Changes between Version 16 and Version 17 of Dev/KernelHack/COINS/worklog/201111

Timestamp:

Nov 25, 2011 2:45:55 AM (13 years ago)

Author:

mitty

Comment:

--

Dev/KernelHack/COINS/worklog/201111

@@ -3588 +3588 @@
 Continuing.
 }}}
+
+ = 11/24 =
+ == improve read function of /proc ==
+ * [http://wiki.bit-hive.com/tomizoo/pg/proc%20fs%20%A4%F2%BB%C8%A4%C3%A4%BF%A5%AB%A1%BC%A5%CD%A5%EB%BE%F0%CA%F3%A4%CE%C9%BD%BC%A8 proc fs を使ったカーネル情報の表示 - とみぞーノート]
+ * [http://wiki.bit-hive.com/tomizoo/pg/proc%20fs%20%A4%F2%BB%C8%A4%C3%A4%BF%A5%AB%A1%BC%A5%CD%A5%EB%BE%F0%CA%F3%A4%CE%C9%BD%BC%A8%20%A4%BD%A4%CE2 proc fs を使ったカーネル情報の表示 その2 - とみぞーノート]
+
+ === check how stackmod_proc_read works ===
+ * s0711489@ubuntu-lucid64:~$ sudo insmod stackmod.ko
+ * s0711489@ubuntu-lucid64:~$ cat /sys/module/stackmod/sections/.text
+{{{
+0xffffffffa005c000
+}}}
+ * s0711489@ubuntu-lucid64:~$ cat /sys/module/stackmod/sections/.data
+{{{
+0xffffffffa005c738
+}}}
+ * s0711489@ubuntu-lucid64:~$ cat /sys/module/stackmod/sections/.bss
+{{{
+0xffffffffa005c970
+}}}
+
+ * gdb
+{{{
+(gdb) file vmlinux
+Reading symbols from /home/ugrad/07/s0711489/coursework/KernelHack/linux-2.6.35.14/x86_64/vmlinux...(no debugging symbols found)...done.
+(gdb) add-symbol-file ../../04/stackmod/stackmod.o 0xffffffffa005c000 -s .data 0xffffffffa005c738 -s .bss 0xffffffffa005c970
+add symbol table from file "../../04/stackmod/stackmod.o" at
+        .text_addr = 0xffffffffa005c000
+        .data_addr = 0xffffffffa005c738
+        .bss_addr = 0xffffffffa005c970
+(y or n) y
+Reading symbols from /home/ugrad/07/s0711489/coursework/KernelHack/04/stackmod/stackmod.o...done.
+(gdb) target remote localhost:8864
+Remote debugging using localhost:8864
+0xffffffff810097a9 in native_safe_halt ()
+    at /home/ugrad/07/s0711489/coursework/KernelHack/linux-2.6.35.14/x86_64/arch
+/x86/include/asm/irqflags.h:49
+49              asm volatile("sti; hlt": : :"memory");
+(gdb) b
+Breakpoint 1 at 0xffffffff810097a9: file /home/ugrad/07/s0711489/coursework/Kern
+elHack/linux-2.6.35.14/x86_64/arch/x86/include/asm/irqflags.h, line 49.
+(gdb) d
+Delete all breakpoints? (y or n) y
+(gdb) b stackmod_proc_read
+
+Breakpoint 2 at 0xffffffffa005c1cd: file /home/ugrad/07/s0711489/coursework/KernelHack/04/stackmod/stackmod.c, line 153.
+(gdb) c
+Continuing.
+
+Breakpoint 2, stackmod_proc_read (page=0xffff88001d90c000 "\300\300\220\035",
+    start=0xffff88001ad5fe90, off=0, count=3072, eof=0xffff88001ad5fe9c,
+    data=0x0)
+    at /home/ugrad/07/s0711489/coursework/KernelHack/04/stackmod/stackmod.c:153
+153     ) {
+(gdb) p *eof
+$1 = 0
+(gdb) p *start
+$2 = 0x0
+(gdb) n
+156             outlen = sprintf(page, "stack: %d\n", stack.depth);
+(gdb)
+153     ) {
+(gdb)
+156             outlen = sprintf(page, "stack: %d\n", stack.depth);
+(gdb)
+157             *eof = 1;
+(gdb)
+156             outlen = sprintf(page, "stack: %d\n", stack.depth);
+(gdb)
+159             printk(KERN_DEBUG "/proc/" PROCNAME " is read\n");
