What happens if the kernel calls printf(), which uses a system call? Example code is attached.
2009/8/29 Bryan Donlan <[email protected]>:
> 2009/8/27 fisherman <[email protected]>:
>
>> BUT give_it_to_me_any_way_you_can() calls memset(), and memset() is a
>> function in glibc.
>>
>> In kernel mode, can it call a function in glibc? How is the symbol resolved?
>
> The process's address space is mapped and accessible from kernel mode
> (with the same addresses!). Normally the kernel does not execute user
> code in ring0; however the exploit gets code in the user address space
> to run. So the user-space version of memset() is called, from ring0.
>

--
Best Regards :-)
-------------------------------------------
Wang Yao(王耀),[email protected] [email protected]
HomePage: http://cudev.cublog.cn
Research Center of Computer Network and Information Security Technology
Harbin Institute Of Technology
Address:NO.92 West Da-Zhi Street,NanGang District,Harbin,Heilongjiang
#include <linux/module.h>
#include <linux/types.h>
#include <linux/fs.h>
#include <linux/cdev.h>
/* Name under which the character device is registered. */
#define DEVICE_NAME "dummy"

/*
 * Log helper: prints the message at KERN_ALERT, prefixed with the file,
 * function and line of the call site. The format argument must be a string
 * literal because it is joined to the prefix by literal concatenation.
 */
#define __DEBUG_MSG(a, ...)                                             \
	do {                                                            \
		printk(KERN_ALERT "%s %s %d:" a,                        \
		       __FILE__, __func__, __LINE__, ##__VA_ARGS__);    \
	} while (0)

/* Forward declarations so that fops can name the handlers defined below. */
static int dummy_open(struct inode *inode, struct file *filp);
static int dummy_ioctl(struct inode *inode, struct file *filp,
		       unsigned int cmd, unsigned long arg);

/* Type of the function that dummy_ioctl() calls through its arg value. */
typedef void (*painter)(void);

/* Major number; 0 until init_module() stores register_chrdev()'s result. */
static int major = 0;

/*
 * Only open and ioctl are provided.
 * NOTE(review): the .ioctl member was removed from struct file_operations
 * in Linux 2.6.36 (only unlocked_ioctl remains), so this listing builds
 * against older kernels only.
 */
static struct file_operations fops = {
	.open  = dummy_open,
	.ioctl = dummy_ioctl,
};
/*
 * open handler: logs that it was entered and always succeeds.
 *
 * No permission or capability check is made here, so who may use the device
 * is decided only by the mode and ownership of the device node.
 */
static int dummy_open(struct inode *inode, struct file *filp)
{
	__DEBUG_MSG("enter dummy_open\n");

	return 0;
}
/*
 * ioctl handler of the demonstration device.
 *
 * DELIBERATELY UNSAFE: the unsigned long supplied by the caller is cast to a
 * function pointer and called in kernel context. cmd is ignored and arg is
 * not validated, so any process able to open the device node chooses an
 * address for the kernel to execute. The handler exists only to illustrate
 * the question discussed in this thread (user-mapped code running in ring 0)
 * and belongs on a disposable test machine, never on a system that matters.
 *
 * NOTE(review): on x86 CPUs with SMEP enabled (PXN on ARM), an instruction
 * fetch from a user page in kernel mode faults, so the call is expected to
 * oops there instead of running - confirm on the target kernel.
 *
 * Returns 0 once the called function has returned.
 */
static int dummy_ioctl(struct inode *inode, struct file *filp, unsigned int cmd , unsigned long arg)
{
	/* cmd is not inspected: every request ends in a call through arg. */
	((painter)arg)();

	return 0;
}
/*
 * Module entry point: registers the character device with a dynamically
 * assigned major number (first argument 0) and stores the result in major.
 *
 * On success it logs the mknod command needed to create the device node and
 * returns 0; on failure it logs the error and returns the negative value
 * from register_chrdev().
 *
 * The node itself is created by hand. Whoever runs mknod picks its mode, and
 * every user who can open the node reaches dummy_ioctl(), which performs no
 * checks of its own.
 */
int init_module(void)
{
	int ret = register_chrdev(0, DEVICE_NAME, &fops);

	major = ret;
	if (ret >= 0) {
		printk(KERN_ALERT "mknod /dev/%s c %d 0\n", DEVICE_NAME, ret);
		return 0;
	}

	printk(KERN_ALERT "register chrdev failed:%d\n", ret);
	return ret;
}
/*
 * Module exit point: gives back the major number that init_module()
 * obtained, which removes the device registration.
 */
void cleanup_module(void)
{
	/* major still holds the value stored by init_module(). */
	unregister_chrdev(major, DEVICE_NAME);
}
Makefile
Description: Binary data
/*
*user.c - user-space part (用户空间部分)
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>/*getpagesize*/
#include <errno.h>
#define CHAR_DEV_PATH "/dev/dummy"
char buf[8] = { 0 };
/*
 * Function whose address main() passes to the driver's ioctl.
 *
 * It copies "painter" into buf and prints a line with printf(). When the
 * driver calls it, this user-space code (and the libc routines it uses)
 * runs in kernel context, which is the situation the post asks about:
 * printf() would then issue its system call while already in ring 0.
 */
void painter()
{
	static const char tag[] = "painter";

	/* sizeof buf is 8: the seven characters plus the terminating NUL. */
	memcpy(buf, tag, sizeof buf);
	printf("I am OK.\n");
}
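/*
 * Opens the demonstration device, asks the driver to call painter() through
 * ioctl, then prints buf so the effect of the call can be seen.
 *
 * The request number 1 is arbitrary because the driver ignores cmd.
 *
 * Returns 0 on success and 1 when the device cannot be opened or the ioctl
 * fails. Previously both results were ignored, so a missing device node led
 * to an ioctl on fd -1 and an empty "buf:" line with exit status 0.
 */
int main(int argc, char **argv)
{
	int fd;
	int rc = 0;

	(void)argc;
	(void)argv;

	fd = open(CHAR_DEV_PATH, O_RDONLY);
	if (fd < 0) {
		perror("open " CHAR_DEV_PATH);
		return 1;
	}

	if (ioctl(fd, 1, painter) < 0) {
		perror("ioctl");
		rc = 1;
	}

	/* Printed even after a failed ioctl: an empty buf shows painter() did not run. */
	printf("buf:%s\n", buf);

	close(fd);
	return rc;
}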
