check if a kernel page is read-only

Oscar Salvador osalvador.vilardaga at gmail.com
Tue Sep 6 07:23:48 EDT 2016


2016-09-05 18:57 GMT+02:00 <Valdis.Kletnieks at vt.edu>:

> On Mon, 05 Sep 2016 12:59:46 +0200, Oscar Salvador said:
>
> > I'm writing a module to read/write kernel memory, and for this I'd like
> > to check if a page is marked as read-only
>
> Actually, you almost certainly want to do a *much* stricter check than
> that.  If your module is doing unrestricted writes, there's almost
> certainly a major design failure.  Modules should *only* access memory
> that belongs to them - for instance, a driver for some new widget
> shouldn't be doing anything with memory that isn't either I/O buffer
> space allocated for that device, or the various struct * that the driver
> core sets up for a device.
>
> If you're trying to scribble *anywhere*, you're either trying to write a
> rootkit, or you're mis-designing something that will almost certainly be
> abused by somebody to backdoor in a rootkit.
>
> And I don't have much sympathy for "it's just a toy module" - if you can't
> be bothered to write modules with proper design, you shouldn't be coding
> in kernelspace.  Learn to do it right from the beginning and don't learn
> sloppy habits.
>

I guess I explained it wrong. I'm writing neither a rootkit nor a
module which is messing with kernel memory. I'm writing a module to be able
to r/w kernel/user linear memory. It's for a forensic tool.
Actually it's nothing that you couldn't do with

# gdb /bin/ls /proc/kcore
# x/4w [kernel_address]

I wanted to check which kind of perms a kernel page has because I
didn't want to be bothered by the "unable to handle kernel page request" if
a user tries to write to a page which is read-only, so I wanted to check if
that was the case, and just return an error in such a case.

Or also if a page is not resident in memory, either because it is swapped or
because it was never mapped (checking the _PAGE_PRESENT bit).

So far I'm using "lookup_address" to get the pte related to a kernel
address in order to perform those checks, and that's working.

The only doubt I have is:

Can kernel pages be swapped? And if that's the case, is there a way to
check if a page is missing because it was never mapped or because it was swapped?

Thanks


>
> So what actual problem are you trying to solve by scribbling all over
> kernel space?  There's probably a better way to do it.
>
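
Added example, not part of the original message and not the poster's module: a user-space C model of the checks described above (entry never populated, entry non-zero but not present, entry read-only or writable), going one step further by requiring R/W at every level of the walk and by stopping at large-page entries. The in-memory table layout, `classify()` and `build_sample()` are hypothetical names over constructed data; in a module the same bits would be read from the entry that `lookup_address` returns.

```c
#include <stdint.h>
#include <stdio.h>
#define PG_PRESENT (1ULL << 0)              /* architectural x86-64 entry bits */
#define PG_RW      (1ULL << 1)
#define PG_PSE     (1ULL << 7)              /* large page at PUD/PMD level */
#define PG_ADDR    0x000ffffffffff000ULL
enum pg_result { PG_NOT_MAPPED, PG_NOT_PRESENT, PG_READ_ONLY, PG_WRITABLE };

/* Constructed "physical memory": table n lives at physical address n << 12. */
#define NTABLES 8
static uint64_t mem[NTABLES][512];

/* Software walk PGD(4) -> PUD(3) -> PMD(2) -> PTE(1); *level is where it stopped. */
enum pg_result classify(uint64_t va, int *level)
{
    uint64_t table = 0, rw = PG_RW;
    for (int shift = 39; shift >= 12; shift -= 9) {
        uint64_t e = mem[table][(va >> shift) & 511];
        *level = (shift - 12) / 9 + 1;
        if (e == 0) return PG_NOT_MAPPED;              /* never populated */
        if (!(e & PG_PRESENT)) return PG_NOT_PRESENT;  /* e.g. swap entry of a user page */
        rw &= e;                                       /* R/W must be set at every level */
        if (shift == 12 || (shift <= 30 && (e & PG_PSE)))
            return rw ? PG_WRITABLE : PG_READ_ONLY;    /* leaf entry reached */
        table = (e & PG_ADDR) >> 12;
        if (table >= NTABLES) return PG_NOT_MAPPED;    /* outside this model */
    }
    return PG_NOT_MAPPED;
}

void build_sample(void)                     /* constructed tables, one case per outcome */
{
    mem[0][0] = (1ULL << 12) | PG_PRESENT | PG_RW;     /* PGD -> PUD table 1 */
    mem[1][0] = (2ULL << 12) | PG_PRESENT | PG_RW;     /* PUD -> PMD table 2 */
    mem[2][0] = (3ULL << 12) | PG_PRESENT | PG_RW;     /* PMD -> PTE table 3 */
    mem[2][1] = 0x200000ULL | PG_PRESENT | PG_PSE;     /* 2M page, read-only */
    mem[2][2] = (4ULL << 12) | PG_PRESENT;             /* PMD entry without R/W */
    mem[3][0] = 0x5000ULL | PG_PRESENT | PG_RW;        /* writable 4K page */
    mem[3][1] = 0x6000ULL | PG_PRESENT;                /* read-only 4K page */
    mem[3][2] = 0x7000ULL;                             /* non-zero, not present */
    mem[4][0] = 0x8000ULL | PG_PRESENT | PG_RW;        /* R/W leaf under RO PMD */
}

int main(void)
{
    int level;
    build_sample();
    printf("0x1000 -> %d, 0x400000 -> %d\n", classify(0x1000, &level), classify(0x400000, &level));
    return 0;
}
```

The `0x400000` case is the one a leaf-only check misses: the PTE has R/W set, but the PMD entry above it does not, so the page is effectively read-only.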