4

I have noticed that it IS possible to read/write from/to some app memory (which I'm in the context of) while in kernel mode, but it is NOT possible to execute user-space code.

I guess that it has something to do with the kernel code segment (the limit & granularity). Is there a way to execute user-space addresses? I know that it breaks the Linux security model etc.; I just wonder, out of my own curiosity, if it is possible to trick the Linux kernel into executing user-space code.

Rouki
  • possible duplicate of [Executing a user-space function from the kernel space](http://stackoverflow.com/questions/5246636/executing-a-user-space-function-from-the-kernel-space) – mcleod_ideafix Apr 20 '15 at 11:20

2 Answers

1

User-space programs have their own virtual address space (<0xC0000000) and it is impossible to execute such a program from kernel space (>0xC0000000). Probably you should look at the user-helper API (invoking user-space applications from the kernel) and Linux interprocess communication (IPC): kernel sockets, shared memory and signals. Network tools use IPC (kernel sockets) for communication. Drivers use the user-helper API to notify user space about some events. If you are interested in how to work with a binary user-space program, you can look at the UPROBE Linux kernel module (uprobe can parse a user-space binary and edit the user-space program's instructions).

cosinus0
1

Assuming Linux on x86 systems, 32 bits (as the OP hasn't provided that information):

The kernel is visible from any process, and while in a specific process context, the kernel can read and write to any memory address the process has mapped into its memory map. This also means that it's possible to do a call to execute some code that resides below the 0xc0000000 mark (for 32-bit Linuxes), provided that:

  • The code doesn't issue system calls.
  • The kernel has locked the memory where the code resides and the data it uses so there won't be page faults while executing the code.
  • If the kernel uses the NX feature to mark pages as non executable, it has to de-mark the pages in which code to be executed resides.
  • The code does not generate any other exception, such as division by zero.
mcleod_ideafix
  • Well, I'm trying to execute executable pages within the user-space virtual memory and it just won't let me. It generates an 'Unable to handle page request' error (Or something like that). That code I'm trying to run only has C3 (return opcode) so it certainly doesn't issue any system call or generate any exception. EDIT: I'm talking about Linux x86-64 platform – Rouki Apr 20 '15 at 11:24
  • That means that you have to lock the page in which the code resides into memory before you call it. But I'm not sure whether the other assumptions will work in an x86_64 environment. – mcleod_ideafix Apr 20 '15 at 11:30
  • Still won't let me run the user addresses. Any other way you can think of to allow that? (Maybe modify the GDT or something). – Rouki Apr 20 '15 at 12:20
  • No, I'm afraid I'm lost in the 64-bit scenario. Isn't it supposed that there is no GDT in 64-bit mode? – mcleod_ideafix Apr 20 '15 at 12:35
  • Have you considered copying the code that you want to execute from user to kernel, executing it inside the kernel, and then copying back the results to user space? The code should be written position independent for that. – mcleod_ideafix Apr 20 '15 at 12:37
  • Exactly. I'm trying to avoid the 'RIP RELATIVE' commands issue (By running the code in its native spot) – Rouki Apr 20 '15 at 12:43
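The preconditions in the second answer (page present and locked, page not marked NX, no exceptions) each fail with a different x86 page-fault error code, and an x86 Linux oops prints that code in hex on its "Oops: NNNN [#n]" line. On x86-64 CPUs with SMEP enabled (CR4 bit 20, which Linux turns on wherever the CPU supports it), a ring-0 instruction fetch from a page whose page-table entry has the User bit set faults even when the page is present and executable; that fault, not the NX bit or the segment limits, is the hardware check that stops the kernel from jumping into user-space pages, and the kernel's fault handler reports it with "unable to execute userspace code (SMEP?)" next to the oops. The decoder below is an added example, not code from the thread or from any of its participants; it decodes the error-code bits (the values Linux calls X86_PF_PROT, X86_PF_WRITE, X86_PF_USER, X86_PF_RSVD, X86_PF_INSTR and X86_PF_PK) and maps a fault taken in kernel mode onto the answer's checklist. The oops lines it runs over are constructed for the example; the verdict names and helper functions are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* x86 #PF error-code bits as pushed by the CPU on a page fault. Linux names
 * them X86_PF_PROT, X86_PF_WRITE, X86_PF_USER, X86_PF_RSVD, X86_PF_INSTR and
 * X86_PF_PK (arch/x86/include/asm/trap_pf.h) and prints the raw value in hex
 * on the "Oops: NNNN [#n]" line of an x86 oops. */
enum {
    PF_PROT  = 1u << 0,  /* 0: page not present, 1: page-level protection violation */
    PF_WRITE = 1u << 1,  /* 0: read or fetch,    1: write */
    PF_USER  = 1u << 2,  /* 0: access from CPL 0 (kernel), 1: access from CPL 3 (user) */
    PF_RSVD  = 1u << 3,  /* reserved bit set in a paging-structure entry */
    PF_INSTR = 1u << 4,  /* instruction fetch (only reported when NX/XD paging is on) */
    PF_PK    = 1u << 5,  /* protection-key violation */
};

/* Verdict names are this example's own: which precondition for calling
 * user-space code from ring 0 the fault says was violated. */
typedef enum {
    PF_VERDICT_USER_FAULT,   /* fault taken in user mode, not a kernel-side problem */
    PF_VERDICT_RSVD,         /* corrupt page-table entry */
    PF_VERDICT_NOT_PRESENT,  /* target page not mapped in: pin/lock it before the call */
    PF_VERDICT_EXEC_DENIED,  /* ring-0 fetch from a present page refused: NX bit or SMEP */
    PF_VERDICT_WRITE_DENIED, /* ring-0 write to a present page refused: read-only or SMAP */
    PF_VERDICT_READ_DENIED,  /* ring-0 read of a present page refused: SMAP or protection key */
} pf_verdict;

pf_verdict classify_pf(uint32_t err)
{
    if (err & PF_USER)    return PF_VERDICT_USER_FAULT;
    if (err & PF_RSVD)    return PF_VERDICT_RSVD;
    if (!(err & PF_PROT)) return PF_VERDICT_NOT_PRESENT;   /* P=0: page absent */
    if (err & PF_INSTR)   return PF_VERDICT_EXEC_DENIED;   /* P=1 + I/D: NX or SMEP */
    if (err & PF_WRITE)   return PF_VERDICT_WRITE_DENIED;
    return PF_VERDICT_READ_DENIED;
}

const char *pf_verdict_str(pf_verdict v)
{
    static const char *const names[] = {
        "fault in user mode (not a kernel-side problem)",
        "reserved bit set: corrupt paging-structure entry",
        "page not present: pin the user page before calling into it",
        "supervisor instruction fetch refused: NX bit set or SMEP (CR4 bit 20) active",
        "supervisor write refused: page is read-only or SMAP is active",
        "supervisor read refused: SMAP or a protection key blocks the access",
    };
    return names[v];
}

/* Extract the hex error code from an "Oops: NNNN [#n] ..." line.
 * Returns -1 when the line carries no such code. */
long parse_oops_code(const char *line)
{
    const char *p = strstr(line, "Oops: ");
    if (!p) return -1;
    p += strlen("Oops: ");
    char *end;
    unsigned long code = strtoul(p, &end, 16);
    if (end == p) return -1;
    return (long)code;
}

/* Constructed sample oops lines for the example (not taken from the thread). */
static const char *const sample_lines[] = {
    "BUG: unable to handle kernel paging request at 00000000004005d0",
    "Oops: 0011 [#1] SMP",   /* present + instruction fetch from CPL 0: SMEP or NX */
    "Oops: 0010 [#2] SMP",   /* not present + instruction fetch: page was not pinned */
    "Oops: 0002 [#3] SMP",   /* supervisor write to a non-present page */
};

int main(void)
{
    for (size_t i = 0; i < sizeof sample_lines / sizeof sample_lines[0]; i++) {
        long code = parse_oops_code(sample_lines[i]);
        if (code < 0) {
            printf("%-62s -> no error code on this line\n", sample_lines[i]);
            continue;
        }
        printf("%-62s -> %s\n", sample_lines[i],
               pf_verdict_str(classify_pf((uint32_t)code)));
    }
    return 0;
}
```

Reading the verdicts against the answer's bullets: a code of 0x0010 (page absent, instruction fetch) is the second bullet, the page has to be pinned before the call; 0x0011 (page present, instruction fetch refused in supervisor mode) is the third bullet on a machine without SMEP, but on SMEP hardware it is raised for any user-accessible page regardless of the NX bit, and no change to the page-table entry lifts it. A fault with bit 2 set was taken in user mode and says nothing about the kernel-side call at all.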