How the Linux kernel breaks into the process address space and modifies the process memory

Isolation of process address spaces is a notable feature of modern operating systems. This is also a distinctive feature that distinguishes it from "ancient" operating systems.

Process address space isolation means that process P1 cannot access the memory of process P2 in an arbitrary manner unless the memory is declared shared.

This is very easy to understand. Let me give you an example.

We know that in primitive savage society, there is no concept of family. All resources are shared within the tribe, and all savages can interact with any other savages in any way and at any time. This is the case with operating systems like DOS, where the memory address space is not isolated. Processes can freely access the memory of other processes.

Later, with the emergence of the concept of family, family resources were isolated and people could no longer break into other people's homes. People could no longer enter other people's homes and take other people's things in a casual manner unless the owner allowed it. After the operating system entered the modern mode, the process also had a concept similar to that of a family.

But the concept of family is virtual, people just abide by the agreement and not destroy other people's families. The house acts as a physical infrastructure that protects the family. In an operating system, the home is analogous to the virtual address space, and the house is the page table.

Neighbors can't break into your house, but the police can, and so can government officials with reasonable grounds. The so-called privileged management agencies can enter ordinary people's houses and touch the family's belongings as long as they have sufficient reasons. For an operating system, this is what the kernel can do, and the kernel can access the address space of any process.

Of course, the kernel will not break into people's homes without reason, just like the police will not break into other people's homes without reason.

However, you can have the kernel do this intentionally, to do something rogue.

Let's try it out and look at a program first:

//test.c
// gcc test.c -o test
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

int main()
{
  char* addr = mmap(NULL, 1024, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  strcpy(addr, "Zhejiang wenzhou pixie shi");

  printf("addr: %lu pid:%d\n", addr, getpid());

  printf("before:%s \n", addr);

 getchar();

  printf("after:%s\n", addr);

  return 0;
}

The output of this program is very simple. Both before and after will output "Zhejiang wenzhou pixie shi". But we want to change this sentence. What should we do? Obviously, if the test process does not modify it itself, there is nothing we can do... But we can force the kernel to modify it, just like breaking into a private house.

Next I write a kernel module:

//test.c
// make -C /lib/modules/`uname -r`/build SUBDIRS=`pwd` modules
#include <linux/mm.h>
#include <linux/sched.h>
#include <linux/module.h>

static int pid = 1;
module_param(pid, int, 0644);

static unsigned long addr = 0;
module_param(addr, long, 0644);

// Finding the page table of a process based on its virtual address is equivalent to finding the address of the family's house and then breaking in!
static pte_t* get_pte(struct task_struct *task, unsigned long address)
{
 pgd_t* pgd;
 pud_t* pud;
 pmd_t* pmd;
 pte_t* pte;
 struct mm_struct *mm = task->mm;

 pgd = pgd_offset(mm, address);
 if(pgd_none(*pgd) || pgd_bad(*pgd))
 return NULL;

 pud = pud_offset(pgd, address);
 if(pud_none(*pud) || pud_bad(*pud))
 return NULL;

 pmd = pmd_offset(pud, address);
 if(pmd_none(*pmd) || pmd_bad(*pmd))
 return NULL;

 pte = pte_offset_kernel(pmd, address);
 if (pte_none(*pte))
 return NULL;

 return pte;
}

static int test_init(void)
{
 struct task_struct *task;
 pte_t* pte;
 struct page* page;

 // Find this family task = pid_task(find_pid_ns(pid, &init_pid_ns), PIDTYPE_PID);
 // Find out where this family lives if(!(pte = get_pte(task, addr)))
 return -1;

 page = pte_page(*pte);
 // Break in by force addr = page_address(page);
 //sdajgdoiewhgikwnsviwgvwgvw
 strcpy(addr, (char *)"rain flooding water will not get fat!");
 // After the work is done, leave, hiding your achievements and fame return 0;
}

static void test_exit(void)
{
}

module_init(test_init);
module_exit(test_exit);
MODULE_LICENSE("GPL");

Come on, let's try it:

[root@10 page_replace]# ./test
addr: 140338535763968 pid:9912
before:Zhejiang wenzhou pixie shi

At this point, we load the kernel module test.ko

[root@10 test]# insmod test.ko pid=9912 addr=140338535763968
[root@10 test]#

Press Enter in the test process:

[root@10 page_replace]# ./test
addr: 140338535763968 pid:9912
before:Zhejiang wenzhou pixie shi

after:rain flooding water will not get fat!
[root@10 page_replace]#

Apparently, "your leather shoes get wet in Wenzhou, Zhejiang" has been changed to "you won't get fat if it rains and gets soaked."

Look carefully at the get_pte function of the kernel module above. To write this function correctly, you must have a certain understanding of the MMU of the machine where the process you want to ravage is located, such as whether it is a 32-bit system or a 64-bit system, and whether it is a 3-level page table, a 4-level page table, or a 5-level page table? this…

The fun of Linux lies in the fact that you can do it yourself or have someone else do it for you. For example, the physical page indicated by the page table entry of the virtual address of a process can be obtained directly.

Is there such an API? Yes, don't forget that everything is a file. In the proc file system, there is such a file:

/proc/$pid/pagemap

Reading this file, we get the page table entry of the process virtual address. The following figure is taken from the kernel Doc:

Documentation/vm/pagemap.txt

Virtual address space is per process, while physical address space is shared by all processes. In other words, physical addresses are global.

Now, according to the explanation of Documentation/vm/pagemap.txt, write a program to get the global physical address of any virtual address of any process:

// getphys.c
// gcc getphys -o getphys
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
 int fd;
 int pid;
 unsigned long pte;
 unsigned long addr;
 unsigned long phy_addr;
 char procbuf[64] = {0};

 pid = atoi(argv[1]);
 addr = atol(argv[2]);

 sprintf(procbuf, "/proc/%d/pagemap", pid);

 fd = open(procbuf, O_RDONLY);
 size_t offset = (addr/4096) * sizeof(unsigned long);
 lseek(fd, offset, SEEK_SET);

 read(fd, &pte, sizeof(unsigned long));

 phy_addr = (pte & ((((unsigned long)1) << 55) - 1))*4096 + addr%4096;
 printf("phy addr:%lu\n", phy_addr);

 return 0;
}

Then, we modify the kernel module:

#include <linux/module.h>

static unsigned long addr = 0;
module_param(addr, long, 0644);

static int test_init(void)
{
 strcpy(phys_to_virt(addr), (char *)"rain flooding water will not get fat!");
 return 0;
}

static void test_exit(void)
{
}

module_init(test_init);
module_exit(test_exit);

MODULE_LICENSE("GPL");

Run test first, then use the output of test as the input of getphys, and then use the output of getphys as the input of the kernel module test.ko, and you're done. Do you remember? Isn't this the style of piping multiple programs?

Enter a physical address and change it, that's it. The operation of obtaining the page table through the virtual address has been replaced by reading and parsing the pagemap file in user mode.

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.