embedded systems 2/7jmfriedt.free.fr/master2ese_1eng.pdf · embedded systems 2/7 j.-m friedt...
TRANSCRIPT
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Embedded systems 2/7
J.-M Friedt
FEMTO-ST/departement temps-frequence
slides at jmfriedt.free.fr
September 9, 2020
1 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Operating system: the need fordrivers
• Hardware abstraction: hide low level functions so that the developercan focus on the functionalities provided by the peripheral→ a single entry point providing system calls (open, read, write,close) hiding access to hardware
• Homogeneous interface to all peripherals (“Everything is a file”)
• Only the kernel can access hardware resources (DMA, interrupts)
• Share resources and make sure only one process can access a givenhardware function
• Add functionalities to the Linux kernel: modules
2 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Virtual memory/hardware memoryHardware memory addressing• hardware memory: a value on the address bus identifies which
peripheral is active• each peripheral decodes the address bus to detect whether it is the
target of a message• only one peripheral must match a given physical address (otherwise,
conflict)Virtual memory addressing• each process has its own address space• memory organization independent of physical constraints• dynamic loading binaries and associated libraries• MMU: translates between hardware and virtual memory addresses
Virtual organization (process)
Page 3
Page 2
Page 1
Page N
4096
page & 0x00..0fff
page & 0xff..f000
Page 3
Page 2
Page 1
Page N
4096
page & 0x00..0fff
page & 0xff..f000
Physical organization (CPU)
3 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Hardware access from userspaceThrough /dev/mem
• advantage: not going through kernel abstraction layers (fast)
• drawback: not going through kernel abstraction layers (no handlingof concurrent memory access)
#i n c l u d e < f c n t l . h>#i n c l u d e <s y s /mman . h>#d e f i n e MAP SIZE 4096UL // MMU page s i z e#d e f i n e MAP MASK ( MAP SIZE−1) // mask
i n t main ( i n t argc , c h a r ∗∗ a r g v ) {i n t f d ; v o i d ∗map base , ∗ v i r t a d d r ;u n s i g n e d l o n g r e a d r e s u l t , w r i t e v a l ;o f f t t a r g e t =0x12345678 ; // p h y s i c a l @f d = open ( "/dev/mem" , O RDWR | O SYNC) ; // MMU a c c e s smap base=mmap( 0 , MAP SIZE , PROT READ | PROT WRITE , \
MAP SHARED, fd , t a r g e t & ˜MAP MASK) ;v i r t a d d r=map base+( t a r g e t & MAP MASK) ; // v i r t . @r e a d r e s u l t =∗(( u n s i g n e d l o n g ∗) v i r t a d d r ) ; // r e a d memp r i n t f ( "0x%X (%p): 0x%X\n" , t a r g e t , v i r t a d d r , r e a d r e s u l t ) ;// ∗ ( ( u n s i g n e d l o n g ∗) v i r t a d d r ) = w r i t e v a l ; // w r i t emunmap( map base , MAP SIZE ) ; c l o s e ( f d ) ; r e t u r n 0 ;
}4 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
The devmem tool
• Fast prototyping when accessing processor registers
• Available in busybox1
• Use:
Read/write from physical address
ADDRESS Address to act upon
WIDTH Width (8/16/...)
