
control a function pointer in the kernel

If I have taken control of a function pointer in the kernel and can point it wherever I want, let's make it point to my own function, evil, in user land.

    err = writepage(page); // writepage is a kernel function pointer pointing to evil in userland

There is only a printf in evil; will there be a kernel panic if the kernel dereferences that function pointer? Since evil runs in kernel mode (correct me if I'm wrong), but the kernel does not know what printf is.

    #include <stdio.h>

    int evil(void) {
        printf("I don't think printf will be executed because evil is executed in kernel mode\n");
        return 0;
    }

The kernel never sees "printf"; it sees a call to a different address, just like the program doesn't call that function by its name, but sets up registers containing parameters accordingly and calls that function.

That won't work, because the address that the printf call points to is relative to the userland process' memory, and doesn't exist in kernel memory.

You have to realize that processes run in a virtual memory of their own -- none of the addresses used in a program need to make sense for a different process.

So you can't even just call a function in a userland process; you'd first have to find out where that is in memory as the kernel sees it, and then call it. Of course, it'd then run in kernel mode, but that's not surprising -- no sane OS would allow a userland process to bend internal function calls in that manner.
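As an added example (my own illustration, not code from the question or the answer): the address-range check a kernel-side dispatcher wants before following an indirect pointer such as writepage, so that a target in the user half of the address space, where evil and its printf live, is refused rather than called. The user/kernel split, the sample addresses and the function names are assumptions for an x86-64 Linux layout with 4-level paging.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed x86-64 Linux layout with 4-level paging (not stated on the page):
 * user half 0 .. 0x00007fffffffffff, kernel half 0xffff800000000000 and up,
 * and a non-canonical hole in between that can never be mapped. */
#define USER_HALF_END    0x00007fffffffffffULL
#define KERNEL_HALF_BASE 0xffff800000000000ULL
#define EFAULT_ERR       14   /* errno value the kernel reports as -EFAULT */

enum ptr_class { PTR_USER, PTR_KERNEL, PTR_NONCANONICAL };

/* Which half of the canonical address space does this pointer value fall in? */
enum ptr_class classify_ptr(uint64_t addr)
{
    if (addr <= USER_HALF_END)
        return PTR_USER;
    if (addr >= KERNEL_HALF_BASE)
        return PTR_KERNEL;
    return PTR_NONCANONICAL;
}

/* Guard for an indirect call such as writepage(page): only a target inside
 * the kernel half may be followed. A user-half target (where evil and its
 * printf live) or a non-canonical value is refused with -EFAULT instead of
 * being called. Returns 0 when the call may proceed. */
int check_indirect_target(uint64_t target)
{
    return classify_ptr(target) == PTR_KERNEL ? 0 : -EFAULT_ERR;
}

/* Constructed sample values, not addresses taken from any real system. */
static const uint64_t EVIL_USERLAND_ADDR = 0x0000555555554abcULL; /* user half */
static const uint64_t KERNEL_TEXT_ADDR   = 0xffffffff81234560ULL; /* kernel half */
static const uint64_t HOLE_ADDR          = 0x0000800000000000ULL; /* non-canonical */

int main(void)
{
    const uint64_t targets[] = { EVIL_USERLAND_ADDR, KERNEL_TEXT_ADDR, HOLE_ADDR };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("target 0x%016llx -> %s\n", (unsigned long long)targets[i],
               check_indirect_target(targets[i]) == 0 ? "callable" : "refused (-EFAULT)");
    return 0;
}
```

What this check does in software, SMEP on x86 enforces in hardware: a supervisor-mode instruction fetch from a user-accessible page faults instead of executing.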
