A fairly important option in newer kernels
2009-07-07 16:35
Because of this option, /dev/mem-style rootkits may well become effective again: it is not enabled by default...

kernel hacking -> Filter access to /dev/mem

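However, RHEL-series kernels already enable this option, so they are still quite safe. Physical memory above 1 MB cannot be mapped, so reading kernel space is not possible.

Upgraded the kernel again to 2.6.30 with the filter option not enabled, and kernel space could be read and written once more...

Look at the code in /drivers/char/mem.c: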

/*
* This function reads the *physical* memory. The f_pos points directly to the
* memory location.
*/
static ssize_t read_mem(struct file * file, char __user * buf,
                        size_t count, loff_t *ppos)
{
...
        while (count > 0) {
                /*
                 * Handle first page in case it's not aligned
                 */
                if (-p & (PAGE_SIZE - 1))
                        sz = -p & (PAGE_SIZE - 1);
                else
                        sz = PAGE_SIZE;

                sz = min_t(unsigned long, sz, count);

                if (!range_is_allowed(p >> PAGE_SHIFT, count))
                        return -EPERM;
....

}

>> range_is_allowed

#ifdef CONFIG_STRICT_DEVMEM
static inline int range_is_allowed(unsigned long pfn, unsigned long size)
{
        u64 from = ((u64)pfn) << PAGE_SHIFT;
        u64 to = from + size;
        u64 cursor = from;

        while (cursor < to) {
                if (!devmem_is_allowed(pfn)) {
                        printk(KERN_INFO
                "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
                                current->comm, from, to);
                        return 0;
                }
                cursor += PAGE_SIZE;
                pfn++;
        }
        return 1;
}
#else
static inline int range_is_allowed(unsigned long pfn, unsigned long size)
{
        return 1;
}
#endif

>> devmem_is_allowed
/*
* devmem_is_allowed() checks to see if /dev/mem access to a certain address is
* valid. The argument is a physical page number.
*
*
* On x86-64, access has to be given to the first megabyte of ram because that area
* contains bios code and data regions used by X and dosemu and similar apps.
* Access has to be given to non-kernel-ram areas as well, these contain the PCI
* mmio resources as well as potential bios/acpi data regions.
*/
int devmem_is_allowed(unsigned long pagenr)
{
        if (pagenr <= 256)
                return 1;
        if (!page_is_ram(pagenr))
                return 1;
        return 0;
}
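
An added example, not from the original post or the kernel source: a userspace C model of the range_is_allowed() / devmem_is_allowed() checks quoted above, run against a constructed RAM map. The map, the `model_` names and the `strict` flag are assumptions made for illustration; the decision logic follows the quoted code page by page.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

/* Constructed RAM map (assumption), regions are [start, end). */
struct ram_region { uint64_t start, end; };
static const struct ram_region ram_map[] = {
    { 0x00000000ULL, 0x0009f000ULL }, /* low RAM below the BIOS area */
    { 0x00100000ULL, 0x7ff00000ULL }, /* main RAM, kernel lives here */
};

/* Stand-in for the kernel's page_is_ram(). */
static int model_page_is_ram(unsigned long pfn)
{
    uint64_t addr = (uint64_t)pfn << PAGE_SHIFT;
    for (size_t i = 0; i < sizeof(ram_map) / sizeof(ram_map[0]); i++)
        if (addr >= ram_map[i].start && addr < ram_map[i].end)
            return 1;
    return 0;
}

/* Same decision as the devmem_is_allowed() quoted above. */
static int model_devmem_is_allowed(unsigned long pfn)
{
    return pfn <= 256 || !model_page_is_ram(pfn);
}

/* strict=1 models CONFIG_STRICT_DEVMEM=y, strict=0 the stub that returns 1. */
int model_range_is_allowed(int strict, uint64_t phys, uint64_t size)
{
    unsigned long pfn = (unsigned long)(phys >> PAGE_SHIFT);
    uint64_t from = (uint64_t)pfn << PAGE_SHIFT, to = from + size;

    if (!strict)
        return 1;
    for (uint64_t cursor = from; cursor < to; cursor += PAGE_SIZE, pfn++)
        if (!model_devmem_is_allowed(pfn))
            return 0;
    return 1;
}

int main(void)
{
    printf("BIOS area, strict:        %d\n", model_range_is_allowed(1, 0xf0000, 0x10000));
    printf("RAM at 16 MB, strict:     %d\n", model_range_is_allowed(1, 0x1000000, 0x1000));
    printf("RAM at 16 MB, not strict: %d\n", model_range_is_allowed(0, 0x1000000, 0x1000));
    return 0;
}
```

Because the test is `pagenr <= 256`, page frame 256 (the page starting at exactly 1 MB) is still allowed; a range that starts below 1 MB and runs into RAM beyond that page is rejected as a whole.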

Category: Rootkit

Reader comments:
2
2009-11-20 11:13
Whoa, in 2.6.28 it's the other way around...
#ifdef CONFIG_STRICT_DEVMEM
/* This check is done in drivers/char/mem.c in case of STRICT_DEVMEM*/
static inline int range_is_allowed(unsigned long pfn, unsigned long size)
{
        return 1;
}
#else
/* This check is needed to avoid cache aliasing when PAT is enabled */
static inline int range_is_allowed(unsigned long pfn, unsigned long size)
{
        ......
        while (cursor < to) {
                if (!devmem_is_allowed(pfn)) {
                        printk(KERN_INFO
                "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
                                current->comm, from, to);
                        return 0;
                }
        .....
        return 1;
}
#endif /* CONFIG_STRICT_DEVMEM */
 