     Linux 2.1.8 ˤ륫ͥ٥㳰
  Joerg Pommnitz <joerg@raleigh.ibm.com> ˤ

  ͥ⡼ɤưƤȤץϤФСѤǤʤ
ץफϤ줿ɥ쥹ˤ桼⡼ɥ˥
ɬפޤͥϼȤݸ뤿ᡢΥɥ쥹
Ĵ٤ʤФʤޤ

  ŤС Linux ǤϡκȤ

    int verify_area(int type, const void * addr, unsigned long size)

ȤؿǤʤƤޤ

  δؿϡɥ쥹 addr ǻϤޤꡢsize ĥΰ
type ǻꤷ (read ⤷ write) ǥ뤳Ȥǽ
ɤǧƤޤ򤪤ʤᡢverify_read ϥɥ쥹
addr ޤಾۥΰ (vma) õʤФʤޤǤ̾
ξ (ץबưƤ)ΥƥȤƤ
ԤΤϡХޤץоݤȤƤȤǤ
ĤΥͥץե󥰥ƥȤˤơ̾ɬפȤʤ
γǧȤϡʤ¿λ֤񤷤Ƥޤ

  ξ뤿ᡢLinus ϡLinux ưǽ CPU Ƥ
äƤ벾ۥѥϡɥˡΥƥȤ򤪤ʤ碌뤳Ȥ
ޤ

  ϤɤΤ褦ưΤǤ礦?

  ͥ뤬λǥԲĤǤ륢ɥ쥹˥ߤȡ
CPU ɬڡե㳰arch/i386/mm/fault.c ˤ
ڡեȥϥɥ

    void do_page_fault(struct pt_regs *regs, unsigned long error_code)

ƤӤޤåΥѥ᡼ arch/i386/kernel/entry.S 
٥륢֥ꥳɤˤäޤѥ᡼ regs 
å¸줿쥸ؤݥ󥿤ǡerror_code 㳰
ͳ򼨤ɤޤǤޤ
(do_page_fault ΥȤ
   error_code:
        bit 0 == 0  ڡʤ1 ݸˤե
        bit 1 == 0  read, 1  write
        bit 2 == 0  ͥ롢1 ϥ桼⡼
)

  do_page_fault ϺǽˡCPU ȥ쥸 CR2 饢
ǽǤäɥ쥹ޤ⤷Υɥ쥹ץ
ۥɥ쥹ΤΤǤСեȤϤ餯ڡ
åץ󤵤ƤʤäԲĤǤäȤ褦ͳ
äΤǤ礦ʤ顢䤿ؿäƤΤϡ
ǤϤʤ ɥ쥹ͭǤʤ硢ĤޤꡢΥɥ쥹ޤ
ۥΰ褬¸ߤʤ硢ǤΤ褦ʾ硢ͥ
bad_area ٥˥פޤ

  ǡͥϡ¹Ԥ³뤳Ȥǽʥɥ쥹 (fixup ) 
Ĥ뤿ᡢ㳰̿Υɥ쥹 (Ĥޤ regs->eip) Ȥ
ޤθСեȥϥɥϥ꥿󥢥ɥ쥹 (
regs->eip) ꥿󤷤ޤ¹Ԥ fixup Υɥ쥹Ƿ³
ޤ
( do_page_fault μΥɤΤǤ
        /* regs->eip is the address of the instruction that faulted.  If an
         * exception-table entry covers it, rewrite the return address so
         * the fault handler resumes at the fixup stub instead of treating
         * the fault as a kernel error (the bad_area path described above). */
        if ((fixup = search_exception_table(regs->eip)) != 0) {
                regs->eip = fixup;
                return;
        }
)

  fixup ϤɤؤƤΤǤ礦?

  䤿 fixup ˥פΤǤ顢fixup 餫˼¹Բǽ
ɤؤƤޤΥɤϥ桼˥ޥ
˱ƤޤȤơinclude/asm/unaccess.h Ƥ
get_user ޥ夲뤳ȤˤޤɤΤ
äѤʤΤǡץץåȥѥˤä줿ɤ
Ƥߤ뤳Ȥˤޤ礦ܤͻ뤿ˡ
drivers/char/console.c  get_user θƽФӤޤ

  console.c 1405  θΥ 

        get_user(c, buf);

  ץץåν (ɤߤ䤹뤿ԽƤޤ) 

