<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">2016-09-05 18:57 GMT+02:00 <span dir="ltr"><<a target="_blank" href="mailto:Valdis.Kletnieks@vt.edu">Valdis.Kletnieks@vt.edu</a>></span>:<br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><span class="gmail-">On Mon, 05 Sep 2016 12:59:46 +0200, Oscar Salvador said:<br>
<br>
> I'm writing a module to read/write kernel memory, and for this I'd like to<br>
> check if a page is marked as read-only<br>
<br>
</span>Actually, you almost certainly want to do a *much* stricter check than<br>
that. If your module is doing unrestricted writes, there's almost certainly<br>
a major design failure. Modules should *only* access memory that belongs<br>
to them - for instance, a driver for some new widget shouldn't be doing<br>
anything with memory that isn't either I/O buffer space allocated for<br>
that device, or the various struct * that the driver core sets up for a device.<br>
<br>
If you're trying to scribble *anywhere*, you're either trying to write a<br>
rootkit, or you're mis-designing something that will almost certainly be<br>
abused by somebody to backdoor in a rootkit.<br>
<br>
And I don't have much sympathy for "it's just a toy module" - if you can't<br>
be bothered to write modules with proper design, you shouldn't be coding<br>
in kernelspace. Learn to do it right from the beginning and don't learn<br>
sloppy habits.<br></blockquote><div><br></div><div>I guess I explained it wrong. I'm not writing neither a rootkit nor a module which is messing with kernel memory. I'm writing a module to be able to r/w kernel/ user linear memory. It's for a forensic tool.<br></div><div>Actually it's nothing that you couldn't do with <br><br># gdb /bin/ls /proc/kcore<br></div><div># x/4w [kernel_address]<br><br></div><div>I wanted to check which kind of perms does it have a kernel page because I didn't want to be bothered by the "unable to handle kernel page request" if a user tries to write to a page which is read-only, so I wanted to check if that was the case, and just return an error in such case.<br><br></div><div>Or also if a page is not resident in memory, either because is swapped or because was never mapped (checking the _PAGE_PRESENT bit).<br><br></div><div>So far I'm using "lookup_address" to get the pte related to a kernel address in order to perform those checks, and that's working.<br><br></div><div>The only doubt I have is:<br><br></div><div>Can kernel pages be swapped? and if that's the case, there is a way to get check if a page is missing because was never mapped or because was swapped?<br></div><div><br></div><div>Thanks<br></div><div> </div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">
<br>
So what actual problem are you trying to solve by scribbling all over kernel<br>
space? There's probably a better way to do it.<br>
</blockquote></div><br><br></div></div>