What happens if the kernel calls printf(), which uses a system call? An example is attached. 2009/8/29 Bryan Donlan <bdonlan@xxxxxxxxx>: > 2009/8/27 fisherman <ipconfigme@xxxxxxxxx>: > >> BUT give_it_to_me_any_way_you_can() calls memset(), and memset() is a >> function in glibc. >> >> In kernel mode, can it call a function in glibc? How is the symbol resolved? > > The process's address space is mapped and accessible from kernel mode > (with the same addresses!). Normally the kernel does not execute user > code in ring0; however the exploit gets code in the user address space > to run. So the user-space version of memset() is called, from ring0. > -- Best Regards :-) ------------------------------------------- Wang Yao(王耀),wangyao@xxxxxxxxxxxxx ipconfigme@xxxxxxxxx HomePage: http://cudev.cublog.cn Research Center of Computer Network and Information Security Technology Harbin Institute Of Technology Address:NO.92 West Da-Zhi Street,NanGang District,Harbin,Heilongjiang
#include <linux/module.h> #include <linux/types.h> #include <linux/fs.h> #include <linux/cdev.h> #define DEVICE_NAME "dummy" #define __DEBUG_MSG(a,x...) do{printk(KERN_ALERT"%s %s %d:"a,__FILE__,__FUNCTION__,__LINE__,##x);}while(0) static int dummy_open(struct inode *inode, struct file *filp); static int dummy_ioctl(struct inode *inode, struct file *filp, unsigned int cmd , unsigned long arg); typedef void (*painter)(void); static int major = 0; static struct file_operations fops = { .open = dummy_open, .ioctl = dummy_ioctl }; static int dummy_open(struct inode *inode, struct file *filp) { __DEBUG_MSG("enter dummy_open\n"); return 0; } static int dummy_ioctl(struct inode *inode, struct file *filp, unsigned int cmd , unsigned long arg) { painter my_painter = (painter)arg; /* we don't care about the cmd, just exec arg() */ my_painter(); return 0; } int init_module(void) { major = register_chrdev(0, DEVICE_NAME, &fops); if ( major < 0 ) { printk(KERN_ALERT "register chrdev failed:%d\n", major); return major; } printk(KERN_ALERT "mknod /dev/%s c %d 0\n", DEVICE_NAME, major); return 0; } void cleanup_module(void) { /*unregister the device*/ unregister_chrdev(major, DEVICE_NAME); }
Attachment:
Makefile
Description: Binary data
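/*
 * user.c -- user-space half of the demo.
 *
 * Opens the dummy device and hands the address of painter() to its ioctl
 * handler, which jumps to it without leaving kernel mode.  The memcpy() and
 * printf() inside painter() therefore run from ring 0, which is what the
 * question about printf() issuing a system call from the kernel is about.
 */
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <errno.h>

#define CHAR_DEV_PATH "/dev/dummy"

/* Filled in by painter(); 8 bytes is exactly "painter" plus its terminator. */
char buf[8] = { 0 };

/*
 * Callback the module invokes.  Writes a marker into buf and prints a line
 * so both a memory write and a write(2) syscall are attempted from ring 0.
 */
void painter(void)
{
	memcpy(buf, "painter", sizeof(buf));
	printf("I am OK.\n");
}

/*
 * Returns 0 after a successful round trip.  Returns 1 when the device cannot
 * be opened or the ioctl fails; the original passed a -1 descriptor straight
 * to ioctl() and reported success regardless, which hides a missing or
 * unreadable /dev/dummy.
 */
int main(int argc, char **argv)
{
	(void)argc;
	(void)argv;

	int fd = open(CHAR_DEV_PATH, O_RDONLY);
	if (fd < 0) {
		perror("open " CHAR_DEV_PATH);
		return 1;
	}

	/* The module ignores cmd; arg is the callback address. */
	if (ioctl(fd, 1, painter) < 0) {
		perror("ioctl");
		close(fd);
		return 1;
	}

	printf("buf:%s\n", buf);
	close(fd);
	return 0;
}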