(
  {
    /* Preprocessed expansion of get_user(c, buf): reads *buf from user
     * space into c.  The value of the whole statement expression is
     * __gu_err: 0 on success, -14 (-EFAULT) if the address failed the
     * range check below or the access itself faulted. */
    long __gu_err = - 14 , __gu_val = 0;
    const __typeof__(*( (  buf ) )) *__gu_addr = ((buf));
    /* The access is allowed when either
     *  - the current task's segment field is 0x18 (the "cmpl $24" in the
     *    generated code; presumably the set_fs(KERNEL_DS) case in which any
     *    address may be dereferenced -- confirm against asm/segment.h), or
     *  - the whole object [addr, addr + sizeof) lies below 0xC0000000, the
     *    start of the kernel mapping (compare the section VMAs in the
     *    objdump output below).
     * The bound is written as 0xC0000000UL - sizeof rather than
     * addr + sizeof, and sizeof is checked first, so the comparison
     * cannot wrap around on a huge address or object size. */
    if (((((0 + current_set[0])->tss.segment) == 0x18 )  ||
       (((sizeof(*(buf))) <= 0xC0000000UL) &&
       ((unsigned long)(__gu_addr ) <= 0xC0000000UL - (sizeof(*(buf)))))))
      do {
        __gu_err  = 0;
        /* One inline-asm variant per access width.  In each one label 1:
         * is the single instruction that may fault, 2: is where normal
         * execution continues, and 3: is emitted into the .fixup section:
         * on a fault it stores %3 (-14) into the error operand, zeroes the
         * value register and jumps back to 2:.  The ".long 1b,3b" pair
         * goes into __ex_table and is what search_exception_table() uses
         * to map the faulting eip onto the 3: stub. */
        switch ((sizeof(*(buf)))) {
          case 1:
            __asm__ __volatile__(
              "1:      mov" "b" " %2,%" "b" "1\n"
              "2:\n"
              ".section .fixup,\"ax\"\n"
              "3:      movl %3,%0\n"
              "        xor" "b" " %" "b" "1,%" "b" "1\n"
              "        jmp 2b\n"
              ".section __ex_table,\"a\"\n"
              "        .align 4\n"
              "        .long 1b,3b\n"
              ".text"        : "=r"(__gu_err), "=q" (__gu_val): "m"((*(struct __large_struct *)
                            (   __gu_addr   )) ), "i"(- 14 ), "0"(  __gu_err  )) ;
              break;
          case 2:
            __asm__ __volatile__(
              "1:      mov" "w" " %2,%" "w" "1\n"
              "2:\n"
              ".section .fixup,\"ax\"\n"
              "3:      movl %3,%0\n"
              "        xor" "w" " %" "w" "1,%" "w" "1\n"
              "        jmp 2b\n"
              ".section __ex_table,\"a\"\n"
              "        .align 4\n"
              "        .long 1b,3b\n"
              ".text"        : "=r"(__gu_err), "=r" (__gu_val) : "m"((*(struct __large_struct *)
                            (   __gu_addr   )) ), "i"(- 14 ), "0"(  __gu_err  ));
              break;
          case 4:
            __asm__ __volatile__(
              "1:      mov" "l" " %2,%" "" "1\n"
              "2:\n"
              ".section .fixup,\"ax\"\n"
              "3:      movl %3,%0\n"
              "        xor" "l" " %" "" "1,%" "" "1\n"
              "        jmp 2b\n"
              ".section __ex_table,\"a\"\n"
              "        .align 4\n"        "        .long 1b,3b\n"
              ".text"        : "=r"(__gu_err), "=r" (__gu_val) : "m"((*(struct __large_struct *)
                            (   __gu_addr   )) ), "i"(- 14 ), "0"(__gu_err));
              break;
          default:
            /* Only 1-, 2- and 4-byte objects are supported; __get_user_bad()
             * is presumably an undefined symbol that fails the link -- confirm. */
            (__gu_val) = __get_user_bad();
        }
      } while (0) ;
    /* Cast the raw value back to the pointee type and store it in c. */
    ((c)) = (__typeof__(*((buf))))__gu_val;
    /* Result of the statement expression: the error code. */
    __gu_err;
  }
);

  ! GCC/֥ιѤǤɤΤԲǽǤΤǡ
gcc 륳ɤ򸫤Ƥߤ뤳Ȥˤޤ礦

 >         xorl %edx,%edx
 >         movl current_set,%eax
 >         cmpl $24,788(%eax)
 >         je .L1424
 >         cmpl $-1073741825,64(%esp)
 >         ja .L1423
 > .L1424:
 >         movl %edx,%eax
 >         movl 64(%esp),%ebx
 > #APP
 > 1:      movb (%ebx),%dl                /* 줬ºݤΥ桼Ǥ */
 > 2:
 > .section .fixup,"ax"
 > 3:      movl $-14,%eax
 >         xorb %dl,%dl
 >         jmp 2b
 > .section __ex_table,"a"
 >         .align 4
 >         .long 1b,3b
 > .text
 > #NO_APP
 > .L1423:
 >         movzbl %dl,%esi

  ץƥޥɤŻ򤷤Ƥޤƻ䤿Ūǽ
ǤΤ󶡤ƤޤǤޤ? ºݤΥ桼ؤ
϶ˤǤ줵줿ɥ쥹֤Τǡ䤿ϥ桼
Υɥ쥹˥뤳ȤǤޤ.section ϲ
ΤǤ礦?????

