Disable write protection for memory pages in ARM


Problem description

I've researched the topic of disabling write protection on kernel text on Linux, and I can only find solutions for x86 Linux, which temporarily clear bit 16 of the cr0 register, write to the memory, and then set bit 16 of the cr0 register again. However, this does not work for ARMv6 and above. An example of this is within this page: Linux Kernel: System call hooking example.

The cr0 register is not present in the ARM architecture, and a few of the functions stated in the answers from the link, like lookup_address, change_page_attr, etc., aren't present in ARM either. I tried the solutions present in ARM, like set_memory_rw (which didn't change anything; writing to kernel text still causes an oops), mem_text_write_kernel_word (writing to kernel text still causes an oops), etc.

Example of an oops log (formatted for presentation):

<3>[  239.987689] RKP -> Inst bf3e0098 out of cpu_v7_set_pte_ext range\
 from c01159c4 to c0115a1c
<1>[  239.988079] Unable to handle kernel paging request at virtual\
 address c01c1d50
<1>[  239.988123] pgd = ea8e4000
<1>[  239.988280] [c01c1d50] *pgd=0da00011
<0>[  239.988377] Internal error: Oops: 80f [#1] PREEMPT SMP ARM
<4>[  239.988416] Modules linked in: my_mod(O+) wlan(PO) mhi(O)
<4>[  239.988469] CPU: 0 PID: 5443 Comm: insmod \
 Tainted: P        W  O 3.10.0-2413392 #1
<4>[  239.988521] task: e4af4ec0 ti: da95a000 task.ti: da95a000
<4>[  239.988565] PC is at my_mod_init+0x98/0x1000 [my_mod]
<4>[  239.988605] LR is at my_mod_init+0x8c/0x1000 [my_mod]

[snip]

<4>[  239.994032] [<bf3e0098>] (my_mod_init+0x98/0x1000 [my_mod]) from\
     [<c010065c>] (do_one_initcall+0xcc/0x180)
<4>[  239.994107] [<c010065c>] (do_one_initcall+0xcc/0x180) from\
     [<c01c524c>] (load_module+0x1c98/0x1fc0)
<4>[  239.994174] [<c01c524c>] (load_module+0x1c98/0x1fc0) from\
     [<c01c5670>] (SyS_init_module+0xfc/0x11c)
<4>[  239.994240] [<c01c5670>] (SyS_init_module+0xfc/0x11c) from\
     [<c0106328>] (__sys_trace_return+0x0/0x18)
<0>[  239.994303] Code: ebffebdc e59f202c e1a00004 e59f3028 (e5832d50) 
<4>[  239.994580] ---[ end trace dec6997083161644 ]---
<0>[  239.994618] Kernel panic - not syncing: Fatal exception

Even trying to register a kprobe causes a kernel oops:

<3>[  184.769314] RKP -> Inst c0abe2a0 out of cpu_v7_set_pte_ext\
    range from c01159c4 to c0115a1c
<1>[  184.769369] Unable to handle kernel paging request at\
     virtual address c0170ce4
<1>[  184.769416] pgd = dc828000
<1>[  184.769439] [c0170ce4] *pgd=0da00011
<0>[  184.769535] Internal error: Oops: 80f [#1] PREEMPT SMP ARM
<4>[  184.769572] Modules linked in: kp_mod(O+) wlan(PO) mhi(O)
<4>[  184.769620] CPU: 0 PID: 5835 Comm: insmod \
    Tainted: P        W  O 3.10.0-2413392 #1
<4>[  184.769665] task: ea0cf8c0 ti: de9a0000 task.ti: de9a0000
<4>[  184.769706] PC is at __patch_text+0x24/0x3c
<4>[  184.769734] LR is at __patch_text+0x1c/0x3c

[snip]

<4>[  184.776127] [<c0abe2a0>] (__patch_text+0x24/0x3c) from\
    [<c0abf000>] (arm_kprobe+0x24/0x34)
<4>[  184.776188] [<c0abf000>] (arm_kprobe+0x24/0x34) from\
    [<c0ac03d8>] (register_kprobe+0x4f0/0x58c)
<4>[  184.776256] [<c0ac03d8>] (register_kprobe+0x4f0/0x58c) from\
    [<bf3e0010>] (kprobe_init+0x10/0x1000 [kp_mod])
<4>[  184.776325] [<bf3e0010>] (kprobe_init+0x10/0x1000 [kp_mod]) from\
    [<c010065c>] (do_one_initcall+0xcc/0x180)
<4>[  184.776391] [<c010065c>] (do_one_initcall+0xcc/0x180) from\
    [<c01c524c>] (load_module+0x1c98/0x1fc0)
<4>[  184.776450] [<c01c524c>] (load_module+0x1c98/0x1fc0) from\
    [<c01c5670>] (SyS_init_module+0xfc/0x11c)
<4>[  184.776508] [<c01c5670>] (SyS_init_module+0xfc/0x11c) from\
    [<c0106328>] (__sys_trace_return+0x0/0x18)
<0>[  184.776563] Code: e1a00004 ebd9561f e1a01004 e1a00004 (e4815004) 
<4>[  184.776608] ---[ end trace dec6997083161644 ]---
<0>[  184.776642] Kernel panic - not syncing: Fatal exception

Can someone experienced in this area shed some light on this issue?
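The two oops reports above can be triaged mechanically. The following C program is an added example, not code from the original question or answer: it feeds dmesg lines into a small summary, decodes the "Oops: 80f" fault status the way the ARMv7 short-descriptor FSR is laid out (bit 11 = write access, FS = 0b01111 = page permission fault), and records the RKP line, which shows a page-table write being refused because it came from outside cpu_v7_set_pte_ext. The sample lines are the page's first oops, re-joined onto single lines; the struct and function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Triage summary for one ARM oops caused by a write to protected kernel memory. */
struct wp_oops {
    int rkp_blocked;          /* "RKP ->" refused a PTE write outside cpu_v7_set_pte_ext */
    unsigned long fault_addr; /* faulting virtual address */
    unsigned long fsr;        /* fault status register value, from "Oops: <hex>" */
    char pc_sym[64];          /* symbol at PC, e.g. my_mod_init+0x98/0x1000 */
};

static const char *after(const char *line, const char *key) {
    const char *p = strstr(line, key);
    return p ? p + strlen(key) : NULL;
}

/* Feed one dmesg line into the summary; returns 1 if it filled a field. */
int wp_oops_feed(struct wp_oops *o, const char *line) {
    const char *p;
    if (strstr(line, "RKP ->") && strstr(line, "out of cpu_v7_set_pte_ext range"))
        return o->rkp_blocked = 1;
    if (strstr(line, "kernel paging request") && (p = after(line, "address ")))
        return (o->fault_addr = strtoul(p, NULL, 16)) != 0;
    if ((p = after(line, "Oops: ")))
        return (o->fsr = strtoul(p, NULL, 16)) != 0;
    if ((p = after(line, "PC is at ")))
        return sscanf(p, "%63s", o->pc_sym) == 1;
    return 0;
}

/* ARMv7 short-descriptor FSR: bit 11 = write access (WnR); FS = 0b01111 (bits 3:0 =
 * 0xf with bit 10 clear) = page permission fault. "Oops: 80f" satisfies both. */
int wp_oops_is_write_permission_fault(const struct wp_oops *o) {
    return (o->fsr & 0x800) != 0 && (o->fsr & 0x40f) == 0x00f;
}

/* Constructed sample: the page's first oops, with its wrapped lines re-joined. */
const struct wp_oops *wp_oops_sample(void) {
    static const char *const lines[] = {
        "<3>[  239.987689] RKP -> Inst bf3e0098 out of cpu_v7_set_pte_ext range from c01159c4 to c0115a1c",
        "<1>[  239.988079] Unable to handle kernel paging request at virtual address c01c1d50",
        "<0>[  239.988377] Internal error: Oops: 80f [#1] PREEMPT SMP ARM",
        "<4>[  239.988565] PC is at my_mod_init+0x98/0x1000 [my_mod]" };
    static struct wp_oops o;
    memset(&o, 0, sizeof o);
    for (size_t i = 0; i < sizeof lines / sizeof *lines; i++)
        wp_oops_feed(&o, lines[i]);
    return &o;
}
```

A write-permission fault on a kernel page, combined with the RKP refusal, means the read-only mapping did exactly what it is there for; the second oops decodes the same way with PC at __patch_text.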

Recommended answer

Call set_kernel_text_rw() before hooking sys_call_table.

The path of the set_kernel_text_rw() function in the Linux kernel is arch/arm/mm/init.c.
