Copying part of the stack and using mmap to map it to the current process

I want my program to do the following:

1. Open a new file.
2. Copy a (page-aligned) portion of the stack that includes the current frame pointer address to the file.
3. Map the contents of the file back into the p开发者_开发知识库rocess's address space in the same range as that of the original portion of the stack, so that the process will use the file for that part of its stack rather than the region of memory the system had originally allocated to it for the stack.

Below is my code. I am getting a segmentation fault on the call to mmap, specifically where mmap makes the system call with vsyscall. (I am working with gcc 4.4.3, glibc 2.11.1, under Ubuntu Server (x86-64). I have compiled and run both with 64-bit and 32-bit configurations, with the same results.

#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <assert.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>

#define PAGE_SIZE 0x1000
#define FILENAME_LENGTH 0x10
#if defined ARCH && ARCH == 32
#define PAGE_SIZE_COMPLEMENT 0xfffff000
#define UINT uint32_t
#define INT int32_t
#define BP "ebp"
#define SP "esp"
#define X_FORMAT "%x"
#else
#define PAGE_SIZE_COMPLEMENT 0xfffffffffffff000
#define UINT uint64_t
#define INT int64_t
#define BP "rbp"
#define SP "rsp"
#define X_FORMAT "%lx"
#endif
#define PAGE_ROUND_UP(v) (((v) + PAGE_SIZE - 1) & PAGE_SIZE_COMPLEMENT)
#define PAGE_ROUND_DOWN(v) ((v) & PAGE_SIZE_COMPLEMENT)


UINT stack_low, stack_high, stack_length;

void find_stack_high(void) {

    UINT bp = 0;
    UINT raw_stack_high = 0;

    /* Set the global stack high to the best
     * approximation.
     */

    asm volatile ("mov %%"BP", %0" : "=m"(bp));
    while (bp) {
        raw_stack_high = bp;
        bp = *(UINT *)bp;
    }
    stack_high = PAGE_ROUND_UP(raw_stack_high);
}


int file_create(void) {

    int fd;
    char filename[FILENAME_LENGTH];

    strcpy(filename, "tmp.XXXXXX");
    fd = mkstemp(filename);
    if (fd == -1) {
        perror("file_create:mkstemp");
        exit(EXIT_FAILURE);
    }

    unlink(filename);  
    return fd;
}


int main(void) {


    int fd, bytes_written;
    UINT bp;
    off_t offset;

    printf("In main\n");

    fd = file_create();
    printf("fd %d\n", fd);

    find_stack_high();

    // Get the current frame pointer.

    asm volatile ("mov %%"BP", %0" : "=m" (bp));

    // Store page boundary below 
    // frame pointer as end of potentially shared stack.

    stack_low = PAGE_ROUND_DOWN(bp);
    stack_length = stack_high - stack_low;

    printf("start "X_FORMAT"   end "X_FORMAT"   length "X_FORMAT"\n",
           stack_low, stack_high, stack_length);

    bytes_written = 
        write(fd, (const void *)stack_low, PAGE_SIZE);
    if (bytes_written != PAGE_SIZE) {
        perror("main: write");
        fprintf(stderr, "Num bytes: %x\n", bytes_written);
        exit(EXIT_FAILURE);
    }

    offset = 0;

    if (mmap((void *)stack_low, PAGE_SIZE, PROT_READ | PROT_WRITE,
         MAP_SHARED | MAP_FIXED | MAP_GROWSDOWN, fd, offset) ==
        MAP_FAILED) {
        perror("file_copy: mmap");
        exit(EXIT_FAILURE);
    }

    close(fd);

    return EXIT_SUCCESS;
}

Thanks!

---

The stack changes (e.g. the return address for the mmap call) after you copied it. I can think of 2 possible ways around this:

1. Write asm that doesn't need the stack to perform the new mapping.
2. Call into a function with some huge local data so that the working stack is on a different page from the pages you're mapping over. Then, you could map over the lower addresses with a second call to mmap once this function returns.

Whatever you do, this is a horrible hack and probably a bad idea..

---

Tried turning on execute permission? In any case, the symptom suggests that you've managed to map in over the top of the stack, destroying the return pointer.