notebook
0x01 题目分析
run.sh脚本如下:
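#!/bin/sh
# run.sh — boots the challenge kernel under QEMU.
#
# Every option below belongs to the single qemu-system-x86_64 invocation, so
# each line (including the first) must end in a backslash; without it the shell
# would start qemu with no arguments and then try to execute "-m" as a command.
#
#   -append "... oops=panic panic=1 kaslr" : KASLR on; any kernel oops becomes a
#                                            panic and the guest reboots after 1s
#   -smp cores=2,threads=2                 : several CPUs, so concurrent callers
#                                            of the driver can genuinely race
#   -cpu kvm64,+smep,+smap                 : SMEP/SMAP enabled in the guest CPU
#   -monitor /dev/null                     : QEMU monitor disabled
#   -s                                     : gdb stub, shorthand for -gdb tcp::1234
qemu-system-x86_64 \
    -m 64M \
    -kernel bzImage \
    -initrd rootfs.cpio \
    -append "loglevel=3 console=ttyS0 oops=panic panic=1 kaslr" \
    -nographic \
    -net user \
    -net nic \
    -device e1000 \
    -smp cores=2,threads=2 \
    -cpu kvm64,+smep,+smap \
    -monitor /dev/null 2>/dev/null \
    -s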
保护措施开启了kaslr、smep、smap；值得注意的是这里开启了cores=2,threads=2，多核环境下有可能是条件竞争类题型。
mynote_read函数:
// mynote_read: decompiler (IDA-style) output of the driver's read file operation.
// The author named the third parameter idx; the body tests a register-backed local
// `idxx` (rdx) that is never assigned in this listing, so presumably it aliases the
// idx argument — confirm against the disassembly.
// Returns 0 on success and -1 when the index check fails; the copy_to_user result
// is not checked.
ssize_t __fastcall mynote_read(file *file, char *buf, size_t idx, loff_t *pos)
{
unsigned __int64 idxx; // rdx — never assigned below; presumably the idx argument
unsigned __int64 v5; // rdx
size_t size; // r13 — byte count passed to copy_to_user, read from notebook[v5].size
void *note1; // rbx — kernel buffer passed to copy_to_user, read from notebook[v5].note
ssize_t result; // rax
_fentry__();
// The bound is `> 0x10`, so index 0x10 (16) is accepted here, whereas noteadd below
// rejects idx > 0xF: the two handlers disagree by one slot. The notebook array length
// is not visible on this page — confirm it before treating slot 16 as in-bounds.
if ( idxx > 0x10 )
{
printk("[x] Read idx out of range.\n", buf); // the extra `buf` argument is a decompiler artifact
result = -1LL;
}
else
{
v5 = idxx;
// Both fields are read without taking `lock` (noteadd does raw_read_lock(&lock)),
// and neither note1 == NULL nor size is validated before the copy, so the copy is
// only as safe as the writers keep the entry consistent.
size = notebook[v5].size;
note1 = notebook[v5].note;
_check_object_size(note1, size, 1LL); // hardened-usercopy check; last arg 1 presumably means "to user"
copy_to_user(buf, note1, size); // return value (bytes not copied) is ignored
printk("[*] Read success.\n");
result = 0LL;
}
return result;
}
mynote_write函数
// NOTE(review): this listing, presented as mynote_write, is byte-for-byte the
// mynote_read listing above (same signature, same "[x] Read idx out of range." and
// "[*] Read success." messages), so the actual write handler does not appear on
// this page. The comments below describe the read handler it duplicates.
ssize_t __fastcall mynote_read(file *file, char *buf, size_t idx, loff_t *pos)
{
unsigned __int64 idxx; // rdx — never assigned below; presumably the idx argument
unsigned __int64 v5; // rdx
size_t size; // r13 — byte count passed to copy_to_user
void *note1; // rbx — kernel buffer passed to copy_to_user
ssize_t result; // rax
_fentry__();
// `> 0x10` accepts index 16 while noteadd below rejects idx > 0xF; the array length
// is not shown on this page, so confirm it before treating slot 16 as in-bounds.
if ( idxx > 0x10 )
{
printk("[x] Read idx out of range.\n", buf); // extra `buf` argument is a decompiler artifact
result = -1LL;
}
else
{
v5 = idxx;
// Read without holding `lock`; note1 and size are not validated before the copy.
size = notebook[v5].size;
note1 = notebook[v5].note;
_check_object_size(note1, size, 1LL); // hardened-usercopy check
copy_to_user(buf, note1, size); // return value is ignored
printk("[*] Read success.\n");
result = 0LL;
}
return result;
}
noteadd函数
__int64 __fastcall noteadd(size_t idx, size_t size, void *buf)
{
__int64 v3; // rdx
__int64 buff; // r13
note *chunk; // rbx
size_t size1; // r14
__int64 v7; // rbx
_fentry__();
if ( idx > 0xF )
{
v7 = -1LL;
printk("[x] Add idx out of range.\n", size);
}
else
{
buff = v3;
chunk = ¬ebook[idx];
raw_read_lock(&lock);
size1 = chunk->size;
chunk->size = size;
if ( size > 0x60 )
{
chunk->size = size1;
v7 = -2LL;
printk("[x] Add size out of range.\n");
}
else
{
copy_from_user(name, buff, 0x100LL);
if ( chunk->note )
{
chunk->size = size1;
v7 = -3LL;
printk("[x] Add idx is not empty.\n");
}
else
{
chunk->note = (void *)_kmalloc(size, 0x24000C0LL);
printk("[+] Add success. %s left a note.\n", name);
v7 = 0LL;