2

I am currently reversing a challenge to learn. But why is the parameter of mmap (containing fd) at 4294967295?

(Is it not supposed to exist? No files are open with open, just before.)

https://snag.gy/8LPqoh.jpg

jukebox

1 Answer

6

The signature for mmap is

void *mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset); 

4294967295 is the same as -1 when treated as a signed integer.

The mmap call actually looks like

mmap(
     NULL,                                /*addr*/
     321,                                 /*length*/
     PROT_EXEC | PROT_READ | PROT_WRITE,  /*prot*/
     MAP_ANONYMOUS | MAP_PRIVATE,         /*flags*/
     -1,                                  /*fd*/
     0                                    /*offset*/
)

Now as per the man pages,

MAP_ANONYMOUS

The mapping is not backed by any file; its contents are initialized to zero. The fd and offset arguments are ignored; however, some implementations require fd to be -1 if MAP_ANONYMOUS (or MAP_ANON) is specified, and portable applications should ensure this. The use of MAP_ANONYMOUS in conjunction with MAP_SHARED is only supported on Linux since kernel 2.4.

It says that if MAP_ANONYMOUS is specified, then we may use -1 as fd, which explains your question.

0xec
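The point made in the answer above, as an added example that is not part of the original post: it reinterprets the raw value 4294967295 as the `int` fd, checks the flags that make fd irrelevant, and confirms the anonymous mapping is zero-filled. The helper names (`fd_from_raw`, `fd_is_ignored`, `is_wx`, `anon_map_is_zeroed`) are hypothetical, and Linux with glibc is assumed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes MAP_ANONYMOUS on glibc (assumed) */
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Reinterpret the raw 32-bit value a disassembler shows as the C `int` fd. */
static int fd_from_raw(uint32_t raw) {
    int32_t fd;
    memcpy(&fd, &raw, sizeof fd);   /* same bits, signed view */
    return fd;
}

/* True when the flags make the mapping anonymous, so fd is not a real descriptor. */
static int fd_is_ignored(int flags) {
    return (flags & MAP_ANONYMOUS) != 0;
}

/* True when the mapping is both writable and executable (worth a closer look). */
static int is_wx(int prot) {
    return (prot & PROT_WRITE) && (prot & PROT_EXEC);
}

/* Create the anonymous mapping and report whether all `len` bytes are zero.
   Returns 1 = zero-filled, 0 = non-zero byte found, -1 = mmap failed. */
static int anon_map_is_zeroed(size_t len, int prot) {
    unsigned char *p = mmap(NULL, len, prot, MAP_ANONYMOUS | MAP_PRIVATE,
                            fd_from_raw(4294967295u), 0);
    if (p == MAP_FAILED)
        return -1;
    int zeroed = 1;
    for (size_t i = 0; i < len; i++)
        if (p[i] != 0) { zeroed = 0; break; }
    munmap(p, len);
    return zeroed;
}

int main(void) {
    int prot = PROT_EXEC | PROT_READ | PROT_WRITE;   /* values from the answer */
    int flags = MAP_ANONYMOUS | MAP_PRIVATE;
    printf("fd 4294967295 as int: %d\n", fd_from_raw(4294967295u));
    printf("fd ignored: %d, W+X: %d\n", fd_is_ignored(flags), is_wx(prot));
    /* A hardened kernel policy may refuse RWX; the function then returns -1. */
    printf("RWX anon map zeroed: %d\n", anon_map_is_zeroed(321, prot));
    return 0;
}
```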