VALUE Data to be written
1$BUILDROOT/output/build/busybox-1.30.1/miscutils/devmem.c5 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Hardware access from the kernel
• Userspace: mmap on the /dev/mem pseudo-file
• Kernel space: ioremap function after requesting the address rangeused by the peripheral
#i n c l u d e < l i n u x / i o . h> // ioremap#d e f i n e IO BASE 0 xe000a000 // UG585 p . 1 3 4 7
and in the initialization function
i f ( r e q u e s t m e m r e g i o n ( IO BASE , 0 x2e4 , "GPIO test" )==NULL)p r i n t k (KERN ALERT "mem request failed" ) ;
j m f g p i o =(u32 ) ioremap ( IO BASE , 0 x2e4 ) ; // UG585 p . 1 3 4 9w r i t e l (1<<9, j m f g p i o +0x204 ) ; // d i r . o f MIO9
To free the resource:r e l e a s e m e m r e g i o n ( IO BASE , 0 x2e4 ) ;
Check if the requested memory range is available (otherwise, kernelpanic)
6 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Basic kernel module structureKernel module = “plugin” requiring strarting and ending functions
#i n c l u d e < l i n u x / module . h> /∗ Needed by a l l modules ∗/#i n c l u d e < l i n u x / k e r n e l . h> /∗ Needed f o r KERN INFO ∗/#i n c l u d e < l i n u x / i n i t . h> /∗ Needed f o r t h e macros ∗/
i n t h e l l o s t a r t ( v o i d ) ;v o i d h e l l o e n d ( v o i d ) ;
i n t h e l l o s t a r t ( ) // i n i t m o d u l e ( v o i d ){ p r i n t k (KERN INFO "Hello\n" ) ;
r e t u r n 0 ;}
v o i d h e l l o e n d ( ) // c l e a n u p m o d u l e ( v o i d ){ p r i n t k (KERN INFO "Goodbye\n" ) ;}
m o d u l e i n i t ( h e l l o s t a r t ) ;m o d u l e e x i t ( h e l l o e n d ) ;
No printf (write to /var/log/messages with printk accessible withdmesg), no floating point operation, no file operations.
7 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Kernel module compilation
A kernel module must link to the running kernel:
• requires kernel sources ($BR/output/build/linux*) or at leastconfigured headers (linux-headers-X.Y.Z-amd64 onDebian/GNU Linux)
• dedicated Makefile calling the Linux kernel Makefile modules
method on PC:
obj−m += mymod . oa l l :
make −C / l i b / modules /$ ( s h e l l uname −r ) / b u i l d \M=$ (PWD) modules
or for cross-compiling, linking to the Buildroot $BR
obj−m +=mymod . oa l l :
make ARCH=arm CROSS COMPILE=arm−l i n u x − \−C $ (BR) / output / b u i l d / l i n u x −XXX \M=$ (PWD) modules
8 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Communicating from userspacewith the kernel
Through /dev
• write, read, or control (ioctl)
• each kernel module implements its own answer to the system calls
• each peripheral is identified by its class (major number) and itsindex (minor number)
brw-rw---- 1 root disk 8, 0 Feb 28 06:21 sda
brw-rw---- 1 root disk 8, 1 Feb 28 06:21 sda1
brw-rw---- 1 root disk 8, 2 Feb 28 06:21 sda2
brw-rw---- 1 root disk 8, 3 Feb 28 06:21 sda3
[...]
crw-rw---- 1 root dialout 4, 64 Feb 28 07:21 ttyS0
crw-rw---- 1 root dialout 4, 65 Feb 28 07:21 ttyS1
crw-rw---- 1 root dialout 4, 66 Feb 28 07:21 ttyS2
crw-rw---- 1 root dialout 4, 67 Feb 28 07:21 ttyS3
In case an entry is missing (e.g. created by udev) in /dev : mknod
9 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Architecture of a POSIX 2
compliant OS
(scheduler, interrupts, timers ...)
applications
Monolithic kernel
Userspace
Module 3
(fs)
/dev/ttyUSB /dev/partport0
system fonctions, networking, process scheduling and memory sharing, vfs
(libc)
Module 1
(USB)
Module 2
(GPIO)
2/dev directory:pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap10.html
10 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
The /dev directory• includes pseudo-files linking the kernel with the user space
• each device is defined with a major number and, within each class,a minor number
• on the kernel side, a driver links to the same major number andprovides implementations of the system calls
• open()• close()• write()• read()• ioctl()
s t a t i c s t r u c t f i l e o p e r a t i o n s f o p s={ . r e a d : qadc read ,
. open : qadc open ,
. u n l o c k e d i o c t l : q a d c i o c t l ,
. r e l e a s e : q a d c r e l e a s e ,// no . w r i t e on an ADC !} ;
s t a t i c i n t i n i t q a d c i n i t ( v o i d ){ . . .
