shinyquagsire23/bootstrap

Calling SVC is not safe.

Opened this issue · 2 comments

We have SVC functions in C with __attribute__((naked)) and inline assembly.

int __attribute__((naked))
arm11_kernel_exploit_exec (int (*func)(void))
{
    __asm__ ("svc 8\t\n" // CreateThread syscall, corrupted, args not needed
             "bx lr\t\n");
}

int __attribute__((naked))
arm11_kernel_execute(int (*func)(void))
{
    __asm__ ("svc #0x7B\t\n"
             "bx lr\t\n");
}

But they are not safe because they can be inlined.
If inlined, the arguments will be completely ignored!
We don't have so many calls, so I suggest we remove those functions and write directly.
For example:

__asm__ volatile ("mov r0, %0\n\t"
                  "svc #8\n\t"
                  :
                  : "r"(arm11_kernel_exploit_exec)
                  : "r0", "memory");

Or use volatile, which will make it assemble as-is.

The problem is not asm.
Those functions are not inline-expanded because they don't have a static suffix. But once they get inline-expanded, the arguments will be completely ignored.

int __attribute__((naked))
arm11_kernel_execute(int (*func)(void)) // <- This is the problem.
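An added example, not code from this thread or from the bootstrap project, showing the pattern that removes the hazard discussed above: instead of a naked function whose asm silently assumes the argument is already in r0, bind the argument to r0 with an explicit register variable and pass it to a volatile asm statement as an operand. The compiler then has to place the value in r0 before the svc whether or not the wrapper is inlined, and volatile keeps the svc from being dropped or reordered. The names (arm11_svc_execute, sample_payload, demo_execute) and the svc number are assumptions taken from the numbers in this thread; the non-ARM branch is a host-side simulation so the argument plumbing can be checked with an ordinary compiler.

```c
#include <stdint.h>

/* Hypothetical names; not the project's own API. */
typedef int (*kfunc_t)(void);

#if defined(__arm__)
/*
 * Safe syscall wrapper.
 *
 * The naked-function version relies on the caller having left `func` in r0
 * and on the function never being inlined; inline it and the asm still
 * executes `svc` but with whatever happens to be in r0.
 *
 * Here the operand is bound to r0 explicitly, so the compiler must
 * materialise `func` in r0 immediately before the asm runs, inlined or not.
 * "+r" makes r0 both input and output (the kernel's result comes back in r0);
 * the remaining clobbers cover registers a kernel call may scribble on.
 */
static inline int arm11_svc_execute(kfunc_t func)
{
    register int r0 __asm__("r0") = (int)(intptr_t)func;
    __asm__ volatile ("svc #0x7B"          /* svc number from the thread (assumed) */
                      : "+r"(r0)
                      :
                      : "r1", "r2", "r3", "r12", "memory", "cc");
    return r0;
}
#else
/*
 * Host build: there is no ARM11 kernel to call into, so the "kernel" is
 * simulated by simply invoking the function pointer. This branch exists only
 * so the wrapper's argument handling can be exercised on a normal machine.
 */
static int svc_simulated_kernel(kfunc_t func)
{
    return func ? func() : -1;     /* -1: the kernel got no function pointer */
}

static inline int arm11_svc_execute(kfunc_t func)
{
    return svc_simulated_kernel(func);
}
#endif

/* Constructed payload: returns a recognisable value so the test can tell
 * whether the argument actually reached the kernel side. */
static int sample_payload(void)
{
    return 42;
}

/* Calls the wrapper through a context where the compiler is free to inline
 * it; with explicit operands the argument survives inlining. */
int demo_execute(void)
{
    return arm11_svc_execute(sample_payload);
}

int main(void)
{
    return demo_execute() == 42 ? 0 : 1;
}
```

On a real ARM11 target only the first branch is compiled; `-O2` may inline `arm11_svc_execute` into `demo_execute`, and the register-variable binding is precisely what keeps that inlining from discarding the argument. A `__attribute__((noinline))` on a naked wrapper also avoids the failure, but it still leaves the asm silently dependent on the ABI rather than stating its inputs to the compiler.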