Copy function from user space to kernel and execute

First of all, I do it for pleasure, so do not judge me.

What I did was pass the function pointer from user space to the kernel, copy the body of the function using copy_from_user to a static array in the kernel, and start jumping in that array to execute.

in the kernel:

static char handler_text[PAGE_SIZE] __page_aligned_data;

/* copy PAGE_SIZE bytes starting at the user-space function address, then jump into them */
if (copy_from_user((void *)handler_text, (const void __user *)my_handler, PAGE_SIZE))
        return -EFAULT;
((void (*)(void))handler_text)();

In user space, what this function does is very simple, as shown below.

void my_handler(void)
{
        volatile unsigned long *p = (volatile unsigned long *)0xF0000c10;
        *p = 0x0000000;
}

10000938 <my_handler>: 
10000938:   3d 20 f0 00     lis     r9,-4096 
1000093c:   39 40 00 00     li      r10,0 
10000940:   61 29 0c 10     ori     r9,r9,3088 
10000944:   91 49 00 00     stw     r10,0(r9) 
10000948:   4e 80 00 20     blr 
1000094c:   00 01 88 08     .long 0x18808

, , Oops. , , Oops. , , . PowerPc, Oops , 700, . Oops , nip (after) - , my_handler.

Instruction dump:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 <3d20f000> 39400000 61290c10 91490000


+4
2



, A, (, printk, , printk )?

( modprobe), , .

: . Stuxnet Windows.


UPDATE:


(.. 700). PPC, inst . . , inst cache [ ]. [ "" ].

(,). x86 /, exec . (, , "" ) , [, 0x00000000].

: copy_from_user , . [ inst cache], , . , inst data [ ].

, (, 0x00000000) [ ].

, , , [ ]. , copy_from_user , , NOP.


+3

. , . Ctx Craig,

if (copy_from_user((void *)handler_text, (const void __user *)my_handler, PAGE_SIZE))
        return -EFAULT;

/* after the copy: write the new bytes back from the data cache and invalidate the
   stale instruction-cache lines for that page before jumping into it */
flush_dcache_icache_page(virt_to_page((unsigned long)(handler_text)));

. , flush_dcache_page, . dcache, icache, . .

+3
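As an added user-space illustration (not code from the post or its commenters), the same copy-then-execute sequence with the cache flush the fix above relies on, plus the RW-then-RX page transition a kernel page should also have had; the function names emit_return_const and run_return_const are mine, and the hand-assembled stubs cover only x86-64 and AArch64 (other architectures are reported as not covered).

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Emit "return value" as a tiny leaf function into buf; returns the byte count,
 * or 0 on an architecture this example does not cover. */
static size_t emit_return_const(uint8_t *buf, uint32_t value) {
#if defined(__x86_64__)
    buf[0] = 0xB8;                      /* mov eax, imm32 */
    memcpy(buf + 1, &value, 4);
    buf[5] = 0xC3;                      /* ret */
    return 6;
#elif defined(__aarch64__)
    uint32_t insn[2] = { 0x52800000u | ((value & 0xFFFFu) << 5),  /* movz w0, #imm16 */
                         0xD65F03C0u };                             /* ret */
    memcpy(buf, insn, sizeof insn);
    return sizeof insn;
#else
    (void)buf; (void)value; return 0;
#endif
}

/* Copy freshly written code into a page and call it, with the two steps the kernel attempt
 * in the post lacked: a dcache/icache flush and a W^X switch (RW while writing, RX while
 * executing).  Returns the call's result, -2 if the arch is not covered, -1 on mmap failure. */
long run_return_const(uint32_t value) {
    long page = sysconf(_SC_PAGESIZE);
    uint8_t *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    size_t n = emit_return_const(mem, value);
    if (n == 0) { munmap(mem, page); return -2; }
    /* User-space counterpart of flush_dcache_icache_page(): a no-op on x86,
     * required on PowerPC and ARM before the new bytes are fetched as code. */
    __builtin___clear_cache((char *)mem, (char *)(mem + n));
    if (mprotect(mem, page, PROT_READ | PROT_EXEC) != 0) { munmap(mem, page); return -1; }
    uint32_t (*fn)(void);
    memcpy(&fn, &mem, sizeof fn);       /* object pointer -> function pointer */
    long result = fn();
    munmap(mem, page);
    return result;
}

int main(void) {
    printf("run_return_const(42) = %ld\n", run_return_const(42));
    return 0;
}
```

Without the __builtin___clear_cache call, the same program can fetch stale instruction-cache contents on PowerPC or ARM, which is exactly the illegal-instruction trap the post's kernel Oops shows.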

Source: https://habr.com/ru/post/1625414/