Pass data from userland to kernel using VDSO

[emixam]

Hello,

For research purpose, I added some custom VDSO in my 2.6 kernel following this tutorial https://www.linuxjournal.com/content/cr ... er-chicken. I'm trying to pass data from the userland to the kernel. (Yes, in this direction. I know this is extremely bad from a security perspective but that's intentional. I'm literally trying to break the vdso’s security).

So I'm trying to do one of the following:
1) Disable the read-only protection of the userland variable to be able to modify this (as the kernel variable points on the same location than the user one, I will just have to check for modification in the kernel).

=> To make this work I added the VM_WRITE flag to install_special_mapping in arch_setup_additional_pages(…) from vma.c but this is not enough. I still get an unpleasant segfault when i try to increment my variable in my vdso.

2) Be notified in the kernel when the vdso have been called (maybe using an hardware breakpoint or something like that) so I can execute some code only in this case

=> I’m not sure that it is possible to create in kernelmode a breakpoint running a specific callback when ANY process executes the vdso function.

3) Maybe there is a simpler way?

I would gladly appreciate any thoughts on this problem

Thanks for your help.

[lkurusa]

Hi,

Note that this forum isn't for Linux development, it's for people writing their own operating systems.

To stay on topic, why are you trying to do this on an ancient 2.6 Linux?

[emixam]

Hi,

Note that this forum isn't for Linux development, it's for people writing their own operating systems.

I thought this forum was appropriated as I'm trying to build a custom kernel. Sorry if it's not the case.

To stay on topic, why are you trying to do this on an ancient 2.6 Linux?

The tutorial I used about VDSO is quite old and made for Linux 2.6. But since this time, the way to declare a vdso changed a lot and is quite under documented. As it’s just a PoC I’ve chosen to make it work first in a 2.6 kernel then try to “reverse enginer” the changes to make it work on a 4.x kernel. But if you think that I’ll solve my problem more easily on a recent Kernel, I can make the adaptations now.

To come back to my problem, I’m more and more convinced that the best way would be to let modify the variable from the userland. But as stated in my first post when I remove the protection (by adding VM_WRITE) I still segfault with code 7 when executing my vdso. I tried to change several other variables unsuccessfully.

I looked for a const like VM_MAYNOTWRITE in the code but this one is not defined in my version and I did not find any equivalent.

Do you have an idea how to remove write protection on that specific area?

[Nutterts]

Note that this forum isn't for Linux development, it's for people writing their own operating systems.

I thought this forum was appropriated as I'm trying to build a custom kernel. Sorry if it's not the case.

It's not so much that it's inapprocriate to ask this question here. But agree this forum isn't the best place because you have a better chance to find someone with this specific skillset in a linux kernel related dev forum.