Re: Page Fault Handler Hijacking and Oops
On Thursday 4 August 2005, at 13:44, Arjan van de Ven wrote:
> On Wed, 2005-08-03 at 22:59 +0000, Vincenzo Mallozzi wrote:
> > Hi all,
> > in an LKM I've implemented, I hijack the page fault handler with a function
> > that first scans a list created by me and then calls the original page fault
> > handler.
>
>
> you forgot to attach your sourcecode.
>
I've attached some pieces of my source code in a previous email. I reattach it
below.
The data structures used are the following:
1. struct mtpmc_wrprotected_pages{
2.     unsigned long address;
3.     struct mtpmc_wrprotected_pages *next_page;
4. };
5.
6. struct mtpmc_vm_wrprotected{
7.     unsigned long vm_start;
8.     unsigned long vm_end;
9.
10.     struct mtpmc_wrprotected_pages *pages;
11.     struct mtpmc_vm_wrprotected *vm_next;
12. };
13.
14. static struct mtpmc_vm_wrprotected *mtpmc_mm_wrprotected;
in which I record the vmas and the corresponding pages that I've
write-protected.
Now I also post the other pieces of code I'm using:
The exception handler function hijacked:
15. static asmlinkage void mtpmc_handler(struct pt_regs * regs, long error_code)
16. {
17.     unsigned long address;
18.     struct mm_struct *mm;
19.     struct mtpmc_address_fault *temp;
20.
21.     unsigned long pid = current->pid;
22.     int hijack = 0;
23.
24.     /* store the old_exception handler pointer in mtpmc_old_int_handler */
25.     void (*mtpmc_old_int_handler)(struct pt_regs *,long) = (void*)mtpmc_old_handler;
26.
27.     /* get the address */
28.     __asm__("movl %%cr2,%0":"=r" (address));
29.
30.     mm = current->mm;
31.     if ((current->pid>=mtpmc_min_pid) && (current->pid<=mtpmc_max_pid))
32.         if ((error_code & 3) == 3)
33.             if (mtpmc_protected_by_us(address) == 1) /*ERROR IN CALLING THIS FUNCTION*/
34.             {
35.                 send_sig(SIGSTOP, current, 1);
36.                 hijack = 1;
37.             }
38.
39.     if (hijack != 1)
40.         (*mtpmc_old_int_handler)(regs,error_code);/*call the original handler*/
41.
42.     return;
43. }
The line that causes the error is the 33rd, during the call to the
mtpmc_protected_by_us() function. This function scans the list created by me
in which I store the values of the memory pages write-protected by me.
44. #define INSIDE(a, b, c) ( ((c) <= (b)) && ((c) >= (a)) )
45.
46. int mtpmc_protected_by_us(unsigned long addr)
47. {
48.     struct mtpmc_vm_wrprotected *wr_vma;
49.     struct mtpmc_wrprotected_pages *wr_page;
50.
51.     for (wr_vma=mtpmc_mm_wrprotected; wr_vma!=NULL; wr_vma=wr_vma->vm_next)
52.         if (INSIDE(wr_vma->vm_start, wr_vma->vm_end, addr)){
53.             for (wr_page=wr_vma->pages; wr_page!=NULL; wr_page=wr_page->next_page)
54.                 if ((addr >= wr_page->address) && (addr <(wr_page->address + PAGE_SIZE)))
55.                     return 1;
56.             return 0;
57.         }
58.
59.     return 0;
60. }
I hope these are not too many lines of code and that I've explained them well.
Thanks.
VM
--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
FAQ: http://kernelnewbies.org/faq/
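
One way to rule out the list walk itself, as an added example that is not part of the original post: the same two-level structure and lookup compiled as a user-space C program, so the boundary cases can be checked outside the fault handler. add_vma(), add_page(), the 4096-byte PAGE_SIZE and the sample addresses are assumptions made for this harness.

```c
#include <stdlib.h>
#define PAGE_SIZE 4096UL   /* assumption: i386 page size */
#define INSIDE(a, b, c) (((c) <= (b)) && ((c) >= (a)))

struct mtpmc_wrprotected_pages {
    unsigned long address;
    struct mtpmc_wrprotected_pages *next_page;
};
struct mtpmc_vm_wrprotected {
    unsigned long vm_start, vm_end;
    struct mtpmc_wrprotected_pages *pages;
    struct mtpmc_vm_wrprotected *vm_next;
};
static struct mtpmc_vm_wrprotected *mtpmc_mm_wrprotected;

/* Hypothetical helper: link a region at the list head; calloc zeroes its links. */
static struct mtpmc_vm_wrprotected *add_vma(unsigned long start, unsigned long end) {
    struct mtpmc_vm_wrprotected *v = calloc(1, sizeof(*v));
    if (!v) return NULL;
    v->vm_start = start; v->vm_end = end;
    v->vm_next = mtpmc_mm_wrprotected;
    return mtpmc_mm_wrprotected = v;
}

/* Hypothetical helper: record the page that contains addr in region v. */
static int add_page(struct mtpmc_vm_wrprotected *v, unsigned long addr) {
    struct mtpmc_wrprotected_pages *p = calloc(1, sizeof(*p));
    if (!p) return -1;
    p->address = addr & ~(PAGE_SIZE - 1);   /* store page-aligned */
    p->next_page = v->pages;
    v->pages = p;
    return 0;
}

/* Same decision as the posted lookup: 1 only if addr lies in a recorded page. */
int mtpmc_protected_by_us(unsigned long addr) {
    struct mtpmc_vm_wrprotected *v;
    struct mtpmc_wrprotected_pages *p;
    for (v = mtpmc_mm_wrprotected; v != NULL; v = v->vm_next) {
        if (!INSIDE(v->vm_start, v->vm_end, addr)) continue;
        for (p = v->pages; p != NULL; p = p->next_page)
            if (addr >= p->address && addr < p->address + PAGE_SIZE) return 1;
        return 0;   /* region matched, page not recorded */
    }
    return 0;
}

int main(void) {   /* constructed sample addresses; exit status 0 means both checks hold */
    struct mtpmc_vm_wrprotected *v = add_vma(0x08048000UL, 0x0804c000UL);
    if (!v || add_page(v, 0x08049000UL)) return 2;
    return !(mtpmc_protected_by_us(0x08049123UL) == 1 && mtpmc_protected_by_us(0x0804a000UL) == 0);
}
```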