r e g i s t e r c h r d e v ( qadc major , "ppp"→↪→ , &f o p s ) ;
. . . }
m o d u l e i n i t ( q a d c i n i t ) ;m o d u l e e x i t ( q a d c e x i t ) ;
11 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Input/Output Control (ioctl)• mechanism breaking the “Everything is a file” philosophy• configures a peripheral by providing “what” index and as an
argument the “value”• no standardized command: the header file common to the driver
and the userspace program provides the list of IOCTL calls• example: OSS (Open Sound System 3) ininclude/uapi/linux/soundcard.h of the kernel source:/∗ Use i o c t l ( fd , OSS GETVERSION , &i n t ) to g e t t h e
v e r s i o n number o f t h e c u r r e n t l y a c t i v e d r i v e r . ∗/. . ./∗ IOCTL commands f o r / dev / dsp and / dev / a u d i o∗/
#d e f i n e SNDCTL DSP RESET SIO ( ’P’ , 0)#d e f i n e SNDCTL DSP SYNC SIO ( ’P’ , 1)#d e f i n e SNDCTL DSP SPEED SIOWR( ’P’ , 2 , i n t )#d e f i n e SNDCTL DSP STEREO SIOWR( ’P’ , 3 , i n t ). . .
• Userspace:s a m p l e r a t e = 48000;i f ( i o c t l ( fd , SNDCTL DSP SPEED , &s a m p l e r a t e ) == −1)
{ p e r r o r ( "SNDCTL_DSP_SPEED" ) ; e x i t (−1) ;}3http://www.linuxdevcenter.com/pub/a/linux/2007/08/02/
an-introduction-to-linux-audio.html 12 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
IOCTL: kernels t a t i c l o n g d e v i o c t l ( s t r u c t f i l e ∗ , u n s i g n e d i n t , u n s i g n e d →
↪→ l o n g ) ;
s t a t i c s t r u c t f i l e o p e r a t i o n s f o p s={ . r e a d=d e v r e a d ,
. open=dev open ,
. u n l o c k e d i o c t l=d e v i o c t l ,
. w r i t e=d e v w r i t e ,
. r e l e a s e=d e v r l s , } ;
s t a t i c l o n g d e v i o c t l ( s t r u c t f i l e ∗ f , u n s i g n e d i n t cmd , →↪→u n s i g n e d l o n g a r g )
{ s t a t i c c h a r v a r [ 1 0 ] ; // DON ’T r e a d a r g which i s l o c a t e di n t dummy ; // . . . i n u s e r s p a c e : c o p y f r o m u s e rp r i n t k (KERN ALERT "ioctl CMD%d" , cmd) ;s w i t c h ( cmd ) // one o f t h e known i o c t l{ c a s e 0 : dummy=c o p y f r o m u s e r ( var , ( c h a r ∗) arg , 5 ) ;
p r i n t k (KERN ALERT "ioctl0: %s\n" , ( c h a r ∗) v a r ) ;b r e a k ;
c a s e 1 : p r i n t k (KERN ALERT "ioctl1: %s\n" , ( c h a r ∗) v a r ) ;dummy=c o p y t o u s e r ( ( c h a r ∗) arg , var , 5 ) ;b r e a k ;
d e f a u l t : p r i n t k (KERN ALERT "unknown ioctl" ) ; b r e a k ;}r e t u r n 0 ;} 13 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
IOCTL: userspace#i n c l u d e <s y s / i o c t l . h> /∗ i o c t l ∗/#d e f i n e IOCTL SET MSG 0#d e f i n e IOCTL GET MSG 1
main ( i n t argc , c h a r ∗∗ a r g v ){ i n t f i l e d e s c , r e t v a l ;
c h a r msg [ 3 0 ] = "Message passed by ioctl\n" ;
f i l e d e s c = open ( "/dev/jmf" , 0) ;msg [ 4 ] = 0 ;r e t v a l = i o c t l ( f i l e d e s c , IOCTL SET MSG , msg ) ;r e t v a l = i o c t l ( f i l e d e s c , IOCTL GET MSG , msg ) ;
}donne (dmesg)
[ 943.551282] Hello ioctl
[ 946.385700] ioctl open
[ 946.385757] ioctl CMD0
[ 946.385758] ioctl0: Mess
