
wouldn't the mprotect be redundant if we already set PROT_EXEC when calling mmap? or is there a difference?
>>
>>107842661
if you look closely, the first one is rw, while the second is rx :)
this is just because it's best practice to avoid leaving rwx mappings lying around. not really a big deal in this toy example, though
>>
i'm quite surprised that poll seemed to attract more attention than mmap. i guess maybe not everyone is as fond of it as i am
>>
File: tei_dumb.jpg (19 KB, 250x251)
>>107842742
oh i didn't notice that lmao
i'm curious, how common is it to find vulnerabilities related to executable memory pages?
>>
>>107842984
i remember there was one mmap schizo around here sometimes, he might show up later if he's not on vacation
>>
>>107843002
these days, probably pretty rare. it's uncommon for developers to have to use mmap manually in production software, so in most cases they never even have the opportunity to fuck it up. for those who do decide to use it, they ideally know what they're doing and so are a bit more careful about it
a lot of JIT compilers face these and similar issues, though, if that's something that interests you
>>107843030
that would be... interesting. i hesitate to say nice, since you describe him as a schizo.....
>>
>>107843002
>>107843052
specifically, https://en.wikipedia.org/wiki/Just-in-time_compilation#Security
> ... arbitrary memory cannot be executed, as otherwise there is a potential security hole. Thus memory must be marked as executable; for security reasons this should be done after the code has been written to memory, and marked read-only ...
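The rw-then-rx advice earlier in the thread and the JIT quote above both come down to "no page should be writable and executable at the same time". Here is an added example (not any poster's code) that audits the running process's own /proc/self/maps for such pages, the check you would run in a test harness or a sandbox health probe. It assumes Linux (the /proc/self/maps line format) and that the environment permits a PROT_EXEC anonymous mapping.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Count this process's mappings whose permissions are rwx, i.e. the W^X
 * violations a JIT or loader should not leave behind. -1 if unreadable. */
int count_rwx_mappings(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    char line[512], perms[8];
    int n = 0;
    /* each line looks like: "start-end perms offset dev inode [path]" */
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%*lx-%*lx %7s", perms) == 1 && strncmp(perms, "rwx", 3) == 0)
            n++;
    }
    fclose(f);
    return n;
}
/* Maps a page rwx the lazy way, audits, then demotes it to r-x as the thread
 * recommends and audits again. Returns 1 if the audit saw exactly one extra
 * rwx mapping while it existed and none afterwards, else 0. */
int wx_audit_demo(void)
{
    const size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    int before = count_rwx_mappings();
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (before < 0 || p == MAP_FAILED)
        return 0;
    int during = count_rwx_mappings();       /* the lazy mapping shows up here */
    if (mprotect(p, pg, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, pg);
        return 0;
    }
    int after = count_rwx_mappings();        /* and is gone once demoted */
    munmap(p, pg);
    return during == before + 1 && after == before;
}
int main(void)
{
    printf("rwx mappings now: %d\n", count_rwx_mappings());
    printf("audit demo %s\n", wx_audit_demo() ? "ok" : "FAILED");
    return 0;
}
```

A healthy non-JIT process normally reports zero; a non-zero count in production is worth a look even before anyone has exploited it.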