I am suddenly curious about something.
Shared libraries such as glibc (in Linux) and kernel32.dll (in Windows) are physically shared among processes. However, since these libraries are located (mapped) in the user virtual memory address space, I think a malicious process could change the access property of the shared library memory region to write-enabled and mess up all of its contents to crash every other process sharing them.
I performed the following experiment in Linux, and the system didn't crash.
Below is my test source code.
meltdown@ubuntu:/tmp$ cat a.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>

int g = 0;                                   /* a global, printed only to show where .data lives */

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <hex load address of libc.so.6>\n", argv[0]);
        return 1;
    }
    /* argv[1] is the load address of libc.so.6 as reported by ldd */
    int *a = (int *)strtoul(argv[1], 0, 16);
    printf("globals : %p\n", (void *)&g);
    printf("a : %p\n", (void *)a);

    /* make the first page of the libc mapping readable, writable and executable */
    if (mprotect(a, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        perror("mprotect");
        return 1;
    }

    /* overwrite 0x3f0 ints (0xfc0 bytes) of that page with zeros */
    int i;
    for (i = 0; i < 0x3f0; i++) {
        *(a + i) = 0;
    }
    printf("done?\n");
    while (1);                               /* keep the process and its mapping alive */
    return 0;
}
meltdown@ubuntu:/tmp$
Before I ran this program, I located the virtual address of libc.so.6
(I set my kernel not to use ASLR).
meltdown@ubuntu:/tmp$ ldd a
linux-gate.so.1 => (0xb7fff000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e37000)
/lib/ld-linux.so.2 (0x80000000)
After confirming the address of libc, I tried to overwrite some part of it with NULLs.
meltdown@ubuntu:/tmp$ ./a 0xb7e37000
globals : 0x804a030
a : 0xb7e37000
done?
^C
meltdown@ubuntu:/tmp$
Since libc is shared in physical memory, I assumed that if I successfully overwrote the memory of libc, the system would crash. However, the system is just fine.
I think something happened here that prevented what I intended.
Can someone explain to me why the system did not crash?
Thank you in advance.
PS. I am not talking about NX or DEP, please don't confuse them. I am talking about overwriting the shared library memory region with full access permission (say, a root process uses mprotect(..., ..., PROT_READ|PROT_WRITE|PROT_EXEC)...).
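An added example, not code from the question above: the same mprotect-then-write experiment rerun against a scratch file instead of libc.so.6, with a check of where the write actually lands. ld.so maps a shared library's segments MAP_PRIVATE, so the first write after mprotect() is copy-on-write and the writing process gets its own copy of the page; neither the file nor any other mapping of that page sees the zeros. A MAP_SHARED mapping is included for contrast. It assumes Linux with a writable /tmp and a 4096-byte page, and leaves PROT_EXEC out so it also runs on a noexec /tmp. The file name, the fill byte and the helper name write_through_mapping are all invented for this demo.

```c
/* Added example, not code from the question: the mprotect-then-write
 * experiment against a scratch file, with a check of where the write
 * ends up. Assumptions: Linux/POSIX, a writable /tmp, a 4096-byte
 * page; PROT_EXEC is omitted so this also runs on a noexec /tmp. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PAGE 4096

/* Map one page of a constructed file (filled with 'A') read-only using
 * `flags` (MAP_PRIVATE or MAP_SHARED), make it writable with mprotect(),
 * zero it through the mapping, and report what changed.
 * Returns -1 on a setup error; otherwise a bit mask:
 *   bit 0: the writer's own view changed (the write took effect)
 *   bit 1: the file contents changed (seen via pread on the fd)
 *   bit 2: a second, untouched MAP_PRIVATE view of the page changed */
int write_through_mapping(int flags) {
    char path[] = "/tmp/cow-demo-XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);                  /* O_RDWR, so MAP_SHARED may be written */
    if (fd < 0) return -1;
    unlink(path);                            /* the file lives only while fd is open */

    unsigned char fill[PAGE];
    memset(fill, 'A', PAGE);
    if (write(fd, fill, PAGE) != PAGE) { close(fd); return -1; }

    unsigned char *target  = mmap(NULL, PAGE, PROT_READ, flags, fd, 0);
    unsigned char *witness = mmap(NULL, PAGE, PROT_READ, MAP_PRIVATE, fd, 0);
    if (target == MAP_FAILED || witness == MAP_FAILED) {
        if (target != MAP_FAILED) munmap(target, PAGE);
        if (witness != MAP_FAILED) munmap(witness, PAGE);
        close(fd);
        return -1;
    }

    /* The question's step: flip the read-only page to writable. */
    int result = 0;
    if (mprotect(target, PAGE, PROT_READ | PROT_WRITE) != 0) {
        result = -1;
    } else {
        memset(target, 0, PAGE);   /* on MAP_PRIVATE this first write is copy-on-write */

        unsigned char file_byte = 'A';
        if (target[0] != 'A') result |= 1;
        if (pread(fd, &file_byte, 1, 0) == 1 && file_byte != 'A') result |= 2;
        if (witness[0] != 'A') result |= 4;
    }

    munmap(target, PAGE);
    munmap(witness, PAGE);
    close(fd);
    return result;
}

int main(void) {
    printf("MAP_PRIVATE: %d (1 = only the writer's own copy changed)\n",
           write_through_mapping(MAP_PRIVATE));
    printf("MAP_SHARED : %d (file and other views changed too)\n",
           write_through_mapping(MAP_SHARED));
    return 0;
}
```

The MAP_PRIVATE run reports 1: the zeros are visible only in the mapping that was written, exactly the situation of the libc page in the question. The MAP_SHARED run reports the file as changed as well, which is the behaviour the question expected. To see the same effect for the original program, compare the Private_Dirty field of the libc.so.6 mapping in /proc/<pid>/smaps before and after the write.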