#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>

/*
 * Deliberately defective program: every defect below (uninitialised
 * heap reads, an undefined syscall number and undefined/unaddressable
 * syscall arguments) is the point of the test, which exercises how the
 * checker reports raw syscall() arguments. The exact sequence of
 * operations is what the expected report depends on, so the code must
 * not be "fixed" or restructured.
 */
int main(void)
{
    // uninitialised, but we know pi[0] is 0x0
    // NOTE(review): malloc() gives indeterminate contents; "we know" rests
    // on the allocator handing back fresh zeroed memory for the first
    // allocation — confirm on a new platform or allocator before relying on it.
    int* pi = malloc(sizeof(int));

    // uninitialised, but we know pc[0] points to 0x0
    char** pc = malloc(sizeof(char*));

    // Five errors:
    //  - the syscall number itself is undefined (but we know it's
    //    0 + __NR_write :)
    //  - each of the scalar args are undefined
    //  - the 2nd arg points to unaddressable memory.
    // The malloc() results are not NULL-checked and neither block is ever
    // freed; presumably both are intentional, since the test exists only to
    // provoke the syscall-argument errors listed above.
    syscall(pi[0]+__NR_write, pi[0], pc[0], pi[0]+1);

    return 0;
}