Some useful debugging options:<br><br>CONFIG_DEBUG_STACK_USAGE<br>CONFIG_DEBUG_STACKOVERFLOW<br><br>> if you take enough large array so as to hit the heap<br>> area at that present moment (they both grow towards each other)<br>
<br>I doubt if it is true for kernel mode stack. Kernel stack allocation is plain pages allocation using zone buddy allocator (alloc_pages_node), so what is beyond that page, allocated to something else or not is really not predictable. However one thing which is predictable (and other people have pointed out as well) is overrunning thread_info struct of the current task. Also this overrun may not show up with this simple module, because there is no need to access thread_info here. My suggestions:<br>
<ol><li>Try putting a schedule call after overrunning thread_info structure, thread_info might be accessed while scheduling back current process.<br></li><li>Try to access current macro after overrun, it will try do access corrupt thread_info structure to get task_struct pointer.</li>
</ol><p>But make sure to corrupt the thread_info structure in predictive manner as pointed out in previous mails :).<br></p>-Rajat<br><br>On Sun, Sep 16, 2012 at 10:35 AM, Shreyansh Jain <<a href="mailto:shrey.linux@gmail.com">shrey.linux@gmail.com</a>> wrote:<br>
> Hi ²·ß®Ìì and list,<br>><br>> Please find my comments inline<br>><br>> On Thu, Sep 13, 2012 at 7:38 PM, ²·ß®Ìì <<a href="mailto:buyit@live.cn">buyit@live.cn</a>> wrote:<br>>> i don't know why you want to corrupt kernel stack by using this method,<br>
>> stack usually grow from high address to low address,<br>>> if you allocate a buff in a function then use memset(), it is writing data<br>>> from low address to high address.<br>>> in your implementation, you allocate an array with 8000*4=32000 bytes ( int<br>
>> arr[8000]; ), then you try to corrupt stack by using memset(), which operate<br>>> memory by bytes, rather than by int. so this memset() only corrupt the first<br>>> 8192 bytes of the buffer, which is far away from your current task stack.<br>
>><br>>> thread_info locates at the bottom of current task's stack, please<br>>> reference the source code of current_thread_info() function of your<br>>> platform. i think it is true for X86 or ARM.<br>
>><br>>> if you really want to corrupt current kernel task's stack, please try<br>>> below code, i did't test it but i think it should work, at least you can<br>>> find something from the log:<br>
>><br>>> char *sp_addr;<br>>> struct thread_info *thread = current_thread_info();<br>>> sp_addr = (char*)thread;<br>>><br>>> printk("sp_addr==thread:%p, task:%p\n", thread, thread->task);<br>
>><br>>> memset (sp_addr, 0x0, 1024);<br>>><br>>> printk("after corrupt, task:%p, it is dying...\n", thread->task);<br>><br>> Actually, after reading through the first authors email, it seems he<br>
> is trying to find the answer to "How much is maximum allocatable space<br>> on the Kernel Stack" (Shubham, please correct me if I am wrong).<br>><br>> In that essence what you have mentioned above is more of a direct<br>
> method of corrupting the thread_info structure - a definitive stack<br>> corruption.<br>><br>>><br>>><br>>>> Date: Thu, 13 Sep 2012 15:32:05 +0530<br>>>> Subject: Re: kernel stack memory<br>
>>> From: <a href="mailto:mujeeb.adil@gmail.com">mujeeb.adil@gmail.com</a><br>>>> To: <a href="mailto:getarunks@gmail.com">getarunks@gmail.com</a><br>>>> CC: <a href="mailto:shubham20006@gmail.com">shubham20006@gmail.com</a>; <a href="mailto:kernelnewbies@kernelnewbies.org">kernelnewbies@kernelnewbies.org</a><br>
>><br>>>><br>>>> Hi,<br>>>><br>>>> On Thu, Sep 13, 2012 at 1:59 PM, Arun KS <<a href="mailto:getarunks@gmail.com">getarunks@gmail.com</a>> wrote:<br>>>> > Hello Shubham,<br>
>>> ><br>>>> > On Thu, Sep 13, 2012 at 12:15 PM, shubham sharma<br>>>> > <<a href="mailto:shubham20006@gmail.com">shubham20006@gmail.com</a>><br>>>> > wrote:<br>>>> >><br>
>>> >> Hi,<br>>>> >><br>>>> >> As far as i know, the size of stack allocated in the kernel space is<br>>>> >> 8Kb for each process. But in case i use more than 8Kb of memory from<br>
>>> >> the stack then what will happen? I think that in that case the system<br>>>> >> would crash because i am accessing an illegal memory area. I wrote<br>>>> >> kernel module in which i defined an integer array whose size was 8000.<br>
>>> >> But still it did not crash my system. Why?<br>>>> >><br>>>> >> The module i wrote was as follows:<br>>>> >><br>>>> >> #include <linux/kernel.h><br>
>>> >> #include <linux/module.h><br>>>> >><br>>>> >> int __init init_my_module(void)<br>>>> >> {<br>>>> >> int arr[8000];<br>>>> >> printk("%s:%d\tmodule initilized\n", __func__, __LINE__);<br>
>>> >> arr[1] = 1;<br>>>> >> arr[4000] = 1;<br>>>> >> arr[7999] = 1;<br>>>> ><br>>>> > Instead do a memset.<br>>>> > memset(arr, 0, 8192);<br>
>>> ><br>>>> > If you do this the current calling process thread_info will be set to<br>>>> > zero.<br>>>> > This should cause a crash.<br>>>><br>>>> I tried and this is also not causing any crash.<br>
>>><br>>>> Thanks,<br>>>> Adil<br>>>> ><br>>>> > Thanks,<br>>>> > Arun<br>>>> ><br>>>> ><br>>>> >><br>>>> >> printk("%s:%d\tarr[1]:%d, arr[4000]:%d, arr[7999]:%d\n", __func__,<br>
>>> >> __LINE__, arr[1], arr[4000], arr[7999]);<br>>>> >> return 0;<br>>>> >> }<br>>>> >><br>>>> >> void __exit cleanup_my_module(void)<br>>>> >> {<br>
>>> >> printk("exiting\n");<br>>>> >> return;<br>>>> >> }<br>>>> >><br>>>> >> module_init(init_my_module);<br>>>> >> module_exit(cleanup_my_module);<br>
>>> >><br>>>> >> MODULE_LICENSE("GPL");<br>>>> >><br>><br>> Though I don't have an exact answer, but what I understand is that<br>> there is no limit imposed by the kernel while writing in the kernel<br>
> layer (as Kshemendra's first post pointed out). Thus, you keep writing<br>> what you wish till either you corrupt the next instruction set or some<br>> data structure which would be read somewhere in future (at that time<br>
> what can happen is undefined). Assuming this understanding is some<br>> what correct, if you take enough large array so as to hit the heap<br>> area at that present moment (they both grow towards each other), you<br>
> can have a undefined behavior (which may not be instantly visible).<br>><br>> This is all I can add. PCMIIW<br>><br>> Thanks.<br>> Shreyansh<br>><br>> _______________________________________________<br>
> Kernelnewbies mailing list<br>> <a href="mailto:Kernelnewbies@kernelnewbies.org">Kernelnewbies@kernelnewbies.org</a><br>> <a href="http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies">http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies</a><br>
<br>