[ 946.385762] ioctl CMD1
[ 946.385763] ioctl1: Mess
[ 946.385766] bye
14 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Kernel timer: direct GPIO access#d e f i n e mio 0
i n t h e l l o s t a r t ( ){ i n t d e l a y = 1 ;
u n s i g n e d i n t s ;
i f ( r e q u e s t m e m r e g i o n ( IO BASE1 , 0 x12c , "GPIO cfg" )==NULL)p r i n t k (KERN ALERT "mem request failed" ) ;
j m f g p i o = ( v o i d iomem ∗) ioremap ( IO BASE1 , 0 x4 ) ;s=r e a d l ( j m f g p i o +0x12c ) ; // PAS a s s i g n a t i o n ( c r a s h ) : masks |=(1<<22) ; // . . . GPIO c l o c kw r i t e l ( s , j m f g p i o +0x12c ) ;r e l e a s e m e m r e g i o n ( IO BASE1 , 0 x12c ) ;
i f ( r e q u e s t m e m r e g i o n ( IO BASE2 , 0 x2E4 , "GPIO test" )==NULL)p r i n t k (KERN ALERT "mem request failed" ) ;
j m f g p i o = ( v o i d iomem ∗) ioremap ( IO BASE2 , 0x2E4 ) ;w r i t e l (1<<mio , j m f g p i o +0x204 ) ; // d i r e c t i o nw r i t e l (1<<mio , j m f g p i o +0x208 ) ; // e n a b l ew r i t e l (1<<mio , j m f g p i o +0x40 ) ; // v a l u e
User Guide : Appendix B (Register Details) p.785 → gpio @ 0xE000A000→ DATA 0 en 0x040, DIRM 0 en 0x204 et OEN 0 en 0x208.
15 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Kernel timer: configuration andcallback function
Timer configuration and releasing resources when leaving the modulet i m e r s e t u p (& e x p t i m e r , do someth ing , 0 ) ; // s i n c e 4 . 1 4e x p t i m e r . e x p i r e s = j i f f i e s + d e l a y ∗ HZ ;
// HZ s p e c i f i e s number o f c l o c k t i c k s g e n e r a t e d p e r seconda d d t i m e r (& e x p t i m e r ) ;
}
v o i d h e l l o e n d ( ) // c l e a n u p m o d u l e ( v o i d ){ r e l e a s e m e m r e g i o n ( IO BASE2 , 0 x2e4 ) ;
d e l t i m e r (& e x p t i m e r ) ;}
Callback function:s t a t i c v o i d d o s o m e t h i n g ( u n s i g n e d l o n g data ){ [ . . . ]mod t imer (& e x p t i m e r , j i f f i e s + HZ) ; // r e l a u n c h t i m e r
}Accessing kernel functions requires compliance with the GPL License 4:MODULE LICENSE( "GPL" ) ;
4J. Corbet, Unexporting kallsyms lookup name(), 28/02/2020 @https://lwn.net/Articles/813350/
16 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Kernel timer: gpiolib
• Rather than accessing the low level registers, use existing kernelfunctions
• GPIO access: gpiolib
• kernel configuration (make linux-menuconfig)CONFIG_GPIO_XILINX:
Say yes here to support the Xilinx FPGA GPIO device
Symbol: GPIO_XILINX [=m]
Type : tristate
Prompt: Xilinx GPIO support
Location:
-> Device Drivers
-> GPIO Support (GPIOLIB [=y])
-> Memory mapped GPIO drivers
• we have selected not to compile static libraries but to use modulesin order to keep the ability to deactivate the libraries by removingthe module from the kernel (rmmod)
• as was seen in userspace, MIOx is refered to by the index 906+x
17 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Kernel timer – gpiolibi n t h e l l o s t a r t ( v o i d ) ;v o i d h e l l o e n d ( v o i d ) ;
i n t h e l l o s t a r t ( ){ i n t j m f g p i o =906+0; // 0 = orange , 7 = r e d ( h e a r t b e a t )