+(gdb)
+162     }
+(gdb)
+__proc_file_read (file=<value optimized out>,
+    buf=0x1658000 <Address 0x1658000 out of bounds>, nbytes=32768,
+    ppos=0xffff88001ad5ff48) at fs/proc/generic.c:125
+125                     if (n == 0)   /* end of file */
+(gdb) p *eof
+Cannot access memory at address 0x1
+(gdb) bt
+#0  __proc_file_read (file=<value optimized out>,
+    buf=0x1658000 <Address 0x1658000 out of bounds>, nbytes=32768,
+    ppos=0xffff88001ad5ff48) at fs/proc/generic.c:125
+#1  proc_file_read (file=<value optimized out>,
+    buf=0x1658000 <Address 0x1658000 out of bounds>, nbytes=32768,
+    ppos=0xffff88001ad5ff48) at fs/proc/generic.c:201
+#2  0xffffffff81124b07 in proc_reg_read (file=0xffff88001ad6dcc0,
+    buf=0x1658000 <Address 0x1658000 out of bounds>, count=32768,
+    ppos=0xffff88001ad5ff48) at fs/proc/inode.c:163
+#3  0xffffffff810df784 in vfs_read (file=0xffff88001ad6dcc0,
+    buf=0x1658000 <Address 0x1658000 out of bounds>, count=14135,
+    pos=0xffff88001ad5ff48) at fs/read_write.c:310
+#4  0xffffffff810dfa2b in sys_read (fd=<value optimized out>,
+    buf=0x1658000 <Address 0x1658000 out of bounds>, count=32768)
+    at fs/read_write.c:400
+#5  0xffffffff810029eb in ?? ()
+#6  0x0000000000000246 in ?? ()
+#7  0x00007fffbfae3c10 in ?? ()
+#8  0x0000000000000000 in ?? ()
+(gdb) p start
+$3 = 0x0
+(gdb) p eof
+$4 = 1
+(gdb) p n
+$5 = <value optimized out>
+(gdb) p count
+$6 = <value optimized out>
+(gdb) n
+120                             n = dp->read_proc(page, &start, *ppos,
+(gdb)
+127                     if (n < 0) {  /* error */
+(gdb)
+133                     if (start == NULL) {
+(gdb)
+134                             if (n > PAGE_SIZE) {
+(gdb)
+139                             n -= *ppos;
+(gdb)
+140                             if (n <= 0)
+(gdb)
+141                                     break;
+(gdb)
+144                             start = page + *ppos;
+(gdb)
+170             might_sleep();
+(gdb)
+68              return _copy_to_user(dst, src, size);
+(gdb) f
+#0  __proc_file_read (file=<value optimized out>,
+    buf=0x1658000 <Address 0x1658000 out of bounds>,
+    nbytes=<value optimized out>, ppos=0xffff88001ad5ff48)
+    at /home/ugrad/07/s0711489/coursework/KernelHack/linux-2.6.35.14/x86_64/arch/x86/include/asm/uaccess_64.h:68
+68              return _copy_to_user(dst, src, size);
+(gdb) n
+171                     if (n == 0) {
+(gdb) p n
+$7 = <value optimized out>
+(gdb) n
+170                     n -= copy_to_user(buf, start < page ? page : start, n);
+(gdb)
+171                     if (n == 0) {
+(gdb)
+177                     *ppos += start < page ? (unsigned long)start : n;
+(gdb)
+178                     nbytes -= n;
+(gdb)
+179                     buf += n;
+(gdb)
+180                     retval += n;
+(gdb)
+68              while ((nbytes > 0) && !eof) {
+(gdb) p eof
+$8 = 1
+(gdb)
+$9 = 1
+(gdb) n
+182             free_page((unsigned long) page);
