Incorrect prototype of the clone syscall in pwnlib.shellcraft #2283
Comments
This is tricky to fix because the syscalls templates are generated once and shared between all architectures using a symlink. We could get rid of the symlinks and look into the
This is exactly the problem, we generate the prototypes right from the man pages; if you have a solution, or even a prototype of a solution, feel free to submit a PR with it, or please share your ideas; this would really help shellcoding environments where you need clone().
Hey,
I noticed that the pwnlib.shellcraft.clone() implementation has the prototype of the glibc wrapper function, and invokes the syscall by this prototype, but should be calling the syscall by its raw prototype.
The clone() system call glibc wrapper function and the actual raw system call have different function prototypes, as mentioned in the man page:
From the documentation of pwnlib.shellcraft.clone():
Simple code snippet and output:
As you can see, in the above case (aarch64), the first argument passed is the fn pointer, when the syscall expects the flags argument. In the same way, the flags argument is passed as the parent_tid, and the fn argument is not even expected by the syscall.
Possible solutions would be to either implement the glibc wrapper function logic, or to edit the function prototype to match the raw syscall, per architecture.
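The two prototypes the issue contrasts, side by side in C, as an added example that is neither pwntools code nor part of the issue: `raw_clone` invokes the raw system call in the argument order clone(2) documents for x86-64 and for aarch64 (and most other architectures), while `wrapper_clone_fork` goes through the glibc wrapper whose first argument is the fn pointer. All function names are the example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes clone() in <sched.h> on glibc */
#endif
#include <sched.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Wrapper prototype from clone(2); restated so the block compiles even if a harness includes system headers before _GNU_SOURCE. */
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

/* Raw syscall: flags FIRST, no fn/arg at all, and the last two arguments swap per architecture (clone(2)). */
static long raw_clone(unsigned long flags, void *stack, int *parent_tid,
                      int *child_tid, unsigned long tls) {
#if defined(__x86_64__)
    return syscall(SYS_clone, flags, stack, parent_tid, child_tid, tls); /* x86-64: flags, stack, parent_tid, child_tid, tls */
#else
    return syscall(SYS_clone, flags, stack, parent_tid, tls, child_tid); /* aarch64, arm, mips, ppc: flags, stack, parent_tid, tls, child_tid */
#endif
}

/* Child via the raw syscall; returns its exit status. flags = SIGCHLD and
 * stack = NULL make it behave like fork(): the child resumes after the syscall. */
int raw_clone_fork(int exit_code) {
    long pid = raw_clone(SIGCHLD, NULL, NULL, NULL, 0);
    if (pid < 0) return -1;
    if (pid == 0) _exit(exit_code);   /* child: never return into the parent's code */
    int status = 0;
    if (waitpid((pid_t)pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

static int child_fn(void *arg) { return *(int *)arg; }  /* return value becomes the exit status */

/* Same via the glibc wrapper: fn first, flags third, caller-provided stack;
 * the wrapper, not the kernel, calls fn and exits with its return value. */
int wrapper_clone_fork(int exit_code) {
    const size_t stack_size = 64 * 1024;
    char *stack = malloc(stack_size);
    if (!stack) return -1;
    int arg = exit_code, status = 0, result = -1;
    /* the stack grows down on x86-64 and aarch64, so hand over the top of the buffer */
    pid_t pid = clone(child_fn, stack + stack_size, SIGCHLD, &arg);
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        result = WEXITSTATUS(status);
    free(stack);
    return result;
}
```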