e r r=g p i o i s v a l i d ( j m f g p i o ) ;e r r=g p i o r e q u e s t o n e ( j m f g p i o , GPIOF OUT INIT LOW , "→
↪→jmf_gpio" ) ;// s e e l i n u x −XXX/ l i n u x / g p i o . h f o r a v a i l a b l e f u n c t i o n s
t i m e r s e t u p (& e x p t i m e r , do someth ing , 0 ) ; // s i n c e 4 . 1 4e x p t i m e r . e x p i r e s = j i f f i e s + d e l a y ∗ HZ ;
// HZ s p e c i f i e s number o f c l o c k t i c k s g e n e r a t e d p e r seconda d d t i m e r (& e x p t i m e r ) ;r e t u r n 0 ;
}
v o i d h e l l o e n d ( ) // c l e a n u p m o d u l e ( v o i d ){ g p i o f r e e ( j m f g p i o ) ; d e l t i m e r (& e x p t i m e r ) ;}output pin handling: gpio set value(jmf gpio,jmf stat);
Using gpiolib: the licence (GPL) of the module matters !
18 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Summary
• Two input and output functions:module init (beginning function); andmodule exit (final function);
• initialize the link between the module and userspaceregister chrdev (90 , "jmf" ,&fops );
• print message in /var/log/syslog byprintk (KERN ALERT "formated message"); (no coma !)
• ability to dynamically the dev entry pointinsmod module creates /dev/jmf bys t r u c t m i s c d e v i c e jmfdev ;
{ jmfdev . name = "jmf" ; // / dev / jmf : major=misc c l a s sjmfdev . minor = MISC DYNAMIC MINOR ;jmfdev . f o p s = &f o p s ;m i s c r e g i s t e r (& jmfdev ) ; // dyanmic c r e a t i o n / dev / jmf
}which concludes with (rmmod module):m i s c d e r e g i s t e r (& jmfdev ) ;
19 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Lab session1 compile a simple module (init, exit) on the PC – Makefile
linking to the kernel source,obj-m +=mon_module.o
all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
since$ ls -l /lib/modules/4.12.0-1-amd64/
build -> /usr/src/linux-headers-4.12.0-1-amd64
2 compile the same module for the Redpitaya by linking with thekernel sources found in buildroot – transferand execute on the Zynq
3 add communication functionsopen, close –create the /dev entry point with mknod andtest from shell and a C program
4 add IOCTL function and call from a Cprogram using ioctl()
Use conditional compilationx86 v.s ARM : #ifdef __ARMEL__5
5J.-M Friedt, Modification des appels systemes du noyau Linux : manipulation dela memoire du noyau, GNU/Linux Magazine Hors Serie 87 (Nov.-Dec 2016)
20 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Detournement des appels systeme
$ strace mkdir toto
[...]
mkdir("toto", 0777) = 0
• Un appel systeme 6 est une methode fournie par le noyau pouracceder aux ressources gerees par le systeme (norme POSIX : open,close, read, write, mkdir ...)• un programme utilisateur fait appel a un appel systeme ...• ... qui correspond a une fonction en espace noyau.• Une table des appels systeme fait la correspondance entre les deux.
⇒ manipuler les appels systemes consiste en
1 identifier l’emplacement en memoire de cette table decorrespondance
2 modifier l’adresse de la fonction appelee vers notre fonction ou ...
