First page Back Continue Last page Summary Graphics

System calls

read(fd, kernel_address, n)
evades protection because buffer is filled in kernel mode
verify_area checks buffer address manually
Works for 'jail', problems with 'honeypot'

Notes:

A sneakier way to try to change kernel memory is to get the kernel to do it for you by passing a kernel address as an output parameter to a system call. Since the output buffer will be filled in the kernel, kernel memory is write-enabled, so this offers a potential way to get around the write-protection that's in effect in user mode.
This problem is mostly taken care of by the generic kernel with the help of some architecture-specific code in asm/uaccess.h, notably verify_area. This checks the buffer address by hand to make sure it's a userspace address and not a kernel address.
This works perfectly well in 'jail' mode, but it's more complicated in 'honeypot' mode because of some peculiarities of that mode. This will be discussed in detail later.

System calls

read(fd, kernel_address, n)

evades protection because buffer is filled in kernel mode

verify_area checks buffer address manually

Works for 'jail', problems with 'honeypot'

Notes: