时间戳

首页 > 解决方案 > C Linux内核页面干扰以前的变量

c - C Linux内核页面干扰以前的变量

问题描述

我想挂read在linux内核中以实现显示哪个进程读取/home/xytao/safe目录中的文件。

// get absolute file path from file struct
char *get_filename(struct file *file)
{
    char *buf = (char *)__get_free_page(GFP_KERNEL);
    if (!buf)
    {
        return NULL;
    }
    char *filename = dentry_path_raw(file->f_path.dentry, buf, PAGE_SIZE - 1);
    if (IS_ERR(filename))
    {
        free_page((unsigned long)buf);
        return NULL;
    }
    free_page((unsigned long)buf);
    return filename;
}

asmlinkage ssize_t fake_read(int __fd, void *__buf, size_t __nbytes)
{
    char *pathname;
    struct file *file;
    struct path *path;
    struct files_struct *files = current->files;
    spin_lock(&files->file_lock);
    file = fcheck_files(files, __fd);
    if (!file)
    {
        spin_unlock(&files->file_lock);
        return -ENOENT;
    }
    spin_unlock(&files->file_lock);
    ssize_t out = real_read(__fd, __buf, __nbytes);
    pathname=get_filename(file);
    if (!strncmp(pathname, "/home/xytao/safe", 15))
    {   fm_alert("pathname_before:%s\n", pathname);
        struct file *process_file = get_task_exe_file(current);
        fm_alert("process_name:%s\n", get_filename(process_file));
        fm_alert("pathname_after:%s\n:", pathname);    
    }
    return out;
}

但似乎pathname在获取进程名称后已更改,并且pathname已被get_filename(process_file).

例如,在我打开之后/home/xytao/safe/test,我得到以下输出:

[ 1181.179485] fsmonko.fake_read: pathname_before:/home/xytao/safe/test
[ 1181.179488] fsmonko.fake_read: process_name:/usr/bin/gedit
[ 1181.179490] fsmonko.fake_read: pathname_after:/home/x/usr/bin/gedit
           :
[ 1181.181590] fsmonko.fake_read: pathname_before:/home/xytao/safe/test
[ 1181.181594] fsmonko.fake_read: process_name:/usr/bin/gedit
[ 1181.181595] fsmonko.fake_read: pathname_after:/home/x/usr/bin/gedit
           :
[ 1181.190503] fsmonko.fake_read: pathname_before:/home/xytao/safe/test
[ 1181.190509] fsmonko.fake_read: process_name:/usr/bin/gedit
[ 1181.190511] fsmonko.fake_read: pathname_after:/home/x/usr/bin/gedit
           :
[ 1197.523906] fsmonko.fake_read: pathname_before:/home/xytao/safe/test
[ 1197.523915] fsmonko.fake_read: process_name:/usr/bin/nautilus

如何解决这个问题?

标签: clinuxlinux-kernelkernelrootkit

解决方案

dentry_path_raw不为您分配文件名(字符串);它将它复制到您提供的内存缓冲区中。当您释放该页面时,文件名已成为悬空引用。free_page如果您在引用它时出现页面错误会更好,但是如果立即更新页面映射,则会有性能代价。

文件名将指向您提供的缓冲区中间的某个位置,因此您可以通过以下方式在调用者中释放它:

free_page((uintptr_t)filename & PAGE_MASK);

推荐阅读