mirror of
https://github.com/cirosantilli/linux-kernel-module-cheat.git
synced 2026-01-23 02:05:57 +01:00
ring0: move docs to readme
51
README.adoc
@@ -2171,6 +2171,57 @@ We also have one letter shorthand names for the architectures:
|
|||||||
|
|
||||||
Known quirks of the supported architectures are documented in this section.
|
Known quirks of the supported architectures are documented in this section.
|
||||||
|
|
||||||
|
=== x86_64
|
||||||
|
|
||||||
|
==== ring0
|
||||||
|
|
||||||
|
This example illustrates how reading from the x86 control registers with `mov crX, rax` can only be done from kernel land on ring0.
|
||||||
|
|
||||||
|
From kernel land:
|
||||||
|
|
||||||
|
....
|
||||||
|
insmod ring0.ko
|
||||||
|
....
|
||||||
|
|
||||||
|
works and output the registers, for example:
|
||||||
|
|
||||||
|
....
|
||||||
|
cr0 = 0xFFFF880080050033
|
||||||
|
cr2 = 0xFFFFFFFF006A0008
|
||||||
|
cr3 = 0xFFFFF0DCDC000
|
||||||
|
....
|
||||||
|
|
||||||
|
However if we try to do it from userland:
|
||||||
|
|
||||||
|
....
|
||||||
|
/ring0.out
|
||||||
|
....
|
||||||
|
|
||||||
|
stdout gives:
|
||||||
|
|
||||||
|
....
|
||||||
|
Segmentation fault
|
||||||
|
....
|
||||||
|
|
||||||
|
and dmesg outputs:
|
||||||
|
|
||||||
|
....
|
||||||
|
traps: ring0.out[55] general protection ip:40054c sp:7fffffffec20 error:0 in ring0.out[400000+1000]
|
||||||
|
....
|
||||||
|
|
||||||
|
Sources:
|
||||||
|
|
||||||
|
* link:kernel_module/ring0.c[]
|
||||||
|
* link:kernel_module/ring0.h[]
|
||||||
|
* link:kernel_module/user/ring0.c[]
|
||||||
|
|
||||||
|
In both cases, we attempt to run the exact same code which is shared on the `ring0.h` header file.
|
||||||
|
|
||||||
|
Bibliography:
|
||||||
|
|
||||||
|
* https://stackoverflow.com/questions/7415515/how-to-access-the-control-registers-cr0-cr2-cr3-from-a-program-getting-segmenta/7419306#7419306
|
||||||
|
* https://stackoverflow.com/questions/18717016/what-are-ring-0-and-ring-3-in-the-context-of-operating-systems/44483439#44483439
|
||||||
|
|
||||||
=== mips64
|
=== mips64
|
||||||
|
|
||||||
Keep in mind that MIPS has the worst support compared to our other architectures due to the smaller community. Patches welcome as usual.
|
Keep in mind that MIPS has the worst support compared to our other architectures due to the smaller community. Patches welcome as usual.
|
||||||
|
|||||||
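Review bot: In the sentence that introduces the example, `mov crX, rax` is written without register sigils, so it reads as Intel syntax, where the destination comes first and the instruction writes the control register, while the sentence says the example reads from it. Suggest `mov rax, crX`, or the AT&T form with `%` prefixes, so the instruction matches the text. Smaller points in the same hunk: "works and output the registers" should be "works and outputs the registers"; "stdout gives: Segmentation fault" is worth rewording, since that message is normally printed by the shell on its stderr rather than by the program on stdout; and the sample `cr0 = 0xFFFF880080050033` has non-zero upper 32 bits, which are reserved in CR0, so it is worth confirming the sample output before it goes into the docs.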
@@ -16,6 +16,3 @@ Our kernel modules!
|
|||||||
.. link:strlen_overflow.c[]
|
.. link:strlen_overflow.c[]
|
||||||
. Tracing
|
. Tracing
|
||||||
.. link:kprobe_example.c[]
|
.. link:kprobe_example.c[]
|
||||||
. Arch
|
|
||||||
.. x86
|
|
||||||
... link:ring0.c[]
|
|
||||||
|
|||||||
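Review bot: With the `. Arch`, `.. x86` and `... link:ring0.c[]` entries removed, this index no longer lists ring0.c at all, while strlen_overflow.c and kprobe_example.c keep their entries. If the list is meant to enumerate the modules in this directory, suggest keeping the ring0.c entry and pointing it at the README section rather than deleting it.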
@@ -1,13 +1,4 @@
|
|||||||
/*
|
/* https://github.com/cirosantilli/linux-kernel-module-cheat#ring0 */
|
||||||
This illustrates operations which are only possible in ring 0.
|
|
||||||
https://stackoverflow.com/questions/7415515/how-to-access-the-control-registers-cr0-cr2-cr3-from-a-program-getting-segmenta/7419306#7419306
|
|
||||||
|
|
||||||
It only works for x86_64.
|
|
||||||
|
|
||||||
Then try to run this on userland and see the process be killed:
|
|
||||||
|
|
||||||
/ring0.out
|
|
||||||
*/
|
|
||||||
|
|
||||||
#include <linux/module.h>
|
#include <linux/module.h>
|
||||||
#include <linux/kernel.h>
|
#include <linux/kernel.h>
|
||||||
|
|||||||
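Review bot: The removed header comment carried "It only works for x86_64", and in the new README text that restriction survives only through the `=== x86_64` heading above `==== ring0`. Readers following the `#ring0` link from this file land directly on the subsection, so suggest stating the x86_64-only restriction in the ring0 section text itself, or keeping it in the one-line comment here.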
@@ -1,8 +1,4 @@
|
|||||||
/*
|
/* https://github.com/cirosantilli/linux-kernel-module-cheat#ring0 */
|
||||||
See ../ring0.c
|
|
||||||
|
|
||||||
This executable is expected to segfault.
|
|
||||||
*/
|
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
|
|||||||
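Review bot: Dropping "This executable is expected to segfault." from the top of this file removes the one warning a reader sees when opening or running the program on its own; the README documents the crash, but only after following the link. Suggest keeping a short form in the new comment, for example `/* Expected to segfault, see: https://github.com/cirosantilli/linux-kernel-module-cheat#ring0 */`.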