The kernel tries to access a page that belongs to the process address space. However, the page corresponding to this page does not exist or the kernel tries to access a read-only page, the two scenarios correspond to "request paging" and "Copy at write time" respectively.
Access a page that belongs to the process address space. However, the page corresponding to this page does not exist or the kernel attempts to access a read-only page, the two scenarios correspond to "request paging" and "Copy at write time" respectively.
2. the kernel addresses the pages that belong to the kernel address space, but the corresponding page and table items are not initialized. This corresponds to "non-contiguous memory zone access ".
3. the kernel code contains programming errors and function execution produces exceptions. This is a kernel vulnerability.
4. The system call service routine tries to read and write a memory zone. The address of the memory zone is transmitted through the system call parameters, but it does not belong to the address space of the process.
In the first two cases, the page-missing exception handler is easy to identify, but the latter two cases are difficult to distinguish. In order to identify the following two cases, the Linux kernel has created an exception table to identify the latter two cases.
Ii. How does one implement abnormal tables in linux?
The exception table stores the address of each instruction that the kernel service routine accesses to the process address space. This table is stored in the _ ex_table section of the kernel code segment. Its start and end addresses are identified by the two symbols _ start _ ex_table and _ stop _ ex_table generated by the C compiler, the _ ex_table section in each target file is merged in the Linux Kernel link script file, and the _ start _ ex_table and _ stop _ ex_table are defined for identification.
_ Start ___ ex_table =.; // exception table _ ex_table: {* (_ ex_table)} _ stop ___ ex_table = .;
In addition, each Dynamically Loaded kernel module contains its own local exception table. When the module is loaded into the kernel, the table is also loaded into the memory.
The table items in each exception table are in the exception_table_entry structure:
struct exception_table_entry{ unsigned long insn, fixup;};
Insn is the linear address of the instruction to access the process address space. When a page-missing exception is triggered by commands in the insn unit, fixup is the assembly instruction code address to be called. Generally, this assembly code forces the service routine to return an error code to the user-state process.
Insert a table item to the exception table through the Assembly pseudo command below:
.section __ex_table, “a” .long faulty_instruction_address, fixup_code_address.previous
Faulty_instruction_address is the address of the instruction to access the process address space, and fixup_code_address is the correction code for the exception caused by the instruction pointed to by faulty_instruction_address. It usually returns an error code to the user program.
For example, in the kernel code that accesses the process address space:
__get_user_1: GET_THREAD_INFO(%edx) cmpl TI_addr_limit(%edx),%eax jae bad_get_user1: movzbl (%eax),%edx xorl %eax,%eax ret__get_user_2: addl $1,%eax jc bad_get_user GET_THREAD_INFO(%edx) cmpl TI_addr_limit(%edx),%eax jae bad_get_user2: movzwl -1(%eax),%edx xorl %eax,%eax ret__get_user_4: addl $3,%eax jc bad_get_user GET_THREAD_INFO(%edx) cmpl TI_addr_limit(%edx),%eax jae bad_get_user3: movl -3(%eax),%edx xorl %eax,%eax retbad_get_user: xorl %edx,%edx movl $-14,%eax ret.section __ex_table,"a" .long 1b,bad_get_user .long 2b,bad_get_user .long 3b,bad_get_user.previous
From the assembly code above, we can know that the commands that actually access the process address space are commands marked 1, 2, and 3, therefore, you only need to place the command addresses in these three fields in the exception table. bad_get_user is the code for modifying the exception caused by these three commands.
3. How to identify the exception type through the exception table?
When a page exception occurs in the kernel state, the page exception handler first removes the first two cases and then checks the exception table: If the table contains the command address that generates the exception, this error is caused by Invalid System Call parameters, that is, the fourth case. Otherwise, it is caused by a more serious kernel bug, that is, the third case.
;