From mboxrd@z Thu Jan 1 00:00:00 1970
From: osalvador.vilardaga@gmail.com (Oscar Salvador)
Date: Tue, 6 Sep 2016 13:23:48 +0200
Subject: check if a kernel page is read-only
In-Reply-To: <11599.1473094678@turing-police.cc.vt.edu>
References: <11599.1473094678@turing-police.cc.vt.edu>
Message-ID:
To: kernelnewbies@lists.kernelnewbies.org
List-Id: kernelnewbies.lists.kernelnewbies.org

2016-09-05 18:57 GMT+02:00 :

> On Mon, 05 Sep 2016 12:59:46 +0200, Oscar Salvador said:
>
> > I'm writing a module to read/write kernel memory, and for this I'd like to
> > check if a page is marked as read-only
>
> Actually, you almost certainly want to do a *much* stricter check than
> that. If your module is doing unrestricted writes, there's almost certainly
> a major design failure. Modules should *only* access memory that belongs
> to them - for instance, a driver for some new widget shouldn't be doing
> anything with memory that isn't either I/O buffer space allocated for
> that device, or the various struct * that the driver core sets up for a
> device.
>
> If you're trying to scribble *anywhere*, you're either trying to write a
> rootkit, or you're mis-designing something that will almost certainly be
> abused by somebody to backdoor in a rootkit.
>
> And I don't have much sympathy for "it's just a toy module" - if you can't
> be bothered to write modules with proper design, you shouldn't be coding
> in kernelspace. Learn to do it right from the beginning and don't learn
> sloppy habits.
>

I guess I explained it wrong.
I'm writing neither a rootkit nor a module which is messing with kernel
memory. I'm writing a module to be able to r/w kernel/user linear memory.
It's for a forensic tool.
Actually it's nothing that you couldn't do with

    # gdb /bin/ls /proc/kcore
    # x/4w [kernel_address]

I wanted to check which kind of perms a kernel page has, because I didn't
want to be bothered by the "unable to handle kernel page request" if a user
tries to write to a page which is read-only, so I wanted to check if that was
the case, and just return an error in such a case.
Or also if a page is not resident in memory, either because it is swapped or
because it was never mapped (checking the _PAGE_PRESENT bit).

So far I'm using "lookup_address" to get the pte related to a kernel address
in order to perform those checks, and that's working.
The only doubt I have is: can kernel pages be swapped? And if that's the
case, is there a way to check if a page is missing because it was never
mapped or because it was swapped?

Thanks

>
> So what actual problem are you trying to solve by scribbling all over kernel
> space? There's probably a better way to do it.
>
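The check described in this message, modelled in userspace as an added example (not code from the thread or from the poster's module): every page a request touches is tested for the present and read/write bits before the access, so a write that starts in a writable page and crosses into a read-only one is refused up front. The names `check_range`, `lookup` and the sample table are hypothetical; in a module the entry would come from `lookup_address()`, and huge-page levels are not modelled here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ     4096ULL
#define PTE_PRESENT (1ULL << 0)   /* x86 page-table entry, bit 0 */
#define PTE_RW      (1ULL << 1)   /* x86 page-table entry, bit 1 */

enum verdict { ACCESS_OK, ERR_BAD_RANGE, ERR_NO_ENTRY, ERR_NOT_PRESENT, ERR_READ_ONLY };
struct mapping { uint64_t vaddr; uint64_t entry; };

/* Constructed sample: addresses and entry values are made up for the example. */
static const struct mapping sample[] = {
    { 0xffff880000001000ULL, 0x8000000001234063ULL }, /* present, writable   */
    { 0xffff880000002000ULL, 0x8000000001235061ULL }, /* present, read-only  */
    { 0xffff880000003000ULL, 0x0000000001236062ULL }, /* RW set, not present */
};

/* Stand-in for lookup_address(): NULL when no entry covers the page. */
static const uint64_t *lookup(uint64_t page)
{
    for (size_t i = 0; i < sizeof(sample) / sizeof(sample[0]); i++)
        if (sample[i].vaddr == page)
            return &sample[i].entry;
    return NULL;
}

/* Return ACCESS_OK only if every page in [addr, addr + len) is present
 * and, for writes, has the RW bit set; otherwise say why it was refused. */
enum verdict check_range(uint64_t addr, uint64_t len, int want_write)
{
    uint64_t page, last;
    if (len == 0 || addr + len < addr)   /* empty or wrapping range */
        return ERR_BAD_RANGE;
    last = (addr + len - 1) & ~(PAGE_SZ - 1);
    for (page = addr & ~(PAGE_SZ - 1); ; page += PAGE_SZ) {
        const uint64_t *e = lookup(page);
        if (!e) return ERR_NO_ENTRY;
        if (!(*e & PTE_PRESENT)) return ERR_NOT_PRESENT;
        if (want_write && !(*e & PTE_RW)) return ERR_READ_ONLY;
        if (page == last) break;
    }
    return ACCESS_OK;
}

int main(void)
{
    /* 16-byte write that crosses from the writable page into the read-only one */
    printf("%d\n", check_range(0xffff880000001ff8ULL, 16, 1));
    return 0;
}
```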