Greetings,
I'm doing some work on payloads, chaining, and returning from an elf image and have run into an 'interesting' problem.
Currently, when elfload sees that an image will overwrite LinuxBIOS, it moves everything (including the stack) up into high memory. So far, so good.
However, in the case where it will not overwrite, it leaves things alone. The problem comes in where the payload then loads an image over the stack. So, for example, LinuxBIOS loads payload at 0x1000-0x4000, payload loads image at 0x5000-0x10000 and BOOM.
The best bet is to have the first payload move the stack to the top of ram under the 4GB mark and somehow mark that memory as 'pre-boot reserved', meaning that bootloaders should leave it alone, but a final boot target such as Linux may use it after moving the stack.
The idea is to allow for chaining by having each stage reserve its chunk of memory (including bounce buffer) at top of ram-reserved, then move reserved down. jmp_to_elf_entry then just worries about IP and leaves ESP and EBP alone.
Ideally, LinuxBIOS itself would create the stack high in the first place, but we are near the freeze, and the first stage payload can easily enough handle the ugliness and set a flag within baremetal to deal with this.
Any thoughts?
G'day, sjames
--
steven james, director of research, linux labs
230 peachtree st nw ste 2701, atlanta.ga.us 30303
the original linux labs - since 1995
http://www.linuxlabs.com office 404.577.7747 fax 404.577.7743
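The "reserve from the top of RAM, then move the reserved floor down" scheme proposed above, as an added example that is not LinuxBIOS or elfload code: a chunk allocator for the pre-boot reserved area plus a check of an image's load segments against it. All addresses (RAM top, chunk sizes, segment ranges) are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* A half-open physical address range [start, end). */
struct region { uint64_t start; uint64_t end; };

/* Carve `size` bytes off the top of the free area below `*floor`, aligned
 * down to `align` (a power of two), and lower the floor to the new base.
 * Everything in [*floor, ram_top) is then "pre-boot reserved" for later
 * stages.  Returns the chunk base, or 0 if the floor would drop below
 * `limit` (a constructed lower bound on how much RAM may be taken). */
uint64_t reserve_top(uint64_t *floor, uint64_t limit, uint64_t size, uint64_t align)
{
    if (size == 0 || size > *floor)
        return 0;
    uint64_t base = (*floor - size) & ~(align - 1);
    if (base < limit)
        return 0;
    *floor = base;
    return base;
}

/* True if two half-open ranges share at least one byte. */
int regions_overlap(const struct region *a, const struct region *b)
{
    return a->start < b->end && b->start < a->end;
}

/* Check every PT_LOAD segment of an image against the reserved area
 * [floor, ram_top).  Returns the index of the first segment that would
 * clobber reserved memory (stack, bounce buffer, ...), or -1 if the image
 * can be loaded without touching it. */
int first_reserved_conflict(const struct region *segs, size_t nsegs,
                            uint64_t floor, uint64_t ram_top)
{
    struct region resv = { floor, ram_top };
    for (size_t i = 0; i < nsegs; i++)
        if (regions_overlap(&segs[i], &resv))
            return (int)i;
    return -1;
}
```

A loader that relocates ESP into a chunk from reserve_top() and refuses any image for which first_reserved_conflict() is not -1 cannot be hit by the 0x5000-0x10000 over-the-stack case described above.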
What if there were an elf section for the stack? Then elfboot would know to avoid that too.
ron
Greetings,
I'm not sure how that would work?!? The problem only happens when the first payload doesn't conflict with anything and the second one conflicts with the LinuxBIOS stack. By that time, the only thing the running code knows is where ESP was when it started (but not where the top of the stack is).
I did a test in bootselect where I just move the stack then. That plus a quick hack to the elf loader (the private copy in baremetal) to allocate the bounce buffer below the stack helps a lot.
G'day, sjames
On Fri, 2 May 2003, ron minnich wrote:
> What if there were an elf section for the stack? Then elfboot would know to avoid that too.
> ron