Sysfs文件系统read流程安全性分析

来源：互联网发布：卷皮淘宝客编辑：程序博客网时间：2024/06/18 17:57

1 概述

随着对安全的逐渐深入的学习，Linux系统是无法绕过的坎，接下来就渐渐的学习Linux的各种文件系统安全性，同时结合源码进行跟读学习。

在查看本文时，需要了解如何创建一个sys文件，了解show和store函数

2 参考文章

Linux源码：

http://lxr.free-electrons.com/

Cndn参考博客：

http://blog.csdn.net/angle_birds/article/details/8315298

http://blog.csdn.net/dndxhej/article/details/7435634

http://blog.csdn.net/zclongembedded/article/details/8689099

http://www.cnblogs.com/huxiao-tee/p/4657851.html

http://www.cnblogs.com/armlinux/archive/2010/10/10/2396903.html

3 Sysfs的变迁史

Sysfs是在2.6版本新加入的文件系统，以前是不存在的，本文的代码主要是采用当前linux嵌入式设备常用的3.10和最新的4.6系统作对比。

4 linux源码跟读

4.1公共部分用户态到VFS调用

在进行read函数时，其实就是执行普通的read操作，这里直接跳过，查看通过gilbc等调用的SYSCALL函数。

文件路径：fs/read_write.c 查找SYSCALL关键字

SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count){         struct fd f = fdget(fd);         ssize_t ret = -EBADF;          if (f.file) {                 loff_t pos = file_pos_read(f.file);                 ret = vfs_read(f.file, buf, count, &pos);//接下来调用的是vfs_read                 file_pos_write(f.file, pos);                 fdput(f);         }         return ret;}

文件路径：fs/read_write.c 查找vfs_read关键字

size_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos){        ssize_t ret;        if (!(file->f_mode & FMODE_READ))                return -EBADF;        if (!file->f_op || (!file->f_op->read && !file->f_op->aio_read))                return -EINVAL;        if (unlikely(!access_ok(VERIFY_WRITE, buf, count)))                return -EFAULT;        ret = rw_verify_area(READ, file, pos, count);        if (ret >= 0) {                count = ret;                if (file->f_op->read)                        ret = file->f_op->read(file, buf, count, pos);//从这一步开始就调用到了file_operations中的函数                else                        ret = do_sync_read(file, buf, count, pos);                if (ret > 0) {                        fsnotify_access(file);                        add_rchar(current, ret);                }                inc_syscr(current);        }        return ret;}

4.2 linux 3.10中Sysfs的实现

文件路径：fs/sysfs/file.c

const struct file_operations sysfs_file_operations = {        .read           = sysfs_read_file,//这里可以看到进一步查找read的实现函数        .write          = sysfs_write_file,        .llseek         = generic_file_llseek,        .open           = sysfs_open_file,        .release        = sysfs_release,        .poll           = sysfs_poll,};

文件路径：fs/sysfs/file.c

static ssize_t sysfs_read_file(struct file *file, char __user *buf, size_t count, loff_t *ppos){        struct sysfs_buffer * buffer = file->private_data;        ssize_t retval = 0;        mutex_lock(&buffer->mutex);        if (buffer->needs_read_fill || *ppos == 0) {                retval = fill_read_buffer(file->f_path.dentry,buffer);//最终需要执行的是这个函数，                if (retval)                       goto out;        }        pr_debug("%s: count = %zd, ppos = %lld, buf = %s\n",                 __func__, count, *ppos, buffer->page);        retval = simple_read_from_buffer(buf, count, ppos, buffer->page,                                         buffer->count);//这个函数需要格外注意out:        mutex_unlock(&buffer->mutex);        return retval;}

接下来查看fill_read_buffer源码

static int fill_read_buffer(struct dentry * dentry, struct sysfs_buffer * buffer){        struct sysfs_dirent *attr_sd = dentry->d_fsdata;        struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;        const struct sysfs_ops * ops = buffer->ops;        int ret = 0;        ssize_t count;        if (!buffer->page)                buffer->page = (char *) get_zeroed_page(GFP_KERNEL);        if (!buffer->page)                return -ENOMEM;        /* need attr_sd for attr and ops, its parent for kobj */        if (!sysfs_get_active(attr_sd))                return -ENODEV;        buffer->event = atomic_read(&attr_sd->s_attr.open->event);        count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);//sysfs文件实现的show函数        sysfs_put_active(attr_sd);        /*         * The code works fine with PAGE_SIZE return but it's likely to         * indicate truncated result or overflow in normal use cases.         */        if (count >= (ssize_t)PAGE_SIZE) {                print_symbol("fill_read_buffer: %s returned bad count\n",                        (unsigned long)ops->show);                /* Try to struggle along */                count = PAGE_SIZE - 1;        }        if (count >= 0) {                buffer->needs_read_fill = 0;                buffer->count = count;        } else {                ret = count;        }        return ret;}

