For example W^X detection, VMAP_STACK, THREAD_INFO_IN_TASK, read only after init, etc. THREAD_INFO_IN_TASK is a typical attack-surface-reduction feature: it moves the thread_info structure, originally placed in stack memory, into the task struct global variable, preventing an attacker from tampering with sensitive data in thread_info (addr_limit) via a stack overflow. Exploit defense and mitigation. For example, to mitigate heap...
Debugging/analysis tools and other tools: addr2line, ar, c++filt, gold, gprof, nm, objcopy, objdump, ranlib, readelf, size, strings, strip. Must be configured for each CPU architecture. Cross-compilation is very simple and needs no special dependencies. gcc: GNU Compiler Collection. Compiler front ends for C, C++, Fortran, Go, etc. Compiler back ends for various CPU architectures. Provides: the compiler itself...
2017: "Linux kernel addr_limit bug / exploitation" by Vitaly Nikolenko [video] 2017: "The Stack Clash" by Qualys Research Team [article] 2017: "New Reliable Android Kernel Root Exploitation Techniques" [slides] 2017: "Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using...
The page fault handling logic is actually: down_read(&mm->mmap_lock); __do_page_fault(mm, vma, addr, mm_flags, vm_flags, regs); up_read(&mm->mmap_lock); Because mmap_sem belongs to the whole process, and a single process may well have thousands of VMAs, the large number of page faults and other VMA write operations contend with each other for the lock, which causes heavy lock-contention latency.
(struct sockaddr *)&daddr, sizeof(struct sockaddr_nl));
printf("send kernel :%s", msg);
memset(&u_info, 0, sizeof(u_info));
len = sizeof(struct sockaddr_nl);
// receive the message
recvfrom(sockfd, &u_info, sizeof(user_msg_info), 0, (struct sockaddr *)&daddr, &len);
printf("\n");
printf...
CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_IOMMU_DEFAULT_PASSTHROUGH |kconfig| is not set | kspp | self_protection | OK ...
kernel_addr >> 3 + CONFIG_KASAN_SHADOW_OFFSET = the shadow_addr corresponding to kernel_addr. 4. Verification with a test driver program. Below is a simple test case used to test memory trampling (out-of-bounds access) of kmalloc, page, global variable, stack variable and vmalloc memory.
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/misc...
ddi_copyin((void *)req.addr, buf, req.size, 0); } static int dummy_ioctl (dev_t dev, int cmd, intptr_t arg, int mode, cred_t *cred_p, int *rval_p ) { switch (cmd) { […] case TEST_ALLOC_SLAB_BUF: alloc_heap_buf(arg); break; case TEST_FREE_SLAB_BUF: free_heap_...
/* Copy vectors to mask ROM indirect addr */ adr r0, _start @ r0 <- current position of code add r0, r0, #4 @ skip reset vector mov r2, #64 @ r2 <- size to copy add r2, r0, r2 @ r2 <- source end address mov r1, #SRAM_OFFSET0 @ build vect addr ...
#if (CONFIG_OMAP34XX)
// this macro is not defined, so the code below is not compiled
/* Copy vectors to mask ROM indirect addr */
adr r0, _start @ r0 <- current position of code
add r0, r0, #4 @ skip reset vector
mov r2, #64 @ r2 <- size to copy
add r2, r0, r2 @ r2 <- source end address
mov r1...