execve syscall returning EFAULT when issued with the 32-bit (int $0x80) calling convention from a 64-bit (AMD64) Linux process
# Failing variant: builds execve("/bin/date", argv, NULL) correctly, but issues it
# with the i386 `int $0x80` convention (nr in eax, args in ebx/ecx/edx). From a
# 64-bit process that enters the kernel's 32-bit compat syscall path, which uses
# only the low 32 bits of each argument register. The filename pointer in rbx
# (0x4000a0 in the gdb dump below) survives that truncation; the argv pointer in
# rcx (0x7fffffffe968, a stack address above 4 GiB) does not, so the kernel
# dereferences an unmapped argv and execve fails with EFAULT. gdb's `x/s *$rcx`
# still shows "/bin/date" because gdb uses the full 64-bit value, not the kernel's
# truncated one. NOTE(review): assumes a kernel with IA32 emulation enabled;
# without it int $0x80 would not reach the syscall table at all and would fail
# differently. The working native-`syscall` version follows this listing.
.global main
main:
jmp two                         # jump over the body so `call one` can capture the string address

one:
# zero rax and rdx: a full 64-bit clear, so the byte-sized mov to %al below is the whole syscall number
xor %rax,%rax
mov %rax,%rdx                   # envp = NULL

# save string location: `call one` pushed the address of the .string that follows it
mov (%rsp),%rbx                 # rbx = filename (fits in 32 bits, so it survives int $0x80)

# push argv array onto the stack: {filename, NULL}. The add discards the pushed
# return address plus one more slot; nothing ever returns through here, so the
# discarded contents are irrelevant.
add $16, %rsp
push %rax                       # argv[1] = NULL
push %rbx                       # argv[0] = filename
# assign argv pointer -- a 64-bit stack address; int $0x80 hands the kernel only its low 32 bits
mov %rsp,%rcx

# execve call: 0xb = 11 = execve in the i386 table (the x86-64 table uses 59)
mov $0xb, %al
int $0x80                       # returns here only on failure, rax = -errno

# exit on failure: eax = 1 = i386 exit, ebx = 0, so the process exits with status 0 despite the failure
xor %rax,%rax
xor %rbx,%rbx
movb $0x1,%al
int $0x80

two:
# get address of the string: call pushes the address of the byte after itself, which is the string
call one
.string "/bin/date"
  35.  
  36. (gdb) info registers
  37. rax 0xb 11
  38. rbx 0x4000a0 4194464
  39. rcx 0x7fffffffe968 140737488349544
  40. rdx 0x0 0
  41.  
  42. (gdb) x/s $rbx
  43. 0x4000a0: "/bin/date"
  44.  
  45. (gdb) x/s *$rcx
  46. 0x4000a0: "/bin/date"
  47.  
  48. .global main
  49. main:
  50. jmp two
  51.  
  52. one:
  53. # zero rax and rdx
  54. xor %rax,%rax
  55. mov %rax,%rdx
  56.  
  57. # save string location, note that %rdi is used instead of %rbx
  58. pop %rdi
  59.  
  60. # push argv array onto the stack
  61. add $16, %rsp
  62. push %rax
  63. push %rdi
  64. # assign argv pointer, using %rsi instead of %rcx
  65. mov %rsp,%rsi
  66.  
  67. # execve call, note that the syscall number is different than in 32bit
  68. mov $0x3b, %al
  69. syscall
  70.  
  71. two:
  72. # get address of the string
  73. call one
  74. .string "/bin/date"
  75.  
/* Prototype of the system call both assembly listings above issue by hand:
   filename, a NULL-terminated argv array, and a NULL-terminated envp array. */
int execve(const char *filename,
char *const argv[],
char *const envp[]);

/* C equivalent of what the working (native syscall) listing passes:
   argv = {filename, NULL}, envp = {NULL}. The assembly passes envp as a NULL
   pointer rather than a pointer to an empty array, which Linux also accepts. */
char *filename = "/bin/date";
char *argv [2] = {filename, NULL};
char *envp [1] = {NULL};

execve (filename, argv, envp);

/* Illustrative pseudo-call only: it has two arguments and so does not compile
   against the prototype above. It appears to depict what the failing int $0x80
   attempt looks like to the kernel -- an argv pointer that is unusable after
   truncation to 32 bits -- but note the assembly does set envp (to NULL); the
   "missing" third parameter is the author's shorthand, not a literal omission. */
char *filename = "/bin/date";

execve (filename, NULL); // illustrative: argv unusable (malformed) and envp not shown; not valid against the 3-arg prototype