安全性分析：在执行show函数时，其传入的buffer是安全的sysfs_buffer创建的内核态的buf，然后经过simple_read_from_buffer函数完成赋值，因此，sysfs在read过程是安全的，其中包含的函数是copy_to_user的安全函数，因此，可控的变量只有一个count

同理可以分析sysfs的write到store的过程，可控的变量也仅仅只有一个count（flush_write_buffer）

4.3 linux 4.4中Sysfs的实现

关于attribute和kobject的基本内容这里就忽略了

当创建的是device文件时

文件路径：linux/device.h

这个文件中包含下面四个宏（总线，类别，驱动，设备）

#define BUS_ATTR(_name, _mode, _show, _store)\struct bus_attribute bus_attr_##_name = __ATTR(_name, _mode, _show, _store)#define BUS_ATTR_RW(_name) \struct bus_attribute bus_attr_##_name = __ATTR_RW(_name)#define BUS_ATTR_RO(_name) \struct bus_attribute bus_attr_##_name = __ATTR_RO(_name)

#define DEVICE_ATTR(_name, _mode, _show, _store) \<span style="white-space:pre"></span>struct device_attribute dev_attr_##_name = __ATTR(_name, _mode, _show, _store)#define DEVICE_ATTR_RW(_name) \<span style="white-space:pre"></span>struct device_attribute dev_attr_##_name = __ATTR_RW(_name)#define DEVICE_ATTR_RO(_name) \<span style="white-space:pre"></span>struct device_attribute dev_attr_##_name = __ATTR_RO(_name)#define DEVICE_ATTR_WO(_name) \<span style="white-space:pre"></span>struct device_attribute dev_attr_##_name = __ATTR_WO(_name)

#define DRIVER_ATTR(_name, _mode, _show, _store) \struct driver_attribute driver_attr_##_name = __ATTR(_name, _mode, _show, _store)#define DRIVER_ATTR_RW(_name) \struct driver_attribute driver_attr_##_name = __ATTR_RW(_name)#define DRIVER_ATTR_RO(_name) \struct driver_attribute driver_attr_##_name = __ATTR_RO(_name)#define DRIVER_ATTR_WO(_name) \struct driver_attribute driver_attr_##_name = __ATTR_WO(_name)

#define CLASS_ATTR(_name, _mode, _show, _store) \struct class_attribute class_attr_##_name = __ATTR(_name, _mode, _show, _store)#define CLASS_ATTR_RW(_name) \struct class_attribute class_attr_##_name = __ATTR_RW(_name)#define CLASS_ATTR_RO(_name) \struct class_attribute class_attr_##_name = __ATTR_RO(_name)

其中以device为例，创建时调用

extern int device_create_file(struct device *device,      const struct device_attribute *entry);

/** * device_create_file - create sysfs attribute file for device. * @dev: device. * @attr: device attribute descriptor. */int device_create_file(struct device *dev,       const struct device_attribute *attr){int error = 0;if (dev) {WARN(((attr->attr.mode & S_IWUGO) && !attr->store),"Attribute %s: write permission without 'store'\n",attr->attr.name);WARN(((attr->attr.mode & S_IRUGO) && !attr->show),"Attribute %s: read permission without 'show'\n",attr->attr.name);error = sysfs_create_file(&dev->kobj, &attr->attr);}return error;}

进一步的进入

static inline int __must_check sysfs_create_file(struct kobject *kobj, const struct attribute *attr){return sysfs_create_file_ns(kobj, attr, NULL);}

int sysfs_add_file_mode_ns(struct kernfs_node *parent,   const struct attribute *attr, bool is_bin,   umode_t mode, const void *ns){struct lock_class_key *key = NULL;const struct kernfs_ops *ops;struct kernfs_node *kn;loff_t size;if (!is_bin) {struct kobject *kobj = parent->priv;const struct sysfs_ops *sysfs_ops = kobj->ktype->sysfs_ops;/* every kobject with an attribute needs a ktype assigned */if (WARN(!sysfs_ops, KERN_ERR "missing sysfs attribute operations for kobject: %s\n", kobject_name(kobj)))return -EINVAL;if (sysfs_ops->show && sysfs_ops->store) {if (mode & SYSFS_PREALLOC)ops = &sysfs_prealloc_kfops_rw;elseops = &sysfs_file_kfops_rw;} else if (sysfs_ops->show) {if (mode & SYSFS_PREALLOC)ops = &sysfs_prealloc_kfops_ro;elseops = &sysfs_file_kfops_ro;} else if (sysfs_ops->store) {if (mode & SYSFS_PREALLOC)ops = &sysfs_prealloc_kfops_wo;elseops = &sysfs_file_kfops_wo;} elseops = &sysfs_file_kfops_empty;size = PAGE_SIZE;} else {struct bin_attribute *battr = (void *)attr;if (battr->mmap)ops = &sysfs_bin_kfops_mmap;else if (battr->read && battr->write)ops = &sysfs_bin_kfops_rw;else if (battr->read)ops = &sysfs_bin_kfops_ro;else if (battr->write)ops = &sysfs_bin_kfops_wo;elseops = &sysfs_file_kfops_empty;size = battr->size;}

