Adam Morrison wrote:
> Gcc sign-extends the "memory" pointer into a possibly-wrong value when
> casting to "off_t", which is signed. The subsequent read() therefore
> tries accessing an unmapped area in the victim process and fails.
Thank you! That was, indeed, the problem. Changing all casts to off_t to
be (off_t)((unsigned long)memory) solved the read problem.
>> It also seems that /proc/<pid>/mem only supports read(). You need to
>> change an #ifdef in fs/proc/base.c to support write(),
> Yes, they disabled it with not much explanation. See
> http://lkml.org/lkml/2006/3/10/224
>> and mmap() isn't supported at all.
More's the pity. I think accessing large chunks through mmap would have
been so much preferable to transferring data, four bytes at a time,
through the ptrace mechanism. I already have the latter written and
debugged, but I would still love to see the former. Then again, if you
look at my previous question to the list, we may have a clue as to what
the security problem may be.
Re Choo's comment about memory available through "malloc" working for
him - malloc uses "brk(2)" to allocate memory as long as it possibly
can. brk uses memory from the lower 1GB of the address space, which
means that the pointer has the "sign" bit clear. Ergo - no sign
extension. Mmap, on the other hand, uses memory from the very end of the
address space, which typically means around the 3GB area. This memory
does have the "sign" bit set, and thus gets sign extended.
In support of the compiler, I will mention that it did issue a warning
saying "procmem.c:91: warning: cast from pointer to integer of different
size". This warning, however, is very far from being understandable. I
know that "char *" is 32 bit and that "off_t" is 64 bit. I don't know
why that should pose a problem. If it said "cast from pointer to signed
integer of different size", that would have been, by far, a more helpful
warning.
Thanks, everyone
Shachar
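The sign-extension problem and the corrected cast, as an added C example that is not code from the thread. The 32-bit i386 addresses are modelled as uint32_t so the demo behaves the same on a 64-bit host; the two sample addresses (one in the brk region, one in the mmap region) are constructed, and the /proc/self/mem read applies the corrected conversion to the calling process's own memory rather than a victim's.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The original cast: a 32-bit pointer widened to the 64-bit signed off_t
 * goes through a signed 32-bit intermediate, so bit 31 of the address is
 * copied into the upper 32 bits (sign extension). */
static int64_t offset_sign_extended(uint32_t addr)
{
    return (int64_t)(int32_t)addr;
}

/* The fix from the thread, (off_t)((unsigned long)memory): widen through an
 * unsigned type first, so the upper 32 bits are zero-filled. */
static int64_t offset_zero_extended(uint32_t addr)
{
    return (int64_t)(uint32_t)addr;
}

/* Reads `len` bytes at `addr` from the calling process via /proc/self/mem
 * using the corrected conversion. Returns bytes read, or -1 on error. */
static ssize_t read_own_memory(uintptr_t addr, void *out, size_t len)
{
    int fd = open("/proc/self/mem", O_RDONLY);
    if (fd < 0)
        return -1;
    /* uintptr_t is unsigned, so widening to off_t zero-fills the upper bits */
    ssize_t n = lseek(fd, (off_t)addr, SEEK_SET) < 0 ? -1 : read(fd, out, len);
    close(fd);
    return n;
}

int main(void)
{
    /* constructed addresses: brk region (bit 31 clear), mmap region (bit 31 set) */
    uint32_t addrs[2] = { 0x08050000u, 0xb7f00000u };
    for (int i = 0; i < 2; i++)
        printf("%#x: sign-extended %lld, zero-extended %lld\n", addrs[i],
               (long long)offset_sign_extended(addrs[i]),
               (long long)offset_zero_extended(addrs[i]));
    unsigned long probe = 0x5a5a5a5aUL, copy = 0;
    if (read_own_memory((uintptr_t)&probe, &copy, sizeof copy) == (ssize_t)sizeof copy)
        printf("/proc/self/mem read back %#lx\n", copy);
    return 0;
}
```

For the mmap-region address the sign-extended offset is negative, which is why the read() in the thread landed outside the victim's mapped memory; for the brk-region address both conversions agree.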