3 ... modifier le contenu de la memoire contenant l’adresse dedestination.
6liste des appels systemes POSIX dans/usr/include/x86 64-linux-gnu/asm/unistd 64.h
21 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Detournement des appels systeme
Attaque evidente contre lesquelles les protections sont
• interdiction d’ecrire dans les pages memoire contenant la table desappels systeme/boot/System.map-4.6.0-1-amd64: ffffffff816001e0 R sys_call_table
/proc/kallsyms : ffffffff816001e0 R sys_call_table
• ne pas exporter les symboles des appels systemes (portee desfonctions : static dans le fichier, EXPORT SYMBOL)
Question : quelles sont les fonctions exportees par le noyau vers lesmodules ?
linux-4.4.2$ grep -r EXPORT_SYMBOL * | grep \(sys_
[...]
fs/open.c:EXPORT_SYMBOL(sys_close);
kernel/time/time.c:EXPORT_SYMBOL(sys_tz);
Seul sys close() est exporte
22 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Detournement des appels systeme#i n c l u d e < l i n u x / module . h>#i n c l u d e < l i n u x / s y s c a l l s . h>
s t a t i c u n s i g n e d l o n g ∗ c h e r c h e t a b l e ( v o i d ){ u n s i g n e d l o n g i n t o f f s e t = PAGE OFFSET ; // debut k e r n e l
u n s i g n e d l o n g ∗ s c t ;p r i n t k (KERN INFO "PAGE_OFFSET =%lx\n" ,PAGE OFFSET) ;w h i l e ( o f f s e t < ULLONG MAX) // r e c h e r c h e t o u t e l a mem{ s c t = ( u n s i g n e d l o n g ∗) o f f s e t ;
i f (∗ s c t == ( u n s i g n e d l o n g )&s y s c l o s e ) // @ s y s c l o s er e t u r n s c t ; // on a t r o u v e ’ l ’@ de debut
o f f s e t += s i z e o f ( v o i d ∗) ;}
r e t u r n NULL ;}[ . . . ]
[100266.370251] PAGE_OFFSET=ffff880000000000
[100266.433568] table: ffff8800016001f8
[100266.433570] NR close: 3
[100266.433571] NR mkdir: 83 => ffffffff812020d0
coherent (16001f8-24=16001e0 car sys close est appel 3) avec
/boot/System.map-4.6.0-1-amd64: ffffffff816001e0 R sys_call_table
/proc/kallsyms : ffffffff816001e0 R sys_call_table23 / 24
Embeddedsystems 2/7
J.-M Friedt
Introduction
Virtual memoryaccess
Kernel modulebasics
Using the kernel:timers
Conclusion & labsession
Detournement des appels systemePointeur de fonction#i n c l u d e < l i n u x / module . h>#i n c l u d e < l i n u x / s y s c a l l s . h>
a s m l i n k a g e // p a s s a g e params par p i l el o n g (∗ r e f s y s m k d i r ) ( c o n s t c h a r u s e r ∗ , i n t ) ;
a s m l i n k a g el o n g mon mkdir ( c o n s t c h a r u s e r ∗pnam , i n t mode ){ p r i n t k (KERN INFO "intercept: %s:%x\n" , pnam , mode ) ;
r e t u r n 0 ;}
s t a t i c i n t i n i t m o d u l e s t a r t ( v o i d ){ a d d r t a b l e = c h e r c h e t a b l e ( ) ;
r e f s y s m k d i r =( v o i d ∗) a d d r t a b l e [ NR mkdir− N R c l o s e ] ;a d d r t a b l e [ NR mkdir− N R c l o s e ]=( u n s i g n e d l o n g )→
↪→mon mkdir ;r e t u r n ( 0 ) ;
}$ mkdir toto
[103669.045129] intercept: toto:1ff
Ne fonctionne plus de puis le noyau 4.17.0 qui n’exporte plus sys close, cfhttps://github.com/f0rb1dd3n/Reptile 24 / 24