emin_int11

kernel_castle

Mar 9th, 2015
  1. (aka eminus,metaizm və s. :D)
  2.  
  3.  
  4. birinci sizə şeir deyəcəm gözləyin ...///
  5.  
  6. `Sən yarımın qasidisən Əyləş sənə çay demişəm,
  7. Xəyalini göndəribdir bəs ki, mən ax-vay demişəm,
  8. Ax gecələr yatmamışam mən sənə lay-lay demişəm,
  9. Sən yatalı mən gözumə ulduzları say demişəm.`
  10.  
  11.  
  12. #yazdigimiz_yeni_kernel_implementasiya_edeceyimiz_procedur
  13.  
  14. linux redhat kernel hand by debugging ? :)--
  15. -
  16. Linux 3.19.000000 #1 date ? $_$ -15:00:00 EST 20** i686 i386 GNU/Linux
  17.  
  18. 32-bit official kernel source baxaq )
  19. snippet source - ) kernel based stackprotector.h
  20. %gs segment register üzərində 20 byte offset-ə sahibdir və %gs stack canary shared edir.
  21. %gs userland TLS istifadə edir (THREAD LOCAL STORAGE). Stack canary üçün 24 byte read only segment initialize edilir.
  22.  
  23. TLS section ELF prosesinde
  24.  
  25. (An initialized thread-local variable is allocated in a .tbss, or .tdata section.)
  26. ELF handling for TLS handling dokumentasiyasında qeyd edildiyi kimi (.tdata section-da yerləşir)
  27.  
  28.  
  29. = http://people.redhat.com/mpolacek/src/devconf2012.pdf =
  30.  
  31.  
  32. => [18] .tdata PROGBITS 08049f00 000f00 000008 00 WAT 0 0 4
  33. [19] .tbss NOBITS 08049f08 000f08 000008 00 WAT 0 0 4
  34.  
  35.  
  36. Field
  37. sh_name .tbss .tdata
  38. sh_type SHT_NOBITS SHT_PROGBITS
  39. sh_flags SHF_ALLOC + SHF_WRITE + SHF_TLS SHF_ALLOC + SHF_WRITE + SHF_TLS
  40. sh_addr virtual address of section virtual address of section
  41. sh_offset 0 file offset of initialization image
  42. sh_size size of section size of section
  43. sh_link SHN_UNDEF SHN_UNDEF
  44. sh_info 0 0
  45. sh_addralign alignment of section alignment of section
  46. sh_entsize 0 0
  47.  
  48.  
  49. elf TLS reference: www.akkadia.org/drepper/tls.pdf
  50.  
  51. linux initialize stack canary:
  52.  
  53.  
  54. 50 #define GDT_STACK_CANARY_INIT \
  55. 51 [GDT_ENTRY_STACK_CANARY] = { { { 0x00000018, 0x00409000 } } },
  56.  
  57.  
  58. TLS-dən istənilən value GDT(global descriptor table) entry dəyərinə görə fetch edilə bilir.
  59.  
  60. GDT index = ) mov %gs:20,%eax (with AT&T syntax)
  61.  
  62.  
  63. |-------------|
  64. |İndex : 2 |
  65. |-------------|
  66. |Start: 0x0066| =========== ) |MEMORY|
  67. |-------------|
  68. | len: 0xfff |
  69. |-------------|
  70. GDT
  71.  
  72.  
  73. qaçaraq marşşşşşşşşşşşş
  74.  
  75. first step TLS support
  76. 21 void check_host_supports_tls(int *supports_tls, int *tls_min)
  77. 22 {
  78. 23 /* Values for x86 and x86_64.*/
  79. 24 int val[] = {GDT_ENTRY_TLS_MIN_I386, GDT_ENTRY_TLS_MIN_X86_64};
  80. 25 int i;
  81. 26
  82. 27 for (i = 0; i < ARRAY_SIZE(val); i++) {
  83. 28 user_desc_t info;
  84. 29 info.entry_number = val[i];
  85. 30
  86. 31 if (syscall(__NR_get_thread_area, &info) == 0) {
  87. 32 *tls_min = val[i];
  88. 33 *supports_tls = 1;
  89. 34 return;
  90. 35 } else {
  91. 36 if (errno == EINVAL)
  92. 37 continue;
  93. 38 else if (errno == ENOSYS)
  94. 39 *supports_tls = 0;
  95. 40 return;
  96. 41 }
  97. 42 }
  98. 43
  99. 44 *supports_tls = 0;
  100. 45 }
  101.  
