https://github.com/hyperion70/iq451_mt6589/tree/master/bootable/bootloader/lk/arch
Little Kernel Boot Loader Overview
LM80-P0436-1
LK (Little kernel) source
[ARM64] lkdtm_user 테스트 결과
"exec_null"
소스 코드
/*
 * exec_null: have execute_location() call through a NULL function pointer
 * without writing anything to the target first (CODE_AS_IS).
 *
 * NOTE(review): the trace recorded below shows SIGTRAP (sig=5) raised from
 * brk_handler, not a SIGSEGV from an instruction abort. That is consistent
 * with the compiler lowering the constant-NULL call to a trap instruction,
 * in which case the NULL-page protection itself was never exercised.
 * Confirm against the disassembly.
 */
void lkdtm_EXEC_NULL(void)
{
execute_location(NULL, CODE_AS_IS);
}
/* Announce the test on stdout, then run it. */
void trace_exec_null(void)
{
/* NOTE(review): stdout is not flushed; if it is not line-buffered this message can be lost when the process is killed. */
printf("trace exec null \n");
lkdtm_EXEC_NULL();
}
관련 로그
lkdtm_user-10616 [005] d..1 679.448094: signal_generate: sig=5 errno=0 code=196609 comm=lkdtm_user pid=10616 grp=0 res=0
lkdtm_user-10616 [005] d..1 679.448102: <stack trace> // 5) SIGTRAP
=> brk_handler+0xf8/0x158 <ffffff9d4a485c10>
=> do_debug_exception+0xc8/0x150 <ffffff9d4a481bc0>
=> el0_dbg+0x14/0x1c <ffffff9d4a4840e4>
lkdtm_user-10616 [005] d..1 679.448111: signal_deliver: sig=5 errno=0 code=196609 sa_handler=0 sa_flags=0
lkdtm_user-10616 [005] d..1 679.448112: <stack trace> // 5) SIGTRAP
=> work_pending+0x8/0x10 <ffffff9d4a484408>
"exec_assert"
/*
 * exec_assert: evaluate assert(1) and print a completion message.
 *
 * assert(1) is always true, so this function never aborts and simply
 * returns after the printf(); that matches the "no log" result recorded
 * below.
 * NOTE(review): if the intent was to observe the SIGABRT path, the
 * condition would have to be false (and NDEBUG unset). Confirm intent.
 */
void lkdtm_EXEC_ASSERT(void)
{
assert(1);
printf("finishing assert \n");
}
/* Announce the test on stdout, then run it. */
void trace_exec_assert(void)
{
printf("trace exec assert \n");
lkdtm_EXEC_ASSERT();
}
관련 로그
no log
"access_null"
소스
/*
 * access_null: read through a NULL pointer, then write the modified value
 * back through the same pointer.
 *
 * NOTE(review): the trace recorded below shows SIGTRAP (sig=5) from
 * brk_handler rather than a SIGSEGV from a data abort. That is consistent
 * with the compiler turning the non-volatile constant-NULL dereference into
 * a trap instruction; a volatile-qualified pointer would force a real
 * load/store. Confirm against the disassembly.
 */
void lkdtm_ACCESS_NULL(void)
{
unsigned long tmp;
unsigned long *ptr = (unsigned long *)NULL;
printf("attempting bad read at \n");
/* Load from address 0. */
tmp = *ptr;
/* Make the stored value depend on the loaded one. */
tmp += 0xc0dec0de;
printf("attempting bad write at \n");
/* Store to address 0. */
*ptr = tmp;
/* Only printed if neither access stopped the process. */
printf("finishing bad write at \n");
}
/* Announce the test on stdout, then run it. */
void trace_access_null(void)
{
printf("trace accesss null \n");
lkdtm_ACCESS_NULL();
}
로그
lkdtm_user-11298 [004] d..1 1771.884643: signal_generate: sig=5 errno=0 code=196609 comm=lkdtm_user pid=11298 grp=0 res=0
lkdtm_user-11298 [004] d..1 1771.884651: <stack trace> // 5) SIGTRAP
=> brk_handler+0xf8/0x158 <ffffff9d4a485c10>
=> do_debug_exception+0xc8/0x150 <ffffff9d4a481bc0>
=> el0_dbg+0x14/0x1c <ffffff9d4a4840e4>
lkdtm_user-11298 [004] d..1 1771.884658: signal_deliver: sig=5 errno=0 code=196609 sa_handler=0 sa_flags=0
lkdtm_user-11298 [004] d..1 1771.884659: <stack trace>
"exec_data"
소스
/*
 * exec_data: copy do_nothing() into the static buffer data_area
 * (CODE_WRITE) and call it, to check whether static data is executable.
 *
 * NOTE(review): the trace recorded below reaches the fault through
 * do_mem_abort/el0_da, while the exec_stack and exec_malloc traces go
 * through el0_ia. The SIGSEGV here may therefore come from a data access
 * (for example the memcpy() inside execute_location()) rather than from
 * the jump itself. Confirm before reading this as a non-executable-data result.
 */
void lkdtm_EXEC_DATA(void)
{
execute_location(data_area, CODE_WRITE);
}
/* Announce the test on stdout, then run it. */
void trace_exec_data(void)
{
printf("trace exec data \n");
lkdtm_EXEC_DATA();
}
로그
lkdtm_user-11483 [005] .... 2131.066939: user_fault: task_name:lkdtm_user addr:2187428, fsr:2449473551
lkdtm_user-11483 [005] .... 2131.066948: <stack trace>
=> do_mem_abort+0x70/0xf0 <ffffff9d4a481778>
=> el0_da+0x20/0x24 <ffffff9d4a484048>
lkdtm_user-11483 [005] d..1 2131.066958: signal_generate: sig=11 errno=0 code=196610 comm=lkdtm_user pid=11483 grp=0 res=0
lkdtm_user-11483 [005] d..1 2131.066959: <stack trace> // 11) SIGSEGV
=> __do_user_fault+0x180/0x1c0 <ffffff9d4a4a5570>
=> do_page_fault+0x3a8/0x3e8 <ffffff9d4a4a52a0>
=> do_mem_abort+0x70/0xf0 <ffffff9d4a481778>
=> el0_da+0x20/0x24 <ffffff9d4a484048>
lkdtm_user-11483 [005] d..1 2131.066966: signal_deliver: sig=11 errno=0 code=196610 sa_handler=0 sa_flags=0
lkdtm_user-11483 [005] d..1 2131.066967: <stack trace> // 11) SIGSEGV
=> work_pending+0x8/0x10 <ffffff9d4a484408>
"exec_stack"
소스
/*
 * exec_stack: copy do_nothing() into a local array (CODE_WRITE) and call
 * it, to check whether the stack is executable.
 *
 * The trace recorded below ends in SIGSEGV (sig=11) reached through
 * el0_ia, which is consistent with the instruction fetch from the stack
 * buffer being refused.
 */
void lkdtm_EXEC_STACK(void)
{
/* Jump target lives in this function's stack frame. */
u8 stack_area[EXEC_SIZE];
execute_location(stack_area, CODE_WRITE);
}
/* Announce the test on stdout, then run it. */
void trace_exec_stack(void)
{
printf("trace exec stack \n");
lkdtm_EXEC_STACK();
}
로그
lkdtm_user-11726 [004] .... 2361.645929: user_fault: task_name:lkdtm_user addr:549726137512, fsr:2181038095
lkdtm_user-11726 [004] .... 2361.645937: <stack trace>
=> do_el0_ia_bp_hardening+0xcc/0x148 <ffffff9d4a481914>
=> el0_ia+0x18/0x1c <ffffff9d4a484064>
lkdtm_user-11726 [004] d..1 2361.645947: signal_generate: sig=11 errno=0 code=196610 comm=lkdtm_user pid=11726 grp=0 res=0
lkdtm_user-11726 [004] d..1 2361.645948: <stack trace> // 11) SIGSEGV
=> __do_user_fault+0x180/0x1c0 <ffffff9d4a4a5570>
=> do_page_fault+0x3a8/0x3e8 <ffffff9d4a4a52a0>
=> do_el0_ia_bp_hardening+0xcc/0x148 <ffffff9d4a481914>
=> el0_ia+0x18/0x1c <ffffff9d4a484064>
lkdtm_user-11726 [004] d..1 2361.645953: signal_deliver: sig=11 errno=0 code=196610 sa_handler=0 sa_flags=0
lkdtm_user-11726 [004] d..1 2361.645954: <stack trace> // 11) SIGSEGV
=> work_pending+0x8/0x10 <ffffff9d4a484408>
"exec_malloc"
소스
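/*
 * exec_malloc: copy do_nothing() into a heap buffer (CODE_WRITE) and call
 * it, to check whether heap memory is executable.
 *
 * The trace recorded below ends in SIGSEGV (sig=11) reached through
 * el0_ia, which is consistent with the instruction fetch from the heap
 * buffer being refused.
 */
void lkdtm_EXEC_MALLOC(void)
{
	u32 *malloc_area = malloc(EXEC_SIZE);

	/*
	 * Without this check a failed allocation would make
	 * execute_location() memcpy() to NULL, and that fault would be
	 * misread as the heap-execution result.
	 */
	if (!malloc_area) {
		printf("malloc failed \n");
		return;
	}
	execute_location(malloc_area, CODE_WRITE);
	/* Reached only if the call into the heap buffer returned. */
	free(malloc_area);
}

/* Announce the test on stdout, then run it. */
void trace_exec_malloc(void)
{
	printf("trace exec malloc \n");
	lkdtm_EXEC_MALLOC();
}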
로그
lkdtm_user-12029 [004] .... 2646.004566: user_fault: task_name:lkdtm_user addr:528081797120, fsr:2181038087
lkdtm_user-12029 [004] .... 2646.004574: <stack trace>
=> do_translation_fault+0x50/0xb0 <ffffff9d4a4a4e98>
=> do_el0_ia_bp_hardening+0xcc/0x148 <ffffff9d4a481914>
=> el0_ia+0x18/0x1c <ffffff9d4a484064>
lkdtm_user-12029 [004] d..1 2646.004584: signal_generate: sig=11 errno=0 code=196610 comm=lkdtm_user pid=12029 grp=0 res=0
lkdtm_user-12029 [004] d..1 2646.004585: <stack trace>
=> __do_user_fault+0x180/0x1c0 <ffffff9d4a4a5570>
=> do_page_fault+0x3a8/0x3e8 <ffffff9d4a4a52a0>
=> do_translation_fault+0x50/0xb0 <ffffff9d4a4a4e98>
=> do_el0_ia_bp_hardening+0xcc/0x148 <ffffff9d4a481914>
=> el0_ia+0x18/0x1c <ffffff9d4a484064>
lkdtm_user-12029 [004] d..1 2646.004590: signal_deliver: sig=11 errno=0 code=196610 sa_handler=0 sa_flags=0
lkdtm_user-12029 [004] d..1 2646.004591: <stack trace>
=> work_pending+0x8/0x10 <ffffff9d4a484408>
"exec_rodata"
소스
/*
 * exec_rodata: call lkdtm_rodata_do_nothing() through execute_location()
 * without modifying it (CODE_AS_IS).
 *
 * NOTE(review): this only probes read-only data if
 * lkdtm_rodata_do_nothing is actually placed in a read-only data section.
 * Where it is an ordinary function in the text section, this is a normal
 * call and no fault is expected, which would explain the "No log" result
 * recorded below. Confirm the symbol's section.
 */
void lkdtm_EXEC_RODATA(void)
{
execute_location(lkdtm_rodata_do_nothing, CODE_AS_IS);
}
/* Announce the test on stdout, then run it. */
void trace_exec_rodata(void)
{
printf("trace exec rodata \n");
lkdtm_EXEC_RODATA();
}
로그
No log
"corrupt_stack"
소스
/*
 * corrupt_stack: deliberately write past the end of an 8-byte local array
 * so that a stack protector, if the binary was built with one, detects the
 * overwrite when the function returns.
 *
 * remaining: only used to derive the fill byte and length, so that neither
 *            is a compile-time constant.
 *
 * The trace recorded below shows SIGABRT (sig=6, code=-1) queued through
 * rt_tgsigqueueinfo, i.e. raised from user space; that is consistent with
 * the stack-protector failure path aborting the process. Confirm that the
 * build enabled stack protection.
 */
void lkdtm_CORRUPT_STACK(int remaining)
{
/* Use default char array length that triggers stack protection. */
char data[8];
// memset((void *)data, 0, 64);
/*
 * Fill byte: (remaining & 0xff) | 0x1 is always non-zero.
 * Length: (remaining & 0xff) | 0xff is always 0xff, so 255 bytes are
 * written into the 8-byte array.
 */
memset((void *)data, (remaining & 0xff) | 0x1, (remaining & 0xff) | 0xff);
}
/* Announce the test on stdout, then run it with the default recursion count as input. */
void trace_corrupt_stack(void)
{
printf("trace corrupt stack \n");
lkdtm_CORRUPT_STACK(recur_count);
}
로그
lkdtm_user-12344 [004] d..1 3192.089012: signal_generate: sig=6 errno=0 code=-1 comm=lkdtm_user pid=12344 grp=0 res=0
lkdtm_user-12344 [004] d..1 3192.089021: <stack trace> // 6) SIGABRT
=> SyS_rt_tgsigqueueinfo+0xc4/0x130 <ffffff9d4a4cbe04>
=> el0_svc_naked+0x34/0x38 <ffffff9d4a4845c0>
lkdtm_user-12344 [004] d..1 3192.089029: signal_deliver: sig=6 errno=0 code=-1 sa_handler=0 sa_flags=0
lkdtm_user-12344 [004] d..1 3192.089030: <stack trace>
=> work_pending+0x8/0x10 <ffffff9d4a484408>
"stack_overflow"
소스
/*
 * Recurse `remaining` more times, touching a REC_STACK_SIZE-byte local
 * buffer in every frame so that each level consumes stack.
 *
 * remaining: number of further recursive calls to make.
 * Returns 0 once remaining reaches 0.
 *
 * NOTE(review): the recursive call is in tail position, so an optimizing
 * compiler may turn it into a loop that reuses one frame. Check the
 * generated code if the stack is expected to grow.
 */
static int recursive_loop(int remaining)
{
char buf[REC_STACK_SIZE];
/* Make sure compiler does not optimize this away. */
memset(buf, (remaining & 0xff) | 0x1, REC_STACK_SIZE);
if (!remaining)
return 0;
else
return recursive_loop(remaining - 1);
}
/*
 * stack_overflow: run recursive_loop() recur_count levels deep and discard
 * the result.
 *
 * NOTE(review): the trace recorded below contains only sig=1 generated
 * from do_exit via exit_group, i.e. the process exiting on its own, with
 * no fault signal. That suggests the recursion did not exhaust the stack
 * on the test device. Compare recur_count * REC_STACK_SIZE with the
 * process stack limit.
 */
void lkdtm_OVERFLOW(void)
{
(void) recursive_loop(recur_count);
}
/* Announce the test on stdout, then run it. */
void trace_stack_overflow(void)
{
printf("trace stack overflow \n");
lkdtm_OVERFLOW();
}
로그
lkdtm_user-12706 [005] d..2 3910.806313: signal_generate: sig=1 errno=0 code=128 comm=lkdtm_user pid=12706 grp=1 res=0
lkdtm_user-12706 [005] d..2 3910.806322: <stack trace>
=> kill_pgrp+0x60/0xb0 <ffffff9d4a4c70c8>
=> disassociate_ctty+0xe0/0x3f8 <ffffff9d4aac52a0>
=> do_exit+0x270/0x8f8 <ffffff9d4a4b8d38>
=> SyS_exit_group+0x0/0x20 <ffffff9d4a4b96f8>
=> SyS_exit_group+0x1c/0x20 <ffffff9d4a4b9714>
=> el0_svc_naked+0x34/0x38 <ffffff9d4a4845c0>
lkdtm_user 소스 코드
#include <sys/types.h>
#include <sys/stat.h>
#include <assert.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Number of bytes execute_location() copies, and the size of every buffer used as a jump target. */
#define EXEC_SIZE 64
/* execute_location() modes: CODE_WRITE copies do_nothing() into the target first, CODE_AS_IS jumps to the target unchanged. */
#define CODE_WRITE 1
#define CODE_AS_IS 0
typedef unsigned char u8;
typedef unsigned int u32;
/* Static (neither stack nor heap) buffer used as the jump target by lkdtm_EXEC_DATA(). */
static u8 data_area[EXEC_SIZE];
/* Bytes of stack touched per recursive_loop() frame: 0x1000 / 8 = 512. */
#define REC_STACK_SIZE (0x1000 / 8)
/*
 * Default recursion depth: (0x1000 / 512) * 2 = 16, so the buffers add up
 * to roughly 8 KiB.
 * NOTE(review): that is small compared with a typical user-space stack
 * limit, so the stack_overflow test may never reach the end of the stack.
 * Confirm against the stack limit on the target.
 */
#define REC_NUM_DEFAULT ((0x1000 / REC_STACK_SIZE) * 2)
/* Recursion depth for lkdtm_OVERFLOW(); also passed as input to lkdtm_CORRUPT_STACK(). */
static int recur_count = REC_NUM_DEFAULT;
/*
 * Known-good function. execute_location() calls it directly as a control
 * and, in CODE_WRITE mode, uses its machine code as the bytes copied into
 * the target buffer.
 */
static void do_nothing(void)
{
return;
}
/*
 * Jump target for lkdtm_EXEC_RODATA().
 * NOTE(review): no section attribute is visible on this definition, so it
 * is presumably emitted into the normal text section rather than into
 * read-only data. Confirm with the build flags or linker map.
 */
void lkdtm_rodata_do_nothing(void)
{
/* Does nothing. We just want an architecture agnostic "return". */
}
/*
 * Call dst as a function, optionally after copying do_nothing() into it.
 *
 * dst:   address to jump to.
 * write: CODE_WRITE copies EXEC_SIZE bytes starting at do_nothing into dst
 *        before the call; any other value leaves dst untouched.
 *
 * do_nothing() is called once first as a known-good control, so a failure
 * after the second message can be attributed to the call through dst.
 */
void execute_location(void *dst, int write)
{
/* Object-pointer to function-pointer conversion; not guaranteed by ISO C, relied on here. */
void (*func)(void) = dst;
/* NOTE(review): stdout is not flushed before the jump; if it is not line-buffered these messages can be lost when the process is killed. */
printf("attempting ok execution at do_nothing \n");
do_nothing();
if (write == CODE_WRITE) {
/*
 * NOTE(review): a fixed EXEC_SIZE bytes are read from do_nothing regardless
 * of how long the function really is, so the copy runs on into whatever
 * follows it in memory. No instruction-cache maintenance (for example
 * __builtin___clear_cache) follows the copy, so where dst is executable
 * the outcome of the call may not be deterministic.
 */
memcpy(dst, (const void*)do_nothing, EXEC_SIZE);
}
printf("attempting bad execution at func\n");
/* The call under test: returns only if dst could be executed. */
func();
}
/*
 * exec_null: have execute_location() call through a NULL function pointer
 * without writing anything to the target first (CODE_AS_IS).
 *
 * NOTE(review): the ftrace result published for this test shows SIGTRAP
 * from brk_handler rather than SIGSEGV, which is consistent with the
 * compiler lowering the constant-NULL call to a trap instruction instead
 * of emitting a real branch to address 0. Confirm against the disassembly.
 */
void lkdtm_EXEC_NULL(void)
{
execute_location(NULL, CODE_AS_IS);
}
/* Announce the test on stdout, then run it. */
void trace_exec_null(void)
{
printf("trace exec null \n");
lkdtm_EXEC_NULL();
}
/*
 * exec_data: copy do_nothing() into the static buffer data_area
 * (CODE_WRITE) and call it, to check whether static data is executable.
 *
 * NOTE(review): the ftrace result published for this test reaches the
 * fault through el0_da, not el0_ia as in the stack and heap cases, so the
 * SIGSEGV may come from a data access such as the memcpy() rather than
 * from the jump. Confirm before treating it as a non-executable-data result.
 */
void lkdtm_EXEC_DATA(void)
{
execute_location(data_area, CODE_WRITE);
}
/* Announce the test on stdout, then run it. */
void trace_exec_data(void)
{
printf("trace exec data \n");
lkdtm_EXEC_DATA();
}
/*
 * exec_stack: copy do_nothing() into a local array (CODE_WRITE) and call
 * it, to check whether the stack is executable.
 */
void lkdtm_EXEC_STACK(void)
{
/* Jump target lives in this function's stack frame. */
u8 stack_area[EXEC_SIZE];
execute_location(stack_area, CODE_WRITE);
}
/* Announce the test on stdout, then run it. */
void trace_exec_stack(void)
{
printf("trace exec stack \n");
lkdtm_EXEC_STACK();
}
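/*
 * exec_malloc: copy do_nothing() into a heap buffer (CODE_WRITE) and call
 * it, to check whether heap memory is executable.
 */
void lkdtm_EXEC_MALLOC(void)
{
	u32 *malloc_area = malloc(EXEC_SIZE);

	/*
	 * Without this check a failed allocation would make
	 * execute_location() memcpy() to NULL, and that fault would be
	 * misread as the heap-execution result.
	 */
	if (!malloc_area) {
		printf("malloc failed \n");
		return;
	}
	execute_location(malloc_area, CODE_WRITE);
	/* Reached only if the call into the heap buffer returned. */
	free(malloc_area);
}

/* Announce the test on stdout, then run it. */
void trace_exec_malloc(void)
{
	printf("trace exec malloc \n");
	lkdtm_EXEC_MALLOC();
}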
/*
 * exec_rodata: call lkdtm_rodata_do_nothing() through execute_location()
 * without modifying it (CODE_AS_IS).
 *
 * NOTE(review): lkdtm_rodata_do_nothing is defined in this file as a plain
 * function with no section attribute, so this is presumably an ordinary
 * call into the text section and no fault is expected. To probe read-only
 * data, the target would have to be placed in a read-only data section.
 */
void lkdtm_EXEC_RODATA(void)
{
execute_location(lkdtm_rodata_do_nothing, CODE_AS_IS);
}
/* Announce the test on stdout, then run it. */
void trace_exec_rodata(void)
{
printf("trace exec rodata \n");
lkdtm_EXEC_RODATA();
}
/*
 * access_null: read through a NULL pointer, then write the modified value
 * back through the same pointer.
 *
 * NOTE(review): ptr is not volatile and is a compile-time NULL, so the
 * compiler may replace the dereference with a trap instruction instead of
 * a real load/store; the SIGTRAP in the ftrace result published for this
 * test is consistent with that. Confirm against the disassembly.
 */
void lkdtm_ACCESS_NULL(void)
{
unsigned long tmp;
unsigned long *ptr = (unsigned long *)NULL;
printf("attempting bad read at \n");
/* Load from address 0. */
tmp = *ptr;
/* Make the stored value depend on the loaded one. */
tmp += 0xc0dec0de;
printf("attempting bad write at \n");
/* Store to address 0. */
*ptr = tmp;
/* Only printed if neither access stopped the process. */
printf("finishing bad write at \n");
}
/* Announce the test on stdout, then run it. */
void trace_access_null(void)
{
printf("trace accesss null \n");
lkdtm_ACCESS_NULL();
}
/*
 * exec_assert: evaluate assert(1) and print a completion message.
 *
 * assert(1) is always true, so this function never aborts; it prints the
 * message and returns.
 * NOTE(review): if the intent was to observe the SIGABRT path, the
 * condition would have to be false (and NDEBUG unset). Confirm intent.
 */
void lkdtm_EXEC_ASSERT(void)
{
assert(1);
printf("finishing assert \n");
}
/* Announce the test on stdout, then run it. */
void trace_exec_assert(void)
{
printf("trace exec assert \n");
lkdtm_EXEC_ASSERT();
}
/*
 * corrupt_stack: deliberately write past the end of an 8-byte local array
 * so that a stack protector, if the binary was built with one, detects the
 * overwrite when the function returns.
 *
 * remaining: only used to derive the fill byte and length, so that neither
 *            is a compile-time constant.
 *
 * NOTE(review): the outcome depends on the build enabling stack
 * protection; without it the overwrite corrupts the caller's frame
 * silently or faults somewhere unrelated.
 */
void lkdtm_CORRUPT_STACK(int remaining)
{
/* Use default char array length that triggers stack protection. */
char data[8];
// memset((void *)data, 0, 64);
/*
 * Fill byte: (remaining & 0xff) | 0x1 is always non-zero.
 * Length: (remaining & 0xff) | 0xff is always 0xff, so 255 bytes are
 * written into the 8-byte array.
 */
memset((void *)data, (remaining & 0xff) | 0x1, (remaining & 0xff) | 0xff);
}
/* Announce the test on stdout, then run it with the default recursion count as input. */
void trace_corrupt_stack(void)
{
printf("trace corrupt stack \n");
lkdtm_CORRUPT_STACK(recur_count);
}
/*
 * Recurse `remaining` more times, touching a REC_STACK_SIZE-byte local
 * buffer in every frame so that each level consumes stack.
 *
 * remaining: number of further recursive calls to make.
 * Returns 0 once remaining reaches 0.
 *
 * NOTE(review): the recursive call is in tail position, so an optimizing
 * compiler may turn it into a loop that reuses one frame. Check the
 * generated code if the stack is expected to grow.
 */
static int recursive_loop(int remaining)
{
char buf[REC_STACK_SIZE];
/* Make sure compiler does not optimize this away. */
memset(buf, (remaining & 0xff) | 0x1, REC_STACK_SIZE);
if (!remaining)
return 0;
else
return recursive_loop(remaining - 1);
}
/*
 * stack_overflow: run recursive_loop() recur_count levels deep and discard
 * the result.
 *
 * NOTE(review): with the defaults in this file the recursion touches
 * roughly 16 * 512 bytes, which is unlikely to exhaust a user-space stack;
 * the ftrace result published for this test shows only the process
 * exiting. Raise recur_count or lower the stack limit if an overflow is
 * the goal.
 */
void lkdtm_OVERFLOW(void)
{
(void) recursive_loop(recur_count);
}
/* Announce the test on stdout, then run it. */
void trace_stack_overflow(void)
{
printf("trace stack overflow \n");
lkdtm_OVERFLOW();
}
int main(int argc, char *argv[])
{
char *param = argv[1];
if(argc == 0) {
printf("check argument \n");
return 0;
}
if (!strcmp("exec_null", param)) {
trace_exec_null();
}
else if (!strcmp("exec_assert", param)) {
trace_exec_assert();
}
else if(!strcmp("access_null", param)) {
trace_access_null();
}
else if(!strcmp("exec_data", param)) {
trace_exec_data();
}
else if(!strcmp("exec_stack", param)) {
trace_exec_stack();
}
else if(!strcmp("exec_malloc", param)) {
trace_exec_malloc();
}
else if(!strcmp("exec_rodata", param)) {
trace_exec_rodata();
}
else if(!strcmp("corrupt_stack", param)) {
trace_corrupt_stack();
}
else if(!strcmp("stack_overflow", param)) {
trace_stack_overflow();
}
return 0;
}