read(fd, kernel_address, n)
evades protection because buffer is filled in kernel mode
verify_area checks buffer address manually
Works for 'jail', problems with 'honeypot'
A sneakier way to try to change kernel memory is to get the kernel to do it for you by passing a kernel address as an output parameter to a system call. The output buffer is filled in kernel mode, where kernel memory is write-enabled, so this offers a potential way to get around the write-protection that's in effect in user mode.
This problem is mostly taken care of by the generic kernel with the help of some architecture-specific code in asm/uaccess.h, notably verify_area. This checks the buffer address by hand to make sure it's a userspace address and not a kernel address.
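The check described above can be modelled in ordinary C. This is an added example, not the kernel's or UML's own code: the names model_verify_area and model_sys_read and the boundary MODEL_USER_LIMIT are assumptions made for illustration. It shows the range test running before the kernel writes to the caller's buffer, including the cases where the buffer straddles the boundary or the address arithmetic would wrap.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed boundary for this model: addresses below it are "userspace",
 * addresses at or above it belong to the kernel. Not a real UML value. */
#define MODEL_USER_LIMIT 0xC0000000u

/* Model of a verify_area-style check: return 0 if [addr, addr+size) lies
 * entirely below the user limit, -EFAULT otherwise. */
static int model_verify_area(uint32_t addr, uint32_t size)
{
    /* A size larger than the whole user range can never fit. */
    if (size > MODEL_USER_LIMIT)
        return -EFAULT;
    /* Written as a subtraction so addr + size cannot wrap around 2^32. */
    if (addr > MODEL_USER_LIMIT - size)
        return -EFAULT;
    return 0;
}

/* Model of a read()-like system call: the check runs before the kernel
 * writes anything to the caller-supplied buffer address. */
static long model_sys_read(uint32_t buf, uint32_t n)
{
    int err = model_verify_area(buf, n);
    if (err)
        return err;
    /* The copy into the buffer would happen here. */
    return (long)n;
}

int main(void)
{
    /* Constructed sample addresses. */
    printf("user buffer:        %ld\n", model_sys_read(0x08049000u, 4096));
    printf("kernel address:     %ld\n", model_sys_read(0xC0100000u, 4096));
    printf("straddles boundary: %ld\n", model_sys_read(0xBFFFFFF0u, 64));
    printf("wraps around:       %ld\n", model_sys_read(0xFFFFFFF0u, 32));
    return 0;
}
```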
This works perfectly well in 'jail' mode, but it's more complicated in 'honeypot' mode because of some peculiarities of that mode. This will be discussed in detail later.