These two fundamental features are written in a binary hacker's fashion, and are frequently broken on different Linux major versions and different architectures. So it is very important to find an alternative way to replace the __schedule function.
There are two major pitfalls we may encounter when replacing __schedule, and they are what stack-pivot and ROP are for:
1. After unloading, the module's .text section is gone. If a task wakes up after unloading, it steps on the module's .text section and panics.
2. The top and bottom halves of __schedule may assume __schedule to have a different stack layout and size.
Apart from stack-pivot + ROP, another potential solution to these problems might be the following. When unloading the module:
1. call stop_machine, restore __schedule's prologue to nop, and add the sleeping tasks to sleep_list;
2. traverse sleep_list, set each task's need_resched bit, and wake it up;
3. wait until all tasks in sleep_list have finished one round of __schedule and entered vmlinux's __schedule.
In this way, springboard_search, the stack guard and stack-pivot can all be eliminated.
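The unload sequence proposed above, as an added user-space model that is not the project's own code and does not touch the kernel: pthreads stand in for tasks, a function pointer for the patched prologue of __schedule, a generation counter plus condition variable for need_resched and the wakeup, and a flag for whether the module's .text still exists. It runs the same unload twice: once freeing the .text before the woken tasks have finished their round (pitfall 1 above, counted as "panics" instead of crashing), and once waiting for every task in sleep_list to finish one round first. All identifiers (run_scenario, unload_module, NTASKS, and so on) are made up for this example, and it assumes every task is asleep inside the module's __schedule when the unload starts, so sleep_list is simply all tasks.

```c
/* Added example: user-space model of unloading a replaced __schedule. Not kernel or
 * project code; names are hypothetical. Build with a C11 compiler and pthreads. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>

#define NTASKS 4

typedef void (*sched_fn)(int tid);

static pthread_mutex_t mu = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t cv = PTHREAD_COND_INITIALIZER;
/* guarded by mu */
static int wake_gen;           /* bumped to wake every sleeper (need_resched + wakeup) */
static int nsleeping;          /* tasks currently blocked inside some __schedule */
static int rounds[NTASKS];     /* completed rounds of the module's __schedule, per task */
static bool stop_all;

static _Atomic(sched_fn) sched_entry;     /* where the patched prologue jumps to */
static atomic_bool module_text_present;   /* false once the module's .text is freed */
static atomic_int faults;                 /* module code executed after .text was freed */

/* Block until wake_gen changes or the model shuts down. */
static void sleep_until_woken(void)
{
    pthread_mutex_lock(&mu);
    int gen = wake_gen;
    nsleeping++;
    pthread_cond_broadcast(&cv);
    while (wake_gen == gen && !stop_all)
        pthread_cond_wait(&cv, &mu);
    nsleeping--;
    pthread_mutex_unlock(&mu);
}

/* Running module code after its .text is gone would be a panic in the kernel. */
static void touch_module_text(void)
{
    if (!atomic_load(&module_text_present))
        atomic_fetch_add(&faults, 1);
}

static void vmlinux_schedule(int tid) { (void)tid; sleep_until_woken(); }

/* The module's __schedule: top half and bottom half both live in module .text. */
static void module_schedule(int tid)
{
    touch_module_text();                 /* top half */
    sleep_until_woken();
    touch_module_text();                 /* bottom half, runs after the task is woken */
    pthread_mutex_lock(&mu);
    rounds[tid]++;                       /* this task finished one round of __schedule */
    pthread_cond_broadcast(&cv);
    pthread_mutex_unlock(&mu);
}

static void *task_main(void *arg)
{
    int tid = (int)(long)arg;
    for (;;) {
        pthread_mutex_lock(&mu);
        bool done = stop_all;
        pthread_mutex_unlock(&mu);
        if (done)
            return NULL;
        atomic_load(&sched_entry)(tid);  /* every __schedule call enters via the prologue */
    }
}

/* Unload while every task sleeps in the module's __schedule. With wait_for_round the
 * .text is freed only after each sleeper finished its round; without it the .text is
 * freed first (pitfall 1). Returns how many tasks stepped on the freed .text. */
static int unload_module(bool wait_for_round)
{
    int snapshot[NTASKS];
    pthread_mutex_lock(&mu);                          /* stands in for stop_machine */
    atomic_store(&sched_entry, vmlinux_schedule);     /* restore the prologue */
    for (int i = 0; i < NTASKS; i++)
        snapshot[i] = rounds[i];                      /* sleep_list: all tasks are asleep */
    if (!wait_for_round)
        atomic_store(&module_text_present, false);    /* freed too early */
    wake_gen++;                                       /* set need_resched, wake them up */
    pthread_cond_broadcast(&cv);
    for (int i = 0; i < NTASKS; i++)
        while (rounds[i] == snapshot[i])              /* one round of __schedule each */
            pthread_cond_wait(&cv, &mu);
    if (wait_for_round)
        atomic_store(&module_text_present, false);    /* nobody can return into it now */
    pthread_mutex_unlock(&mu);
    return atomic_load(&faults);
}

/* Load the module, let all tasks sleep in it, unload, shut down; returns the panics. */
static int run_scenario(bool wait_for_round)
{
    pthread_t th[NTASKS];
    pthread_mutex_lock(&mu);
    stop_all = false;
    nsleeping = 0;
    for (int i = 0; i < NTASKS; i++)
        rounds[i] = 0;
    pthread_mutex_unlock(&mu);
    atomic_store(&faults, 0);
    atomic_store(&module_text_present, true);
    atomic_store(&sched_entry, module_schedule);      /* prologue patched to the module */
    for (long i = 0; i < NTASKS; i++)
        pthread_create(&th[i], NULL, task_main, (void *)i);
    pthread_mutex_lock(&mu);
    while (nsleeping < NTASKS)                        /* everyone parked in module_schedule */
        pthread_cond_wait(&cv, &mu);
    pthread_mutex_unlock(&mu);
    int panics = unload_module(wait_for_round);
    pthread_mutex_lock(&mu);
    stop_all = true;
    pthread_cond_broadcast(&cv);
    pthread_mutex_unlock(&mu);
    for (int i = 0; i < NTASKS; i++)
        pthread_join(th[i], NULL);
    return panics;
}
```

run_scenario(false) reports one panic per sleeping task, because each of them is woken into the module's bottom half after the .text is gone; run_scenario(true) reports none, because the prologue already points at vmlinux_schedule when the tasks come around again, so once each has finished its round nothing can re-enter the module. The model leaves out pitfall 2 (differing stack layouts between the two halves), which has no user-space counterpart here.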