通过上面这个函数，完成file_operations的赋值

其中，

/* interface for exporting device attributes */struct device_attribute {        struct attribute        attr;        ssize_t (*show)(struct device *dev, struct device_attribute *attr,                        char *buf);        ssize_t (*store)(struct device *dev, struct device_attribute *attr,                         const char *buf, size_t count);};

文件路径：linux/sysfs.h

#define __ATTR(_name, _mode, _show, _store) {                           \        .attr = {.name = __stringify(_name),                            \                 .mode = VERIFY_OCTAL_PERMISSIONS(_mode) },             \        .show   = _show,                                                \        .store  = _store,                                               \}

其中：

static const struct kernfs_ops sysfs_file_kfops_empty = {};static const struct kernfs_ops sysfs_file_kfops_ro = {.seq_show= sysfs_kf_seq_show,};static const struct kernfs_ops sysfs_file_kfops_wo = {.write= sysfs_kf_write,};static const struct kernfs_ops sysfs_file_kfops_rw = {.seq_show= sysfs_kf_seq_show,.write= sysfs_kf_write,};static const struct kernfs_ops sysfs_prealloc_kfops_ro = {.read= sysfs_kf_read,.prealloc= true,};static const struct kernfs_ops sysfs_prealloc_kfops_wo = {.write= sysfs_kf_write,.prealloc= true,};static const struct kernfs_ops sysfs_prealloc_kfops_rw = {.read= sysfs_kf_read,.write= sysfs_kf_write,.prealloc= true,};static const struct kernfs_ops sysfs_bin_kfops_ro = {.read= sysfs_kf_bin_read,};static const struct kernfs_ops sysfs_bin_kfops_wo = {.write= sysfs_kf_bin_write,};static const struct kernfs_ops sysfs_bin_kfops_rw = {.read= sysfs_kf_bin_read,.write= sysfs_kf_bin_write,};static const struct kernfs_ops sysfs_bin_kfops_mmap = {.read= sysfs_kf_bin_read,.write= sysfs_kf_bin_write,.mmap= sysfs_kf_bin_mmap,};

最终通过调用到这个得到sysfs ops

/* * Determine ktype->sysfs_ops for the given kernfs_node.  This function * must be called while holding an active reference. */static const struct sysfs_ops *sysfs_file_ops(struct kernfs_node *kn){struct kobject *kobj = kn->parent->priv;if (kn->flags & KERNFS_LOCKDEP)lockdep_assert_held(kn);return kobj->ktype ? kobj->ktype->sysfs_ops : NULL;}

上面分析了创建的流程，

因此，当真正read的时候，流程也就比较清晰了

static struct kobj_type device_ktype = {.release= device_release,.sysfs_ops= &dev_sysfs_ops,.namespace= device_namespace,};

找到这个而文件的kobject，进一步就可以找到

static const struct sysfs_ops dev_sysfs_ops = {.show= dev_attr_show,.store= dev_attr_store,};

这里就是read，和write操作

static ssize_t dev_attr_show(struct kobject *kobj, struct attribute *attr,     char *buf){struct device_attribute *dev_attr = to_dev_attr(attr);struct device *dev = kobj_to_dev(kobj);ssize_t ret = -EIO;if (dev_attr->show)ret = dev_attr->show(dev, dev_attr, buf);//这里就是DEVICE_ATTR当时返回的attr中的opsif (ret >= (ssize_t)PAGE_SIZE) {print_symbol("dev_attr_show: %s returned bad count\n",(unsigned long)dev_attr->show);}return ret;}static ssize_t dev_attr_store(struct kobject *kobj, struct attribute *attr,      const char *buf, size_t count){struct device_attribute *dev_attr = to_dev_attr(attr);struct device *dev = kobj_to_dev(kobj);ssize_t ret = -EIO;if (dev_attr->store)ret = dev_attr->store(dev, dev_attr, buf, count);return ret;}

安全性分析，后续补充

1 0