  򤹤뤿ᡢ۸ΥͥƤߤɬפޤ 

 > objdump --section-headers vmlinux
 >
 > vmlinux:     file format elf32-i386
 >
 > Sections:
 > Idx Name          Size      VMA       LMA       File off  Algn
 >   0 .text         00098f40  c0100000  c0100000  00001000  2**4
 >                   CONTENTS, ALLOC, LOAD, READONLY, CODE
 >   1 .fixup        000016bc  c0198f40  c0198f40  00099f40  2**0
 >                   CONTENTS, ALLOC, LOAD, READONLY, CODE
 >   2 .rodata       0000f127  c019a5fc  c019a5fc  0009b5fc  2**2
 >                   CONTENTS, ALLOC, LOAD, READONLY, DATA
 >   3 __ex_table    000015c0  c01a9724  c01a9724  000aa724  2**2
 >                   CONTENTS, ALLOC, LOAD, READONLY, DATA
 >   4 .data         0000ea58  c01abcf0  c01abcf0  000abcf0  2**4
 >                   CONTENTS, ALLOC, LOAD, DATA
 >   5 .bss          00018e21  c01ba748  c01ba748  000ba748  2**2
 >                   ALLOC
 >   6 .comment      00000ec4  00000000  00000000  000ba748  2**0
 >                   CONTENTS, READONLY
 >   7 .note         00001068  00000ec4  00000ec4  000bb60c  2**0
 >                   CONTENTS, READONLY

  줿֥ȥեˤϡɸŪǤʤ ELF 
餫ˤդ¸ߤޤޤϤˡ۸μ¹Բǽ
ͥΥɤ˲äΤȻפޤ

 > objdump --disassemble --section=.text vmlinux
 >
 > c017e785 <do_con_write+c1> xorl   %edx,%edx
 > c017e787 <do_con_write+c3> movl   0xc01c7bec,%eax
 > c017e78c <do_con_write+c8> cmpl   $0x18,0x314(%eax)
 > c017e793 <do_con_write+cf> je     c017e79f <do_con_write+db>
 > c017e795 <do_con_write+d1> cmpl   $0xbfffffff,0x40(%esp,1)
 > c017e79d <do_con_write+d9> ja     c017e7a7 <do_con_write+e3>
 > c017e79f <do_con_write+db> movl   %edx,%eax
 > c017e7a1 <do_con_write+dd> movl   0x40(%esp,1),%ebx
 > c017e7a5 <do_con_write+e1> movb   (%ebx),%dl
 > c017e7a7 <do_con_write+e3> movzbl %dl,%esi

  桼ؤΥΤ10 Ĥ x86 ޥ̿ˤʤä
ޤ.section ̿ˤ줿̿ᷲϡϤ̾μ¹ԥѥ
ǤϤޤ󡣤ϡ¹Բǽեΰۤʤ륻
Ƥޤ 

 > objdump --disassemble --section=.fixup vmlinux
 >
 > c0199ff5 <.fixup+10b5> movl   $0xfffffff2,%eax
 > c0199ffa <.fixup+10ba> xorb   %dl,%dl
 > c0199ffc <.fixup+10bc> jmp    c017e7a7 <do_con_write+e3>


  ƺǸ 

 > objdump --full-contents --section=__ex_table vmlinux
 >
 >  c01aa7c4 93c017c0 e09f19c0 97c017c0 99c017c0  ................
 >  c01aa7d4 f6c217c0 e99f19c0 a5e717c0 f59f19c0  ................
 >  c01aa7e4 080a18c0 01a019c0 0a0a18c0 04a019c0  ................

  ⤷ϡʹ֤ɤळȤΤǤХȥѴ 

 >  c01aa7c4 c017c093 c0199fe0 c017c097 c017c099  ................
 >  c01aa7d4 c017c2f6 c0199fe9 c017e7a5 c0199ff5  ................
                               ^^^^^^^^^^^^^^^^^
                               򤤤ȤǤ!
 >  c01aa7e4 c0180a08 c019a001 c0180a0a c019a004  ................

