Execute pml4 mapping crash

I am researching system security at the university. I found that it is possible to attach the PML4 of one process, with a change of index, to another process. For example, in our host program there is an address 0x01031000, and when it is copied into the PML4 of the target process at index 50, the address becomes 0x01931000. The numbers are arbitrary. The memory is read from the target process, but if I want to execute code through it, the system crashes with a MEMORY_MANAGEMENT error. I allocate the memory as RWX in the host process. Surprisingly, code from such a region executes normally on some systems, while on others the system crashes. I do not understand why the system can crash when executing code from such a region.

... it is possible to attach pml4 from one process with a change in index to another process ...

I don't know what that sentence means. How did you "attach" it? How did you change an index?

... when copying to pml4 with index 50 of the target process ...

You used a kernel driver to do this, right? You can't touch the page tables from user mode. Kernel drivers can do many things that cause system crashes. Indeed, there are other system tables that parallel the live page tables. If you mucked with a page table, then you caused an inconsistency.

uint64_t target_pml4_idx = 50;
/* keep bits 0..38 (PDPT/PD/PT indices and page offset), replace bits 39..47 with the new PML4 index */
uint64_t target_addr = (host_base & ~(0x1FFULL << 39)) | ((target_pml4_idx & 0x1FF) << 39);

/* host_dtb / target_dtb: the two processes' PML4 bases (DirectoryTableBase / CR3), dereferenced directly here */
uint64_t* p_pml4_host   = (uint64_t*)(host_dtb + 8 * ((host_base >> 39) & 0x1FF));
uint64_t* p_pml4_target = (uint64_t*)(target_dtb + 8 * target_pml4_idx);

After that: *p_pml4_target = *p_pml4_host;

Of course, I do it from the kernel.
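The address arithmetic behind the snippet above, as an added example that is not part of the thread or the poster's driver: a plain user-mode C program that splits an x86-64 4-level linear address into its PML4/PDPT/PD/PT indices and page offset, builds the alias exactly as the posted formula does, sign-extends it so the result is canonical (indices 256 and above land in the upper half), and folds the access bits of a constructed four-entry walk into effective rights. Nothing here touches real page tables; host_base 0x01031000, the indices 50 and 300 and the entry values are constructed inputs, and the NX handling assumes EFER.NXE is set, as it is on 64-bit Windows.

```c
/* Added example (not from the thread): x86-64 4-level address arithmetic
 * for the PML4-index aliasing trick above, computed in user mode.
 * Nothing here touches real page tables; every input is constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IDX_MASK    0x1FFULL          /* 9 index bits per level */
#define PML4_SHIFT  39
#define PDPT_SHIFT  30
#define PD_SHIFT    21
#define PT_SHIFT    12

/* Bits with the same meaning at every level of the walk. */
#define PTE_P   (1ULL << 0)
#define PTE_RW  (1ULL << 1)
#define PTE_US  (1ULL << 2)
#define PTE_NX  (1ULL << 63)          /* only meaningful with EFER.NXE=1 (assumed) */
#define ENTRY_RWX_USER (PTE_P | PTE_RW | PTE_US)

typedef struct { unsigned pml4, pdpt, pd, pt, offset; } va_parts;

va_parts split_va(uint64_t va) {
    va_parts p;
    p.pml4   = (unsigned)((va >> PML4_SHIFT) & IDX_MASK);
    p.pdpt   = (unsigned)((va >> PDPT_SHIFT) & IDX_MASK);
    p.pd     = (unsigned)((va >> PD_SHIFT)   & IDX_MASK);
    p.pt     = (unsigned)((va >> PT_SHIFT)   & IDX_MASK);
    p.offset = (unsigned)(va & 0xFFF);
    return p;
}

/* A 48-bit linear address is canonical only if bits 48..63 equal bit 47. */
uint64_t make_canonical(uint64_t va) {
    const uint64_t low48 = (1ULL << 48) - 1;
    va &= low48;
    return (va & (1ULL << 47)) ? (va | ~low48) : va;
}

bool is_canonical(uint64_t va) { return make_canonical(va) == va; }

/* The posted formula: keep bits 0..38 (so PDPT/PD/PT indices and the page
 * offset are unchanged), replace bits 39..47 with the target PML4 index. */
uint64_t alias_va(uint64_t host_base, unsigned target_pml4_idx) {
    uint64_t va = (host_base & ~(IDX_MASK << PML4_SHIFT))
                | ((uint64_t)(target_pml4_idx & IDX_MASK) << PML4_SHIFT);
    return make_canonical(va);
}

/* Effective rights of a complete walk: every entry must be present; write
 * and user access need RW/US set at every level; execution is denied if NX
 * is set at ANY level, including the copied PML4E itself. */
typedef struct { bool present, writable, user, executable; } walk_rights;

walk_rights combine_walk(const uint64_t *entries, size_t n) {
    walk_rights r = { true, true, true, true };
    for (size_t i = 0; i < n; i++) {
        if (!(entries[i] & PTE_P)) {
            r.present = r.writable = r.user = r.executable = false;
            return r;
        }
        if (!(entries[i] & PTE_RW)) r.writable   = false;
        if (!(entries[i] & PTE_US)) r.user       = false;
        if   (entries[i] & PTE_NX)  r.executable = false;
    }
    return r;
}

walk_rights rights_4level(uint64_t pml4e, uint64_t pdpte, uint64_t pde, uint64_t pte) {
    uint64_t chain[4] = { pml4e, pdpte, pde, pte };
    return combine_walk(chain, 4);
}

int main(void) {
    uint64_t host_base = 0x01031000ULL;           /* constructed, as in the post */
    uint64_t alias = alias_va(host_base, 50);
    va_parts h = split_va(host_base), a = split_va(alias);
    printf("host  %#018llx -> pml4 %u pdpt %u pd %u pt %u off %#x\n",
           (unsigned long long)host_base, h.pml4, h.pdpt, h.pd, h.pt, h.offset);
    printf("alias %#018llx -> pml4 %u pdpt %u pd %u pt %u off %#x\n",
           (unsigned long long)alias, a.pml4, a.pdpt, a.pd, a.pt, a.offset);
    /* an index >= 256 selects the upper half and must be sign-extended */
    uint64_t upper = alias_va(host_base, 300);
    printf("index 300 -> %#018llx canonical=%d\n", (unsigned long long)upper, is_canonical(upper));
    /* an NX bit anywhere in the chain denies execution, even on an RWX leaf */
    walk_rights ok = rights_4level(ENTRY_RWX_USER, ENTRY_RWX_USER, ENTRY_RWX_USER, ENTRY_RWX_USER);
    walk_rights nx = rights_4level(ENTRY_RWX_USER | PTE_NX, ENTRY_RWX_USER, ENTRY_RWX_USER, ENTRY_RWX_USER);
    printf("all RWX: exec=%d; NX on the PML4E only: exec=%d\n", ok.executable, nx.executable);
    return 0;
}
```

Because the copied PML4E carries the physical address of the host's PDPT, the alias and the original resolve through the same PDPT, PD and PT; that is why the low 39 bits must stay unchanged and why a read through the alias returns the host's bytes. Two general x86-64 facts to keep in mind when experimenting this way: with EFER.NXE set, an NX bit at any level of the walk makes the page non-executable regardless of what the leaf PTE says, and writing a PML4E by hand does not invalidate stale TLB or paging-structure-cache entries for that index, so the processor may keep using whatever it had cached until CR3 is reloaded or the range is invalidated.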

Then why are you surprised that random memory poking into critical system tables caused a crash?
