
Category: LINUX

2011-05-30 19:57:49

/dev/mem-style rootkits may well work again, because the protection against them is off by default...

Kernel hacking -> Filter access to /dev/mem

RHEL-family kernels have this option enabled, though, so they are still fairly safe: physical memory above 1 MB cannot be mapped, so reading kernel space through /dev/mem is impossible.

After upgrading the kernel to 2.6.30 without enabling the filter option, kernel space became readable and writable again...

Let's look at the code in drivers/char/mem.c:

/*
* This function reads the *physical* memory. The f_pos points directly to the
* memory location.
*/
static ssize_t read_mem(struct file * file, char __user * buf,
                        size_t count, loff_t *ppos)
{
...
        while (count > 0) {
                /*
                 * Handle first page in case it's not aligned
                 */
                if (-p & (PAGE_SIZE - 1))
                        sz = -p & (PAGE_SIZE - 1);
                else
                        sz = PAGE_SIZE;

                sz = min_t(unsigned long, sz, count);

                if (!range_is_allowed(p >> PAGE_SHIFT, count))
                        return -EPERM;
....

}

>> range_is_allowed

#ifdef CONFIG_STRICT_DEVMEM
static inline int range_is_allowed(unsigned long pfn, unsigned long size)
{
        u64 from = ((u64)pfn) << PAGE_SHIFT;
        u64 to = from + size;
        u64 cursor = from;

        while (cursor < to) {
                if (!devmem_is_allowed(pfn)) {
                        printk(KERN_INFO
                "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
                                current->comm, from, to);
                        return 0;
                }
                cursor += PAGE_SIZE;
                pfn++;
        }
        return 1;
}
#else
static inline int range_is_allowed(unsigned long pfn, unsigned long size)
{
        return 1;
}
#endif

>> devmem_is_allowed
/*
 * devmem_is_allowed() checks to see if /dev/mem access to a certain address is
 * valid. The argument is a physical page number.
 *
 * On x86-64, access has to be given to the first megabyte of ram because that area
 * contains bios code and data regions used by X and dosemu and similar apps.
 * Access has to be given to non-kernel-ram areas as well, these contain the PCI
 * mmio resources as well as potential bios/acpi data regions.
 */
int devmem_is_allowed(unsigned long pagenr)
{
        if (pagenr <= 256)
                return 1;
        if (!page_is_ram(pagenr))
                return 1;
        return 0;
}
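To see what the CONFIG_STRICT_DEVMEM policy above actually permits, here is a user-space model of devmem_is_allowed() and the page-by-page walk in range_is_allowed(). This is an added example, not kernel code: the "System RAM" map standing in for page_is_ram() is constructed, and PAGE_SHIFT is assumed to be 12 (4 KiB pages).

```c
/* User-space model of the CONFIG_STRICT_DEVMEM check (added example,
 * not kernel code): devmem_is_allowed() permits the first megabyte and
 * anything that is not RAM; range_is_allowed() walks the request page
 * by page and rejects it if any page is RAM above that. */
#include <stdint.h>
#include <stddef.h>

#define PAGE_SHIFT 12                /* assumed: 4 KiB pages */
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

struct ram_range { uint64_t start, end; };   /* [start, end) in bytes */

/* Constructed "System RAM" map in the spirit of /proc/iomem: low 640 KiB,
 * then RAM from 1 MiB to 2 GiB. The VGA/BIOS hole below 1 MiB and the
 * PCI MMIO space above 2 GiB are treated as non-RAM. */
static const struct ram_range system_ram[] = {
    { 0x00000000, 0x0009f000 },
    { 0x00100000, 0x80000000 },
};

static int page_is_ram(unsigned long pagenr)
{
    uint64_t addr = (uint64_t)pagenr << PAGE_SHIFT;
    for (size_t i = 0; i < sizeof system_ram / sizeof system_ram[0]; i++)
        if (addr >= system_ram[i].start && addr < system_ram[i].end)
            return 1;
    return 0;
}

/* Same policy as the kernel function quoted above: pfn <= 256 (the first
 * MiB, plus the page at exactly 1 MiB because of the <=) or non-RAM. */
int devmem_is_allowed(unsigned long pagenr)
{
    if (pagenr <= 256)
        return 1;
    if (!page_is_ram(pagenr))
        return 1;
    return 0;
}

/* Same per-page walk as range_is_allowed(): a single disallowed page in
 * the span rejects the whole read or write with -EPERM. */
int range_is_allowed(unsigned long pfn, unsigned long size)
{
    uint64_t from = (uint64_t)pfn << PAGE_SHIFT, to = from + size;
    for (uint64_t cursor = from; cursor < to; cursor += PAGE_SIZE, pfn++)
        if (!devmem_is_allowed(pfn))
            return 0;
    return 1;
}
```

With this map, a read starting in the allowed first megabyte that spills over into RAM at 0x101000 is rejected as a whole, while MMIO ranges above 2 GiB stay accessible, which is exactly why a rootkit's kernel reads fail while X and dosemu keep working.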