  äΤǤ礦? ֥굿̿Ǥ

.section .fixup,"ax"
.section __ex_table,"a"

ϡ³ɤ ELF ֥ȥեλꤵ줿
ư褦ˤȡ֥˻ؼޤΤᡢ

3:      movl $-14,%eax
        xorb %dl,%dl
        jmp 2b

Ȥ̿ϡǽŪ˥֥ȥե .fixup ˹Ԥ

        .long 1b,3b

Ȥɥ쥹ϡ֥ȥե __ex_table 
Ԥޤ1b  3b ϥ٥Ǥ٥ 1b (1b 
äƼΥ٥ 1 ̣ޤ) ϥեȤ뤫⤷ʤ
̿Υɥ쥹ǡĤޤꡢ䤿ξϥ٥ 1 Υɥ쥹
c017e7a5 Ȥʤޤ 

Υ֥ꥳ: > 1:      movb (%ebx),%dl
vmlinux ˥󥯸  : > c017e7a5 <do_con_write+e1> movb   (%ebx),%dl

  ٥ 3 (ٸˡˤϥեȤ򰷤ɤΥɥ쥹ǡ
䤿Ǥϡμºݤͤ c0199ff5 Ǥ 

Υ֥ꥳ: > 3:      movl $-14,%eax
vmlinux ˥󥯸  : > c0199ff5 <.fixup+10b5> movl   $0xfffffff2,%eax

  ֥ꥳ

 > .section __ex_table,"a"
 >         .align 4
 >         .long 1b,3b

ϡͥ㳰ơ֥ͤ

 >  c01aa7d4 c017c2f6 c0199fe9 c017e7a5 c0199ff5  ................
                               ^줬  ^줬
                               1b       3b

c017e7a5,c0199ff5 Ȥʤޤ

 (__ex_table ˤϡɥ쥹򥢥ǽ
̿ؤΥݥ󥿡פȡɥ쥹顼뤿̿ؤ
ݥ󥿡פդĤǰȤȤƤꡢĤ¤٤Ƥޤơ
ɥ쥹顼뤿̿Τϡ__ex_table 
ǤϤʤ.fixup ¸ߤޤ__ex_table .fixup
Υȥϡ桼򻲾Ȥޥ (get_user ʤ) 
Ҥ뤿ӤäƤޤ)

  ơŬڤʲۥΰʤͥ⡼ɤΥեȤ
ȯ硢ºݤˤϲΤǤ礦

1.) ʥɥ쥹˥ 
 > c017e7a5 <do_con_write+e1> movb   (%ebx),%dl
2.) MMU 㳰
3.) CPU  do_page_fault ƤӽФ
4.) do_page_fault  search_exception_table ƤӽФ (Ǥϡ
    regs->eip ͤ c017e7a5)
5.) search_exception_table 㳰ơ֥ (㳰ơ֥ȤϡĤޤ
    ELF  __ex_table ƤΤ) ǡɥ쥹 c017e7a5 
    õեȥϥɥ륳ɤΥɥ쥹 c0199ff5 ֤ޤ
    (search_exception_table 㳰ơ֥ǡɥ쥹
    ǽΤ̿ؤΥݥ󥿡ͤ c017e7a5 Ǥ
    ȥõΥȥΡɥ쥹顼뤿
    ̿ؤΥݥ󥿡 c0199ff5 ֤ޤ)
6.) do_page_fault ϼȤΥ꥿󥢥ɥ쥹򡢥եȥϥɥ륳ɤ
    ؤ褦˽꥿󤷤ޤ
7.) եȤ륳Ǽ¹Ԥ³ޤ
8.) 8a) EAX  -EFAULT (== -14) ˤʤޤ
    8b) DL    ˤʤޤ (桼֤ "read" )
    8c) ٥ 2 (եȤ򵯤Ƥ桼
        ̿Υɥ쥹) Ǽ¹Ԥ³ޤ

  8a  8c ޤǤΥƥåפϡեȤ򵯤̿򥨥ߥ졼
ޤ

  ʾǤ⤷ʤ䤿򸫤ƤʤСʤ㳰
ϥɥΥɤ EAX  -EFAULT ꤵƤΤ䤷
ʤ뤫⤷ޤ󡣤ȡºݤΤȤ桼ؤΥ
Ƥ get_user ޥ 0 ֤ԤƤ -EFAULT 
֤ޤ䤿Υꥸʥ륳ɤǤϤͤƥȤޤǤ
get_user ޥΥ饤󥢥֥ꥳɤ -EFAULT ֤
ȤƤޤGCC Ϥ֤ͤ EAX Ȥ櫓Ǥ

ա
㳰ơ֥ιˡӡ֤¤٤ȤɬΤᡢ㳰
.text ΥɤǤΤ߻Ȥ褦ˤޤ¾ΤɤΥ⡢
㳰ơ֥ȤƤʤ֤ˤƤޤΤǡ㳰ϼ
Ǥ礦


JF ץ
ԡ ɧ
