Access permissions of /dev/mem
I have a set of questions regarding /dev/mem:

Many articles on the net seem to refer to /dev/mem as the gateway to "Physical RAM". But if I am right, /dev/mem is the gateway to the "Physical Address Space" of the processor, which might include control registers of many HW peripherals and not just the RAM? Please correct me if I am wrong!

In order to prevent attackers from misusing /dev/mem and altering kernel memory, a flag CONFIG_STRICT_DEVMEM needs to be enabled, which will prevent user apps from accessing physical address space beyond 1MB. I checked the config file on my PC (Ubuntu) and found that CONFIG_STRICT_DEVMEM = y. And I wrote a program which tries to read physical memory beyond 1 MB and I was able to read! No segmentation fault or any Operation NOT Permitted error. How is this possible?

My program roughly looks like this:
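fd = open("/dev/mem", O_RDWR);
/* mmap() takes a flags argument before fd; MAP_SHARED is the usual choice for /dev/mem */
ptr = (int *) mmap(0, MAP_SIZE, PROT_READ, MAP_SHARED, fd, myAddress & (~MAP_MASK));
printf("%d", *ptr);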

Comments (2)
Yes, you're right, /dev/mem allows you to map any physical address, including non-RAM memory mapped IO. This can be useful for a quick and dirty hack to access some hardware device without writing a kernel driver.

CONFIG_STRICT_DEVMEM makes the kernel check addresses in /dev/mem with devmem_is_allowed() in arch/x86/mm/init.c, and the comment there explains:

your address 0xFFFF0000 is quite likely to be non-RAM, since BIOSes typically put IO memory just below 4GB, so that's why you're able to map it even with STRICT_DEVMEM.

What does the following yield:
I get:
So for me it does stop at 1MB.
Note that cat uses open, not mmap, so it's not an identical test.
Are you sure you're reading beyond 1MB?
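
The check described in the first answer, as an added example that is not part of the original thread or of the kernel source: it parses text in /proc/iomem format and reports whether a physical address falls in "System RAM", which is what decides whether a STRICT_DEVMEM kernel refuses the mapping. The sample map is constructed, the function names are hypothetical, and the policy is a simplified model (low 1 MB and non-RAM pass, RAM is refused) that ignores any other checks the kernel applies.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/iomem format (not taken from a real machine). */
static const char SAMPLE_IOMEM[] =
    "00001000-0009ffff : System RAM\n"
    "000a0000-000bffff : PCI Bus 0000:00\n"
    "000f0000-000fffff : System ROM\n"
    "00100000-bfffffff : System RAM\n"
    "  01000000-01ffffff : Kernel code\n"
    "fec00000-fec003ff : IOAPIC 0\n"
    "ffff0000-ffffffff : Reserved\n"
    "100000000-23fffffff : System RAM\n";

enum verdict { ALLOWED_LOW_1MB, ALLOWED_NON_RAM, DENIED_SYSTEM_RAM };

/* Return 1 if addr lies inside a "System RAM" range of the iomem text. */
static int is_system_ram(const char *iomem, unsigned long long addr)
{
    for (const char *line = iomem; line && *line; ) {
        unsigned long long start, end;
        char name[64];
        if (sscanf(line, " %llx-%llx : %63[^\n]", &start, &end, name) == 3 &&
            strcmp(name, "System RAM") == 0 && addr >= start && addr <= end)
            return 1;
        line = strchr(line, '\n');   /* advance to the next line, if any */
        if (line) line++;
    }
    return 0;
}

/* Simplified model (assumption): low 1 MB and non-RAM pass, RAM is refused. */
enum verdict strict_devmem_verdict(const char *iomem, unsigned long long addr)
{
    if (addr < 0x100000ULL) return ALLOWED_LOW_1MB;
    return is_system_ram(iomem, addr) ? DENIED_SYSTEM_RAM : ALLOWED_NON_RAM;
}

int main(void)
{
    static const char *text[] = { "allowed (low 1 MB)", "allowed (non-RAM)", "denied (System RAM)" };
    unsigned long long probes[] = { 0x1000ULL, 0x2000000ULL, 0xFFFF0000ULL, 0x100000000ULL };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("0x%llx -> %s\n", probes[i], text[strict_devmem_verdict(SAMPLE_IOMEM, probes[i])]);
    return 0;
}
```

On a real system the same text comes from /proc/iomem, which typically shows zeroed addresses unless read as root.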