
added memory protection from kernel 2.6.11 --> 2.6.12 ?



hi there !

I was wondering if the current kernels (=>2.6.12) have some kind of additional
memory protection added.
Specifically, I'm trying to read from the process memory of another
process (using gdb) which works just fine on kernel version up to (and
including) 2.6.11.
(This is inevitable for me since I'm currently playing with
format string vulnerabilities to understand these kinds of attacks.)
I would like to know how to turn the mentioned protection off.
If it is not possible, it would be great to get a hint which kernel code I
would have to patch/modify to turn it off ;)


Here's some example of what I'm trying to do:

---------------------- kernel 2.6.11 ----------------------
[green format_auto]$ ./myshell
Using address: 0xbffff818
bash-2.05b$ gdb -q
(gdb) exec-file ./myshell
(gdb) file myshell
Reading symbols from myshell...done.
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) break *main
Breakpoint 1 at 0x80484d3
(gdb) run
Starting program: /home/seclab/format_auto/myshell

Breakpoint 1, 0x080484d3 in main ()
(gdb) x/10x 0xbffff818
0xbffff818:     0x65687379      0x4c006c6c      0x41505f43      0x3d524550
0xbffff828:     0x415f6564      0x454c0054      0x454b5353      0x652f3d59
0xbffff838:     0x2e2f6374      0x7373656c
(gdb)
-----------------------------------------------------------

As you can see, reading from the shell's process memory (0xbffff818 is the
address of an environment variable) works just fine.
Here's what happens if I try the same with a newer kernel:

---------------------- kernel 2.6.12 ----------------------
phyrex:~/work/format_auto$ ./myshell
Using address: 0xbfa6f358
phyrex:~/work/format_auto$ gdb -q --exec=./myshell
(gdb) file myshell
Reading symbols from /home/seclab/work/format_auto/myshell...done.
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) break *main
Breakpoint 1 at 0x80484d3
(gdb) run
Starting program: /home/seclab/format_auto/myshell

Breakpoint 1, 0x080484d3 in main ()
(gdb) x/10x 0xbfa6f358
0xbfa6f358:     Cannot access memory at address 0xbfa6f358
(gdb) x/x 0xbfa6f358
0xbfa6f358:     Cannot access memory at address 0xbfa6f358
-----------------------------------------------------------

Sometimes instead of the "Cannot access memory at address ..." gdb tries
to show the content of the address, unfortunately not the real content:

-----------------------------------------------------------
(gdb) x/x 0xbfc47629
0xbfc47629:     0x00000000
-----------------------------------------------------------

Any help is greatly appreciated ;)

Sincerely,
Stefan
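The two transcripts above are consistent with the stack address randomisation that Linux 2.6.12 turned on by default (controlled by the sysctl kernel.randomize_va_space): the address myshell printed was valid inside that process, but the process gdb starts afterwards receives a different stack placement, so the old address is either unmapped ("Cannot access memory at address ...") or happens to hit some other mapped bytes (the 0x00000000 case). The Python script below is an added example and not code from the post; it assumes a Linux /proc filesystem, uses a constructed /proc/<pid>/maps sample modelled on the post's addresses, and checks two things a practitioner would want to verify: whether a given address falls inside the current [stack] mapping at all, and whether successive processes actually get different stack bases.

```python
import re
import subprocess
from pathlib import Path

# One line of /proc/<pid>/maps: "start-end perms offset dev inode [pathname]".
# Only the address range and the pathname column are used here.
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*)$"
)

# Constructed sample (not captured from the poster's machine), laid out so that
# the 2.6.12 address from the post, 0xbfa6f358, falls inside [stack] while the
# 2.6.11 address, 0xbffff818, does not.
SAMPLE_MAPS = """\
08048000-0804c000 r-xp 00000000 03:01 123456     /home/seclab/format_auto/myshell
0804c000-0804d000 rw-p 00003000 03:01 123456     /home/seclab/format_auto/myshell
b7f00000-b7f20000 r-xp 00000000 03:01 654321     /lib/tls/libc.so.6
bfa5c000-bfa70000 rw-p bfa5c000 00:00 0          [stack]
"""


def stack_range(maps_text):
    """Return (start, end) of the [stack] mapping in maps_text, or None."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(3).strip() == "[stack]":
            return int(m.group(1), 16), int(m.group(2), 16)
    return None


def address_in_stack(maps_text, addr):
    """True if addr lies inside the [stack] mapping described by maps_text.
    This is the condition under which 'x/x addr' in gdb can succeed at all."""
    rng = stack_range(maps_text)
    return rng is not None and rng[0] <= addr < rng[1]


def sample_stack_bases(runs=8):
    """Exec `cat /proc/self/maps` `runs` times and collect the distinct stack
    start addresses.  Every child is a fresh exec, so with randomisation on
    the set grows beyond one element; with it off every run reports the same
    base.  Returns an empty set where /proc (or cat) is unavailable."""
    bases = set()
    for _ in range(runs):
        try:
            out = subprocess.run(
                ["cat", "/proc/self/maps"],
                capture_output=True, text=True, check=True,
            ).stdout
        except (OSError, subprocess.CalledProcessError):
            return set()
        rng = stack_range(out)
        if rng is not None:
            bases.add(rng[0])
    return bases


def randomize_va_space():
    """Read the kernel's randomize_va_space sysctl (0 = off, 1 = stack and
    mmap randomised, 2 = brk randomised too).  None if the file is absent."""
    try:
        return int(Path("/proc/sys/kernel/randomize_va_space").read_text().strip())
    except (OSError, ValueError):
        return None


def randomization_observed(runs=8):
    """True when successive processes received different stack bases."""
    return len(sample_stack_bases(runs)) > 1


if __name__ == "__main__":
    print("randomize_va_space =", randomize_va_space())
    print("distinct stack bases over 8 runs:",
          [hex(b) for b in sorted(sample_stack_bases())])
    print("0xbfa6f358 inside sample [stack]:",
          address_in_stack(SAMPLE_MAPS, 0xBFA6F358))
    print("0xbffff818 inside sample [stack]:",
          address_in_stack(SAMPLE_MAPS, 0xBFFFF818))
```

Run it on the host in question: if randomize_va_space is non-zero and the sampled stack bases differ between runs, an address printed by one process is simply not meaningful in the next one, which is exactly the behaviour the two gdb sessions show. The address_in_stack check on a live maps dump (read /proc/<pid>/maps of the debuggee) tells you before issuing x/x whether the address can be read at all.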


