You need to understand that a thread/process context has multiple parts, one, directly associated with execution and is held in the CPU and certain system tables in memory that the CPU uses (e.g. page tables), and the other, which is needed for the OS, for bookkeeping (think of the various IDs, handles, special OS-specific permissions, … Read more
TL:DR: int 0x80 works when used correctly, as long as any pointers fit in 32 bits (stack pointers don’t fit). But beware that strace decodes it wrong unless you have a very recent strace + kernel. int 0x80 zeros r8-r11 for reasons, and preserves everything else. Use it exactly like you would in 32-bit code, … Read more
One example use would be I/O redirection. For this you fork a child process and close the stdin or stdout file descriptors (0 and 1) and then you do a dup() on another filedescriptor of your choice which will now be mapped to the lowest available file descriptor, which is in this case 0 or … Read more
syscall is the default way of entering kernel mode on x86-64. This instruction is not available in 32 bit modes of operation on Intel processors. sysenter is an instruction most frequently used to invoke system calls in 32 bit modes of operation. It is similar to syscall, a bit more difficult to use though, but … Read more
When your signal handler returns (assuming it doesn’t call exit or longjmp or something that prevents it from actually returning), the code will continue at the point the signal occurred, reexecuting the same instruction. Since at this point, the memory protection has not been changed, it will just throw the signal again, and you’ll be … Read more
Just a guess, but those numbers look more interesting in hex: 672274793 = 0x28121969 85072278 = 0x05121996 369367448 = 0x16041998 537993216 = 0x20112000 Developers’ or developers’ children’s birthdays? Regarding finding the syscall implementation, I did a git grep -n LINUX_REBOOT_MAGIC2 and found the definition in kernel/sys.c. The symbol sys_reboot is generated by the SYSCALL_DEFINE4(reboot, … … Read more
The dup system call duplicates an existing file descriptor, returning a new one that refers to the same underlying I/O object. Dup allows shells to implement commands like this: ls existing-file non-existing-file > tmp1 2>&1 The 2>&1 tells the shell to give the command a file descriptor 2 that is a duplicate of descriptor 1. … Read more
int means interrupt, and the number 0x80 is the interrupt number. An interrupt transfers the program flow to whomever is handling that interrupt, which is interrupt 0x80 in this case. In Linux, 0x80 interrupt handler is the kernel, and is used to make system calls to the kernel by other programs. The kernel is notified … Read more
The sbrksystem call moves the “border” of the data segment. This means it moves a border of an area in which a program may read/write data (letting it grow or shrink, although AFAIK no malloc really gives memory segments back to the kernel with that method). Aside from that, there’s also mmap which is used … Read more