+(gdb)
+proc_file_read (file=<value optimized out>, buf=0x1658009 "", nbytes=9,
+    ppos=0xffff88001ad5ff48) at fs/proc/generic.c:203
+203             pde_users_dec(pde);
+(gdb) bt
+#0  proc_file_read (file=<value optimized out>, buf=0x1658009 "", nbytes=9,
+    ppos=0xffff88001ad5ff48) at fs/proc/generic.c:203
+#1  0xffffffff81124b07 in proc_reg_read (file=0xffff88001ad6dcc0,
+    buf=0x1658000 "stack: 0\n", count=32768, ppos=0xffff88001ad5ff48)
+    at fs/proc/inode.c:163
+#2  0xffffffff810df784 in vfs_read (file=0xffff88001ad6dcc0,
+    buf=0x1658000 "stack: 0\n", count=18446612132341573168,
+    pos=0xffff88001ad5ff48) at fs/read_write.c:310
+#3  0xffffffff810dfa2b in sys_read (fd=<value optimized out>,
+    buf=0x1658000 "stack: 0\n", count=32768) at fs/read_write.c:400
+#4  0xffffffff810029eb in ?? ()
+#5  0x0000000000000246 in ?? ()
+#6  0x00007fffbfae3c10 in ?? ()
+#7  0x0000000000000000 in ?? ()
+(gdb) n
+205     }
+(gdb)
+proc_reg_read (file=0xffff88001ad6dcc0, buf=0x1658000 "stack: 0\n",
+    count=32768, ppos=0xffff88001ad5ff48) at fs/proc/inode.c:165
+165             pde_users_dec(pde);
+(gdb)
+167     }
+(gdb) c
+Continuing.
+
+Breakpoint 2, stackmod_proc_read (page=0xffff88001d90c000 "stack: 0\n",
+    start=0xffff88001ad5fe90, off=9, count=3072, eof=0xffff88001ad5fe9c,
+    data=0x0)
+    at /home/ugrad/07/s0711489/coursework/KernelHack/04/stackmod/stackmod.c:153
+153     ) {
+(gdb) bt
+#0  stackmod_proc_read (page=0xffff88001d90c000 "stack: 0\n",
+    start=0xffff88001ad5fe90, off=9, count=3072, eof=0xffff88001ad5fe9c,
+    data=0x0)
+    at /home/ugrad/07/s0711489/coursework/KernelHack/04/stackmod/stackmod.c:153
+#1  0xffffffff811291f4 in __proc_file_read (file=<value optimized out>,
+    buf=0x1658000 "stack: 0\n", nbytes=32768, ppos=0xffff88001ad5ff48)
+    at fs/proc/generic.c:120
+#2  proc_file_read (file=<value optimized out>, buf=0x1658000 "stack: 0\n",
+    nbytes=32768, ppos=0xffff88001ad5ff48) at fs/proc/generic.c:201
+#3  0xffffffff81124b07 in proc_reg_read (file=0xffff88001ad6dcc0,
+    buf=0x1658000 "stack: 0\n", count=32768, ppos=0xffff88001ad5ff48)
+    at fs/proc/inode.c:163
+#4  0xffffffff810df784 in vfs_read (file=0xffff88001ad6dcc0,
+    buf=0x1658000 "stack: 0\n", count=9, pos=0xffff88001ad5ff48)
+    at fs/read_write.c:310
+#5  0xffffffff810dfa2b in sys_read (fd=<value optimized out>,
+    buf=0x1658000 "stack: 0\n", count=32768) at fs/read_write.c:400
+#6  0xffffffff810029eb in ?? ()
+#7  0x0000000000000246 in ?? ()
+#8  0x00007fffbfae3be0 in ?? ()
+#9  0x0000000000000000 in ?? ()
+(gdb) p eof
+$10 = (int *) 0xffff88001ad5fe9c
+(gdb) p *eof
+$11 = 0
+(gdb) info frame
+Stack level 0, frame at 0xffff88001ad5fe68:
+ rip = 0xffffffffa005c1cd in stackmod_proc_read
+    (/home/ugrad/07/s0711489/coursework/KernelHack/04/stackmod/stackmod.c:153); saved rip 0xffffffff811291f4
+ called by frame at 0xffff88001ad5fed8
+ source language c.
