Skip to content

Instantly share code, notes, and snippets.

@quant61

quant61/call_nil_func.go

Last active January 15, 2023 19:48
Show Gist options
  • Save quant61/419fc25cbbe462749d802511d0bff112 to your computer and use it in GitHub Desktop.
Save quant61/419fc25cbbe462749d802511d0bff112 to your computer and use it in GitHub Desktop.
Download ZIP
Allocating on zero example
Raw
readme.md

Example of allocating zero page

With root it's possible to allocate a page on zero address

If a page on zero is allocated, access to nil pointer doesn't trigger segv, so some code starts behaving in a strange way.

nil pointers start showing some data which is shared between all of them.

Thanks to this post https://t.me/gepardchan/8

Raw
call_nil_func.go
package main
import (
"fmt"
"golang.org/x/sys/unix"
)
func main(){
_, _, e := unix.Syscall6(
unix.SYS_MMAP,
0,
0x1000,
unix.PROT_READ|unix.PROT_WRITE|unix.PROT_EXEC,
unix.MAP_ANON|unix.MAP_FIXED|unix.MAP_PRIVATE,
0,
0,
)
if e != 0 {
panic(e)
}
var f func()
f()
}
Raw
error.txt
unexpected fault address 0x1000
fatal error: fault
[signal SIGSEGV: segmentation violation code=0x1 addr=0x1000 pc=0x1000]
goroutine 1 [running]:
runtime.throw({0x475f68?, 0xc000108f08?})
/usr/lib/go-1.18/src/runtime/panic.go:992 +0x71 fp=0xc000108ed0 sp=0xc000108ea0 pc=0x42db71
runtime.sigpanic()
/usr/lib/go-1.18/src/runtime/signal_unix.go:825 +0x2ec fp=0xc000108f20 sp=0xc000108ed0 pc=0x44162c
main.main()
/mnt/tmpfs/gotmp1/0.go:24 +0x6d fp=0xc000108f80 sp=0xc000108f20 pc=0x46302d
runtime.main()
/usr/lib/go-1.18/src/runtime/proc.go:250 +0x212 fp=0xc000108fe0 sp=0xc000108f80 pc=0x430292
runtime.goexit()
/usr/lib/go-1.18/src/runtime/asm_amd64.s:1571 +0x1 fp=0xc000108fe8 sp=0xc000108fe0 pc=0x457041
exit status 2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment