tags:

views: 88

answers: 1

For a user-level thread library, I need to figure out how to jump to a function by modifying the PC value stored in a jmp_buf.

This is what I have written:

#include <stdio.h>
#include <setjmp.h>
#include <stdint.h>

jmp_buf env;

void print(void) {
    printf("\nHello World!");
}

/* glibc/i386 PTR_MANGLE: xor with the per-thread pointer guard at %gs:0x18,
   then rotate left by 9. glibc stores the saved SP and PC in the jmp_buf
   in this mangled form, so a replacement PC has to be mangled the same way. */
static int ptr_mangle(int p) {
    unsigned int ret;
    asm(" movl %1, %%eax;\n"
        " xorl %%gs:0x18, %%eax;"
        " roll $0x9, %%eax;"
        " movl %%eax, %0;"
        : "=r"(ret)
        : "r"(p)
        : "%eax"
        );
    return ret;
}

int main(void) {
    int i = setjmp(env);
    /* slot 5 of glibc's i386 __jmpbuf is the saved EIP; slot 4 (the saved
       ESP) is left untouched, so print() runs on main's stack with no
       valid return address of its own */
    env[0].__jmpbuf[5] = ptr_mangle((int)(uintptr_t)print);
    longjmp(env, 2);
    return 0;
}

I am trying to modify the PC in the jmp_buf by setting it to the address of the function I want to jump to. I am getting a segmentation fault. I am unable to figure out what exactly needs to be done. Do I need to modify the SP as well?

Any help would be very much appreciated.

A: 

What are you trying to do? Are you not checking the return value of setjmp? I don't think you are doing this correctly. Have a look at the sample code below to see what the output would be:

#include <stdio.h>
#include <setjmp.h>
#include <stdlib.h>

void subroutine(jmp_buf);

int main(void)
{
   int value;
   jmp_buf jumper;

   /* setjmp returns 0 on the direct call, and returns a second time
      with the value passed to longjmp when the saved context is resumed */
   value = setjmp(jumper);
   if (value != 0)
   {
      printf("Longjmp with value %d\n", value);
      exit(value);
   }
   printf("About to call subroutine ... \n");
   subroutine(jumper);

   return 0;
}

void subroutine(jmp_buf jumper)
{
   longjmp(jumper, 1);   /* the setjmp in main now returns 1 */
}

The output would be:

About to call subroutine...
Longjmp with a value of 1.

Which begs the question: why are you trying to modify the IP? It sounds like you overwrote something, or the code 'jumped' off into the woods, trampled something and came back with a hard landing, i.e. a segfault.

The variable env is specifically a struct; do not use an array subscript as you have done. I suspect that is why you got a segfault...

Hope this helps, Best regards, Tom.

tommieb75
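The question's last line ("Do I need to modify SP as well?") is the crux, and the answer is yes: a context that resumes a fresh function needs both a new PC and a stack of its own, because the saved SP in the jmp_buf still points into main's frame and the function's return has nowhere valid to go. Patching the mangled slots of glibc's jmp_buf by hand (slot 5 is the i386 EIP, slot 4 the ESP, both stored mangled) ties the code to one libc and one architecture. The added example below, which is not code from the question or the answer, does the same job with the portable ucontext API: getcontext/makecontext set the new SP and PC, and swapcontext does the switches. It assumes a glibc-style Linux system where <ucontext.h> is available; the names uthread_create, uthread_yield, uthread_run and worker are hypothetical, and the trace string is constructed only so the result can be checked.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ucontext.h>

#define STACK_SIZE (64 * 1024)
#define MAX_THREADS 4

/* One user-level thread: its saved registers (PC and SP included) and
   the private stack those registers point into. */
struct uthread {
    ucontext_t ctx;
    char *stack;     /* malloc'd stack, NULL once the thread has finished */
    int done;
};

static struct uthread threads[MAX_THREADS];
static int nthreads;
static int current = -1;
static ucontext_t sched_ctx;   /* the scheduler's own saved context */

/* Execution trace (constructed for checking), e.g. "A0 B0 A1 B1 B2 " */
static char trace[128];
static size_t trace_len;

/* Cooperative yield: save this thread's registers, resume the scheduler. */
static void uthread_yield(void)
{
    swapcontext(&threads[current].ctx, &sched_ctx);
}

/* Thread body (hypothetical workload): log a step, yield, repeat. */
static void worker(int id, int rounds)
{
    for (int r = 0; r < rounds; r++) {
        trace_len += (size_t)snprintf(trace + trace_len, sizeof trace - trace_len,
                                      "%c%d ", 'A' + id, r);
        uthread_yield();
    }
    threads[id].done = 1;
    /* returning from the entry function resumes ctx.uc_link (the scheduler) */
}

/* Build a runnable context: new SP via uc_stack, new PC via makecontext. */
static int uthread_create(int rounds)
{
    if (nthreads >= MAX_THREADS)
        return -1;
    int id = nthreads;
    struct uthread *t = &threads[id];
    t->stack = malloc(STACK_SIZE);
    if (t->stack == NULL)
        return -1;
    t->done = 0;
    getcontext(&t->ctx);                          /* start from a valid context */
    t->ctx.uc_stack.ss_sp = t->stack;             /* SP: the thread's own stack */
    t->ctx.uc_stack.ss_size = STACK_SIZE;
    t->ctx.uc_link = &sched_ctx;                  /* where to go when worker returns */
    makecontext(&t->ctx, (void (*)(void))worker, 2, id, rounds);  /* PC: worker */
    nthreads++;
    return id;
}

/* Round-robin scheduler: run until every thread is done; returns the trace. */
static const char *uthread_run(void)
{
    int remaining = nthreads;
    while (remaining > 0) {
        for (int i = 0; i < nthreads; i++) {
            if (threads[i].stack == NULL)
                continue;                         /* finished and freed already */
            current = i;
            swapcontext(&sched_ctx, &threads[i].ctx);
            if (threads[i].done) {
                free(threads[i].stack);           /* nothing runs on it any more */
                threads[i].stack = NULL;
                remaining--;
            }
        }
    }
    return trace;
}

int main(void)
{
    uthread_create(2);   /* thread A: two rounds */
    uthread_create(3);   /* thread B: three rounds */
    puts(uthread_run()); /* A0 B0 A1 B1 B2 */
    return 0;
}
```

Thread A and thread B alternate because each uthread_yield saves the caller's registers and hands control back to the scheduler; when a body returns, uc_link sends control to the scheduler's last saved context instead of to a garbage return address. Once a thread has been started this way, later switches could equally be done with setjmp/longjmp, since both sides then have valid stacks; it is only the first entry onto a fresh stack that needs makecontext or the non-portable jmp_buf surgery. Note that the ucontext functions are marked obsolescent by POSIX and are missing from some libcs (musl, for instance), which is one reason production thread libraries write their own small context-switch routine in assembly.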