+ Arglist at 0xffff88001ad5fe58, args: page=0xffff88001d90c000 "stack: 0\n",
+    start=0xffff88001ad5fe90, off=9, count=3072, eof=0xffff88001ad5fe9c,
+    data=0x0
+ Locals at 0xffff88001ad5fe58, Previous frame's sp is 0xffff88001ad5fe68
+ Saved registers:
+  rip at 0xffff88001ad5fe60
+(gdb) info local
+No locals.
+(gdb) info locals
+No locals.
+(gdb) n
+156             outlen = sprintf(page, "stack: %d\n", stack.depth);
+(gdb) p outlen
+$12 = <value optimized out>
+(gdb) n
+153     ) {
+(gdb)
+156             outlen = sprintf(page, "stack: %d\n", stack.depth);
+(gdb)
+157             *eof = 1;
+(gdb)
+156             outlen = sprintf(page, "stack: %d\n", stack.depth);
+(gdb)
+159             printk(KERN_DEBUG "/proc/" PROCNAME " is read\n");
+(gdb)
+162     }
+(gdb) p *eof
+$13 = 1
+(gdb) n
+__proc_file_read (file=<value optimized out>, buf=0x1658000 "stack: 0\n",
+    nbytes=32768, ppos=0xffff88001ad5ff48) at fs/proc/generic.c:125
+125                     if (n == 0)   /* end of file */
+(gdb) c
+Continuing.
+}}}
+
+ === read stack.data.length ===
+ * s0711489@ubuntu-lucid64:~$ sudo insmod stackmod.ko
+ * s0711489@ubuntu-lucid64:~$ cat /proc/stackmod
+{{{
+stack: 0
+}}}
+ * s0711489@ubuntu-lucid64:~$ sudo mknod /dev/stack c 251 0
+ * s0711489@ubuntu-lucid64:~$ sudo chmod 666 /dev/stack
+ * s0711489@ubuntu-lucid64:~$ ls -l
+{{{
+-rw-r--r-- 1 s0711489 s0711489 128657 2011-11-24 01:30 stackmod.ko
+}}}
+ * s0711489@ubuntu-lucid64:~$ cat stackmod.ko > /dev/stack
+ * s0711489@ubuntu-lucid64:~$ cat /proc/stackmod
+{{{
+stack: 4
+stack.data[0].length:  32768
+stack.data[1].length:  32768
+stack.data[2].length:  32768
+stack.data[3].length:  30353
+}}}
+
+ === read /proc causes buffer overflow with deep stack ===
+ * s0711489@ubuntu-lucid64:~$ sudo rmmod stackmod
+ * s0711489@ubuntu-lucid64:~$ sudo insmod stackmod.ko entry=1000
+ * s0711489@ubuntu-lucid64:~$ dd if=/dev/zero of=/dev/stack
+{{{
+dd: writing to `/dev/stack': No space left on device
+1001+0 records in
+1000+0 records out
+512000 bytes (512 kB) copied, 0.0240922 s, 21.3 MB/s
+}}}
+ * s0711489@ubuntu-lucid64:~$ cat /proc/stackmod
+{{{
+stack: 1000
+stack.data[0].length:    512
+stack.data[1].length:    512
+stack.data[2].length:    512
+stack.data[3].length:    512
+stack.data[4].length:    512
+
+(snip)
+
+stack.data[132].length:    512
+stack.data[133].length:    512
+stack.data[134].length:    512
+}}}
+ * s0711489@ubuntu-lucid64:~$ tailf /var/log/kern.log
+{{{
+Nov 24 01:48:53 ubuntu-lucid64 kernel: [ 1509.351094] /proc/stackmod is read
+Nov 24 01:48:53 ubuntu-lucid64 kernel: [ 1509.351673] proc_file_read: Apparent buffer overflow!
+Nov 24 01:48:53 ubuntu-lucid64 kernel: [ 1509.351898] /proc/stackmod is read
+Nov 24 01:48:53 ubuntu-lucid64 kernel: [ 1509.352482] proc_file_read: Apparent buffer overflow!
+Nov 24 01:48:53 ubuntu-lucid64 kernel: [ 1509.353412] /proc/stackmod is read
+Nov 24 01:48:53 ubuntu-lucid64 kernel: [ 1509.353971] proc_file_read: Apparent buffer overflow!
+}}}