本文详细探讨了Linux内核中的tty_struct结构体,从ptmx的定义到write执行流程,分析了如何利用tty_struct进行内核级别的漏洞利用。文章通过fake_ops构造、kernel ROP技术,展示了在安全上下文中如何绕过SMEP保护进行提权。
kernel tty_struct exp
文章目录
tty_struct
Linux下一个特殊的驱动文件,是默认集成在linux中的, 代码在driver/tty文件夹。主要文件在 pty.c,
ptmx
可以看到其对应的 file_operations结构,定义为ptmx_fops,
然后可以看到对应的__init函数,驱动载入的初始化代码在 unix98_pty_init函数,
在此函数最后, 设置了文件 "/dev/ptmx",
在这里也可以看到我们的ptmx_fops.open被设置为了 ptmx_open函数,
定义
我们的主角: struct tty_struct结构体定义在 include/linux/tty.h,
其实唯一需要注意的是第四位的ops: const struct tty_operations *ops;,
struct tty_struct {
int magic;
struct kref kref;
struct device *dev;
struct tty_driver *driver;
const struct tty_operations *ops;
int index;
/* Protects ldisc changes: Lock tty not pty */
struct ld_semaphore ldisc_sem;
struct tty_ldisc *ldisc;
struct mutex atomic_write_lock;
struct mutex legacy_mutex;
struct mutex throttle_mutex;
struct rw_semaphore termios_rwsem;
struct mutex winsize_mutex;
spinlock_t ctrl_lock;
spinlock_t flow_lock;
/* Termios values are protected by the termios rwsem */
struct ktermios termios, termios_locked;
struct termiox *termiox; /* May be NULL for unsupported */
char name[64];
struct pid *pgrp; /* Protected by ctrl lock */
struct pid *session;
unsigned long flags;
int count;
struct winsize winsize; /* winsize_mutex */
unsigned long stopped:1, /* flow_lock */
flow_stopped:1,
unused:BITS_PER_LONG - 2;
int hw_stopped;
unsigned long ctrl_status:8, /* ctrl_lock */
packet:1,
unused_ctrl:BITS_PER_LONG - 9;
unsigned int receive_room; /* Bytes free for queue */
int flow_change;
struct tty_struct *link;
struct fasync_struct *fasync;
int alt_speed; /* For magic substitution of 38400 bps */
wait_queue_head_t write_wait;
wait_queue_head_t read_wait;
struct work_struct hangup_work;
void *disc_data;
void *driver_data;
struct list_head tty_files;
#define N_TTY_BUF_SIZE 4096
int closing;
unsigned char *write_buf;
int write_cnt;
/* If the tty has a pending do_SAK, queue it here - akpm */
struct work_struct SAK_work;
struct tty_port *port;
};
这个tty_operations定义在include/linux/tty_driver.h, 可以看到 大量的hook位。
struct tty_operations {
struct tty_struct * (*lookup)(struct tty_driver *driver,
struct inode *inode, int idx);
int (*install)(struct tty_driver *driver, struct tty_struct *tty);
void (*remove)(struct tty_driver *driver, struct tty_struct *tty);
int (*open)(struct tty_struct * tty, struct file * filp);
void (*close)(struct tty_struct * tty, struct file * filp);
void (*shutdown)(struct tty_struct *tty);
void (*cleanup)(struct tty_struct *tty);
int (*write)(struct tty_struct * tty,
const unsigned char *buf, int count);
int (*put_char)(struct tty_struct *tty, unsigned char ch);
void (*flush_chars)(struct tty_struct *tty);
int (*write_room)(struct tty_struct *tty);
int (*chars_in_buffer)(struct tty_struct *tty);
int (*ioctl)(struct tty_struct *tty,
最低0.47元/天 解锁文章
1798
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
