0.
内核态要修改代码段(.text)或者const常量等只读区,通常是通过修改cr0寄存器的wp比特位,关闭只读页面的写保护。
其实反过来想,如果不关闭写保护,而改变页面的读写属性,将只读页面属性改为可读写的,应该可以同样达到目的。
1.
写完也算对页表有个交代,内核包装太多(其实这部分和0.11差不多),看着太烦
2.(可怜我虚拟机dump_stack了N次,还好我从中慢慢学会看内核调试信息了:)
给出关键代码,可以拿此在替换系统调用之前使用,这样内核不会报页面保护错误。
通过内核虚拟地址addr找寻他在内存中的pte项目,再将其读写位置1(PAGE_RW == 2 , pte的bit-1位)
这个是从dump_stack中分离改进的代码(内核宏看着就是舒服)
unsigned int enable_write(unsigned int addr)
{
pgd_t *base = __va(read_cr3());
pgd_t *pgd = &base[pgd_index(addr)];
pmd_t *pmd;
pte_t *pte;
pmd = pmd_offset(pud_offset(pgd,addr), addr);
printk(KERN_ALERT "*pde:0x%x/n", (unsigned int)pmd->pud.pgd.pgd);
pte = pte_offset_kernel(pmd,addr);
pte->pte_low = pte->pte_low | PAGE_RW;
printk(KERN_ALERT "*pte:0x%x/n", (unsigned int)pte->pte_low);
local_flush_tlb();
sync_core();
return 0;
}
下面这个和上面效果相同,纯手工修改pte,个中辛酸只有自己能体会了(两处0xc0000000搞死自己了!),代码也是相当的丑:P
unsigned int enable_write(unsigned int addr)
{
unsigned int ps;
unsigned int *pt;
unsigned int *pte_base;
unsigned int *pte;
unsigned int ret;
asm volatile ("movl %%cr3, %%eax":"=a"(ps):);
pt = (unsigned int *)(0xc0000000 + (ps + ((addr >> 20) & 0xffc)));
printk(KERN_ALERT "*pgd:0x%x/n", *pt);
pte_base = (unsigned int *)(((*pt) & 0xfffff000) + 0xc0000000);
pte = &pte_base[(addr >> 12) & 0x3ff];
printk(KERN_ALERT "*pte:0x%x/n", *pte);
ret = *pte;
*pte = (*pte) | 2;
__flush_tlb_one((unsigned long)addr);
printk(KERN_ALERT "*pte:0x%x/n", *pte);
return ret;
}