  102. defined in file http://lxr.free-electrons.com/source/arch/x86/um/shared/sysdep/tls.h#L35
  103.  
  104. 34 #ifdef __i386__
  105. 35 #define GDT_ENTRY_TLS_MIN_I386 6 ((
  106. 36 #define GDT_ENTRY_TLS_MIN_X86_64 12
  107. 37 #endif
  108. 32 bit maşında
  109.  
  110. binary (ABI) based
  111. file: http://lxr.free-electrons.com/source/arch/x86/um/os-Linux/tls.c#L58
  112.  
  113. 47 int os_set_thread_area(user_desc_t *info, int pid)
  114. 48 {
  115. 49 int ret;
  116. 50
  117. 51 ret = ptrace(PTRACE_SET_THREAD_AREA, pid, info->entry_number,
  118. 52 (unsigned long) info);
  119. 53 if (ret < 0)
  120. 54 ret = -errno;
  121. 55 return ret;
  122. 56 }
  123.  
  124.  
  125. kernel based
  126.  
  127. generasiya prosesi:
  128.  
  129. 59 static __always_inline void boot_init_stack_canary(void)
  130. 60 {
  131. 61 u64 canary;
  132. 62 u64 tsc;
  133. 63
  134. 64 #ifdef CONFIG_X86_64
  135. 65 BUILD_BUG_ON(offsetof(union irq_stack_union, stack_canary) != 40);
  136. 66 #endif
  137. 67 /*
  138. 68 * We both use the random pool and the current TSC as a source
  139. 69 * of randomness. The TSC only matters for very early init,
  140. 70 * there it already has some randomness on most systems. Later
  141. 71 * on during the bootup the random pool has true entropy too.
  142. 72 */
  143. 73 get_random_bytes(&canary, sizeof(canary));
  144. 74 tsc = __native_read_tsc();
  145. 75 canary += tsc + (tsc << 32UL);
  146. 76
  147. 77 current->stack_canary = canary;
  148. 78 #ifdef CONFIG_X86_64
  149. 79 percpu_write(irq_stack_union.stack_canary, canary);
  150. 80 #else
  151. 81 percpu_write(stack_canary.canary, canary);
  152. 82 #endif
  153. 83 }
  154.  
  155.  
  156.  
  157. 85 static inline void setup_stack_canary_segment(int cpu)
  158. 86 {
  159. 87 #ifdef CONFIG_X86_32
  160. 88 unsigned long canary = (unsigned long)&per_cpu(stack_canary, cpu);
  161. 89 struct desc_struct *gdt_table = get_cpu_gdt_table(cpu);
  162. 90 struct desc_struct desc;
  163. 91
  164. 92 desc = gdt_table[GDT_ENTRY_STACK_CANARY];
  165. 93 desc.base0 = canary & 0xffff;
  166. 94 desc.base1 = (canary >> 16) & 0xff;
  167. 95 desc.base2 = (canary >> 24) & 0xff;
  168. 96 write_gdt_entry(gdt_table, GDT_ENTRY_STACK_CANARY, &desc, DESCTYPE_S);
  169. 97 #endif
  170. 98 }
  171.  
  172.  
  173. Snippet: asm code
  174.  
  175. ================= ) xorl %gs:20, %edx
  176.  
  177.  
  178. |-----------------------------------|
  179. | function param |
  180. |-----------------------------------|
  181. | (RET) |
  182. |-----------------------------------|
  183. | canary (get_random_bytes :D ) | === ) canary says: məni spawn etsən xuy gedərsən yuxarı (pushhhhhhhhh)
  184.  
  185.  
  186. |-----------------------------------|
  187. | frame pointer |
  188. |-----------------------------------|
  189. | vars |
  190. |-----------------------------------|
  191.  
  192.  
  193. 73 void __stack_chk_guard_setup(void)
  194. 74 {
  195. 75 __stack_chk_guard = 0x000a0dff;
  196. 76 }
  197. 77