Sysfs文件系统read流程安全性分析
1 概述
随着对安全的逐渐深入的学习,Linux系统是无法绕过的坎,接下来就渐渐的学习Linux的各种文件系统安全性,同时结合源码进行跟读学习。
阅读本文前,需要了解如何创建一个 sysfs 属性文件,以及属性的 show 和 store 回调分别在用户态 read、write 该文件时被调用。
2 参考文章
Linux源码:
http://lxr.free-electrons.com/
CSDN参考博客:
http://blog.csdn.net/angle_birds/article/details/8315298
http://blog.csdn.net/dndxhej/article/details/7435634
http://blog.csdn.net/zclongembedded/article/details/8689099
http://www.cnblogs.com/huxiao-tee/p/4657851.html
http://www.cnblogs.com/armlinux/archive/2010/10/10/2396903.html
3 Sysfs的变迁史
Sysfs 是 2.6 版本新加入的文件系统,之前并不存在。本文以当前嵌入式设备常用的 3.10 内核与较新的 4.x 内核(后文 4.3 节以 4.4 为准)的实现作对比。
4 linux源码跟读
4.1公共部分用户态到VFS调用
用户态对 sysfs 文件调用 read() 时,走的就是普通的 read 系统调用路径,这里直接跳过 glibc 等库的封装,查看内核中由 SYSCALL_DEFINE3 定义的系统调用入口。
文件路径:fs/read_write.c 查找SYSCALL关键字
/*
 * read(2) entry point (fs/read_write.c, 3.10).  fd, buf and count arrive
 * straight from user space; nothing here validates buf or count -- that is
 * left entirely to vfs_read().
 */
SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)
{
	struct fd f = fdget(fd);
	ssize_t ret = -EBADF;	/* default when fd does not resolve to an open file */

	if (f.file) {
		loff_t pos = file_pos_read(f.file);
		ret = vfs_read(f.file, buf, count, &pos);	/* next stop: vfs_read() */
		file_pos_write(f.file, pos);
		fdput(f);	/* drop the reference taken by fdget() */
	}
	return ret;
}
文件路径:fs/read_write.c 查找vfs_read关键字
/*
 * VFS-level read (fs/read_write.c, 3.10).  Every check on the user-supplied
 * buf/count happens here, before any filesystem-specific code runs.
 *
 * NOTE(review): the return type reads size_t in this listing, yet the
 * function returns negative errno values through an ssize_t; upstream
 * declares it ssize_t, so the leading 's' was most likely lost in the copy.
 */
size_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
{
	ssize_t ret;

	/* the file must have been opened for reading */
	if (!(file->f_mode & FMODE_READ))
		return -EBADF;
	/* the filesystem must provide some read method */
	if (!file->f_op || (!file->f_op->read && !file->f_op->aio_read))
		return -EINVAL;
	/* buf/count must describe a writable user-space range */
	if (unlikely(!access_ok(VERIFY_WRITE, buf, count)))
		return -EFAULT;

	ret = rw_verify_area(READ, file, pos, count);
	if (ret >= 0) {
		count = ret;	/* rw_verify_area() may have adjusted the length */
		if (file->f_op->read)
			ret = file->f_op->read(file, buf, count, pos);	/* dispatch into the file_operations */
		else
			ret = do_sync_read(file, buf, count, pos);
		if (ret > 0) {
			fsnotify_access(file);
			add_rchar(current, ret);
		}
		inc_syscr(current);
	}

	return ret;
}
4.2 linux 3.10中Sysfs的实现
文件路径:fs/sysfs/file.c
/* file_operations for every sysfs attribute file (3.10, fs/sysfs/file.c). */
const struct file_operations sysfs_file_operations = {
	.read		= sysfs_read_file,	/* read(2) lands here; see sysfs_read_file() below */
	.write		= sysfs_write_file,
	.llseek		= generic_file_llseek,	/* so the file offset (*ppos) is user-controlled via lseek(2) */
	.open		= sysfs_open_file,
	.release	= sysfs_release,
	.poll		= sysfs_poll,
};
文件路径:fs/sysfs/file.c
/*
 * .read for a sysfs attribute (3.10).  Regenerates the per-open page buffer
 * through show() when needed, then copies the requested window of it to
 * user space.  Returns bytes copied or a negative errno.
 */
static ssize_t sysfs_read_file(struct file *file, char __user *buf, size_t count, loff_t *ppos)
{
	struct sysfs_buffer * buffer = file->private_data;
	ssize_t retval = 0;

	mutex_lock(&buffer->mutex);
	/* refill on the first read, on a rewind to offset 0, or after invalidation */
	if (buffer->needs_read_fill || *ppos == 0) {
		retval = fill_read_buffer(file->f_path.dentry,buffer);	/* this is where show() runs */
		if (retval)
			goto out;
	}
	/* NOTE: with debug output enabled this dumps the whole attribute page into the log */
	pr_debug("%s: count = %zd, ppos = %lld, buf = %s\n",
		 __func__, count, *ppos, buffer->page);
	/*
	 * Bounded copy-out.  simple_read_from_buffer() (not shown here) is
	 * expected to clip the user-controlled count and *ppos against
	 * buffer->count, the length show() actually produced.
	 */
	retval = simple_read_from_buffer(buf, count, ppos, buffer->page,
					 buffer->count);
out:
	mutex_unlock(&buffer->mutex);
	return retval;
}
接下来查看fill_read_buffer源码
/*
 * Run the attribute's show() into buffer->page and record how many bytes it
 * produced in buffer->count.  Returns 0 on success or a negative errno (no
 * page, no active reference, or show() itself failing).
 */
static int fill_read_buffer(struct dentry * dentry, struct sysfs_buffer * buffer)
{
	struct sysfs_dirent *attr_sd = dentry->d_fsdata;
	struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
	const struct sysfs_ops * ops = buffer->ops;
	int ret = 0;
	ssize_t count;

	/* exactly one zeroed page, allocated on first use; this is all show() gets */
	if (!buffer->page)
		buffer->page = (char *) get_zeroed_page(GFP_KERNEL);
	if (!buffer->page)
		return -ENOMEM;

	/* need attr_sd for attr and ops, its parent for kobj */
	if (!sysfs_get_active(attr_sd))
		return -ENODEV;	/* no active reference available (attribute presumably going away) */
	buffer->event = atomic_read(&attr_sd->s_attr.open->event);
	/* the attribute's own show() callback, bracketed by the active reference */
	count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
	sysfs_put_active(attr_sd);

	/*
	 * The code works fine with PAGE_SIZE return but it's likely to
	 * indicate truncated result or overflow in normal use cases.
	 */
	if (count >= (ssize_t)PAGE_SIZE) {
		print_symbol("fill_read_buffer: %s returned bad count\n",
			(unsigned long)ops->show);
		/* Try to struggle along */
		/*
		 * NOTE(review): this only clamps the length that will later be
		 * copied out.  If show() really wrote past the page, the overflow
		 * has already happened by this point; the clamp cannot undo it.
		 */
		count = PAGE_SIZE - 1;
	}
	if (count >= 0) {
		buffer->needs_read_fill = 0;
		buffer->count = count;	/* upper bound for the later copy to user space */
	} else {
		ret = count;	/* show() returned an errno */
	}
	return ret;
}
安全性分析:执行 show 函数时,传入的 buffer 是 fill_read_buffer 通过 get_zeroed_page 申请的一页内核态内存(buffer->page),show 的返回值被记入 buffer->count,随后由 simple_read_from_buffer(内部基于 copy_to_user,并按 buffer->count 与当前偏移截断拷贝长度)拷贝到用户态。因此 sysfs 框架本身的 read 路径是安全的:用户态可控的只有 count 和文件偏移 *ppos(llseek 为 generic_file_llseek),二者都被限制在 buffer->count 之内。真正的风险点在具体属性的 show 实现:它必须保证写入 buf 的内容不超过 PAGE_SIZE,fill_read_buffer 中 count >= PAGE_SIZE 的检查只是在 show 返回之后把 count 截断为 PAGE_SIZE - 1,并不能阻止 show 内部已经发生的越界写。
同理可以分析 sysfs 的 write 到 store 的过程(sysfs_write_file → flush_write_buffer,本文未列出其源码):框架层面用户态可控的同样是 count,但 store 收到的 buf 内容完全来自用户态,因此 write 路径的审计重点应放在各属性 store 回调对输入的解析上(长度、数值范围、字符串是否以 '\0' 结尾)。
4.3 linux 4.4中Sysfs的实现
关于attribute和kobject的基本内容这里就忽略了
当创建的是device文件时
文件路径:linux/device.h
这个文件中包含下面四个宏(总线,类别,驱动,设备)
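/*
 * Attribute-definition helpers from include/linux/device.h.  Each expands to
 * a named <kind>_attribute variable whose name, mode and show/store callbacks
 * are filled in by __ATTR() (or by the __ATTR_RW/__ATTR_RO/__ATTR_WO
 * variants, which take only the attribute name and are not shown in this
 * listing).
 */

/* bus attributes */
#define BUS_ATTR(_name, _mode, _show, _store) \
	struct bus_attribute bus_attr_##_name = __ATTR(_name, _mode, _show, _store)
#define BUS_ATTR_RW(_name) \
	struct bus_attribute bus_attr_##_name = __ATTR_RW(_name)
#define BUS_ATTR_RO(_name) \
	struct bus_attribute bus_attr_##_name = __ATTR_RO(_name)

/* device attributes (the case followed in the rest of this article) */
#define DEVICE_ATTR(_name, _mode, _show, _store) \
	struct device_attribute dev_attr_##_name = __ATTR(_name, _mode, _show, _store)
#define DEVICE_ATTR_RW(_name) \
	struct device_attribute dev_attr_##_name = __ATTR_RW(_name)
#define DEVICE_ATTR_RO(_name) \
	struct device_attribute dev_attr_##_name = __ATTR_RO(_name)
#define DEVICE_ATTR_WO(_name) \
	struct device_attribute dev_attr_##_name = __ATTR_WO(_name)

/* driver attributes */
#define DRIVER_ATTR(_name, _mode, _show, _store) \
	struct driver_attribute driver_attr_##_name = __ATTR(_name, _mode, _show, _store)
#define DRIVER_ATTR_RW(_name) \
	struct driver_attribute driver_attr_##_name = __ATTR_RW(_name)
#define DRIVER_ATTR_RO(_name) \
	struct driver_attribute driver_attr_##_name = __ATTR_RO(_name)
#define DRIVER_ATTR_WO(_name) \
	struct driver_attribute driver_attr_##_name = __ATTR_WO(_name)

/* class attributes */
#define CLASS_ATTR(_name, _mode, _show, _store) \
	struct class_attribute class_attr_##_name = __ATTR(_name, _mode, _show, _store)
#define CLASS_ATTR_RW(_name) \
	struct class_attribute class_attr_##_name = __ATTR_RW(_name)
#define CLASS_ATTR_RO(_name) \
	struct class_attribute class_attr_##_name = __ATTR_RO(_name)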
其中以device为例,创建时调用
/* Public entry point: export a device_attribute under the device's sysfs directory. */
extern int device_create_file(struct device *device, const struct device_attribute *entry);
/**
 * device_create_file - create sysfs attribute file for device.
 * @dev: device.
 * @attr: device attribute descriptor.
 *
 * Returns 0 on success or the error from sysfs_create_file().  A NULL @dev
 * is silently treated as success: nothing is created and 0 is returned.
 */
int device_create_file(struct device *dev, const struct device_attribute *attr)
{
	int error = 0;

	if (dev) {
		/*
		 * Diagnostics only: a mode/callback mismatch is reported with
		 * WARN(), but the attribute file is still created below.
		 */
		WARN(((attr->attr.mode & S_IWUGO) && !attr->store),
			"Attribute %s: write permission without 'store'\n",
			attr->attr.name);
		WARN(((attr->attr.mode & S_IRUGO) && !attr->show),
			"Attribute %s: read permission without 'show'\n",
			attr->attr.name);
		error = sysfs_create_file(&dev->kobj, &attr->attr);
	}
	return error;
}
进一步的进入
/* Thin wrapper: create @attr under @kobj in the default (NULL) namespace. */
static inline int __must_check sysfs_create_file(struct kobject *kobj, const struct attribute *attr)
{
	return sysfs_create_file_ns(kobj, attr, NULL);
}
int sysfs_add_file_mode_ns(struct kernfs_node *parent, const struct attribute *attr, bool is_bin, umode_t mode, const void *ns){struct lock_class_key *key = NULL;const struct kernfs_ops *ops;struct kernfs_node *kn;loff_t size;if (!is_bin) {struct kobject *kobj = parent->priv;const struct sysfs_ops *sysfs_ops = kobj->ktype->sysfs_ops;/* every kobject with an attribute needs a ktype assigned */if (WARN(!sysfs_ops, KERN_ERR "missing sysfs attribute operations for kobject: %s\n", kobject_name(kobj)))return -EINVAL;if (sysfs_ops->show && sysfs_ops->store) {if (mode & SYSFS_PREALLOC)ops = &sysfs_prealloc_kfops_rw;elseops = &sysfs_file_kfops_rw;} else if (sysfs_ops->show) {if (mode & SYSFS_PREALLOC)ops = &sysfs_prealloc_kfops_ro;elseops = &sysfs_file_kfops_ro;} else if (sysfs_ops->store) {if (mode & SYSFS_PREALLOC)ops = &sysfs_prealloc_kfops_wo;elseops = &sysfs_file_kfops_wo;} elseops = &sysfs_file_kfops_empty;size = PAGE_SIZE;} else {struct bin_attribute *battr = (void *)attr;if (battr->mmap)ops = &sysfs_bin_kfops_mmap;else if (battr->read && battr->write)ops = &sysfs_bin_kfops_rw;else if (battr->read)ops = &sysfs_bin_kfops_ro;else if (battr->write)ops = &sysfs_bin_kfops_wo;elseops = &sysfs_file_kfops_empty;size = battr->size;}
上面的函数片段(此处只截取到选择 ops 的部分)根据 kobject 的 sysfs_ops 是否提供 show/store、属性是否带 SYSFS_PREALLOC 标志、以及是否为二进制属性,选定该 kernfs 节点使用的 kernfs_ops;4.x 中 sysfs 不再像 3.10 那样直接提供一套 file_operations,read/write 由 kernfs 层调用这些 kernfs_ops 完成。
其中,
/* interface for exporting device attributes */
struct device_attribute {
	struct attribute attr;	/* name and permission mode (filled in by __ATTR()) */
	/* fill @buf with the attribute's value; returns bytes written or -errno */
	ssize_t (*show)(struct device *dev, struct device_attribute *attr, char *buf);
	/*
	 * consume @count bytes of user-supplied data in @buf; returns bytes
	 * consumed or -errno (convention as handled by dev_attr_store())
	 */
	ssize_t (*store)(struct device *dev, struct device_attribute *attr, const char *buf, size_t count);
};
文件路径:linux/sysfs.h
/*
 * Build the initializer for a <kind>_attribute: stringify the name, run the
 * permission bits through VERIFY_OCTAL_PERMISSIONS() and wire up show/store.
 * VERIFY_OCTAL_PERMISSIONS() is presumably a compile-time check on _mode
 * (its definition is not shown here) -- confirm against include/linux/kernel.h.
 */
#define __ATTR(_name, _mode, _show, _store) {				\
	.attr = {.name = __stringify(_name),				\
		 .mode = VERIFY_OCTAL_PERMISSIONS(_mode) },		\
	.show	= _show,						\
	.store	= _store,						\
}
其中:
/*
 * kernfs_ops variants selected by sysfs_add_file_mode_ns() (4.x).  Each
 * table only carries the entries the attribute actually provides, so there
 * is no read or write entry for a callback the attribute does not have.
 */
static const struct kernfs_ops sysfs_file_kfops_empty = {
};

/* text attributes: .seq_show suggests show() is driven through a seq_file */
static const struct kernfs_ops sysfs_file_kfops_ro = {
	.seq_show	= sysfs_kf_seq_show,
};

static const struct kernfs_ops sysfs_file_kfops_wo = {
	.write		= sysfs_kf_write,
};

static const struct kernfs_ops sysfs_file_kfops_rw = {
	.seq_show	= sysfs_kf_seq_show,
	.write		= sysfs_kf_write,
};

/* SYSFS_PREALLOC attributes: plain .read instead of seq_show, buffer preallocated */
static const struct kernfs_ops sysfs_prealloc_kfops_ro = {
	.read		= sysfs_kf_read,
	.prealloc	= true,
};

static const struct kernfs_ops sysfs_prealloc_kfops_wo = {
	.write		= sysfs_kf_write,
	.prealloc	= true,
};

static const struct kernfs_ops sysfs_prealloc_kfops_rw = {
	.read		= sysfs_kf_read,
	.write		= sysfs_kf_write,
	.prealloc	= true,
};

/* binary attributes: raw read/write, optionally mmap */
static const struct kernfs_ops sysfs_bin_kfops_ro = {
	.read		= sysfs_kf_bin_read,
};

static const struct kernfs_ops sysfs_bin_kfops_wo = {
	.write		= sysfs_kf_bin_write,
};

static const struct kernfs_ops sysfs_bin_kfops_rw = {
	.read		= sysfs_kf_bin_read,
	.write		= sysfs_kf_bin_write,
};

static const struct kernfs_ops sysfs_bin_kfops_mmap = {
	.read		= sysfs_kf_bin_read,
	.write		= sysfs_kf_bin_write,
	.mmap		= sysfs_kf_bin_mmap,
};
kernfs 回调最终通过下面这个函数取得该节点所属 kobject 的 sysfs_ops:
/*
 * Determine ktype->sysfs_ops for the given kernfs_node. This function
 * must be called while holding an active reference.
 */
static const struct sysfs_ops *sysfs_file_ops(struct kernfs_node *kn)
{
	/* the attribute's parent directory node carries the owning kobject */
	struct kobject *kobj = kn->parent->priv;

	if (kn->flags & KERNFS_LOCKDEP)
		lockdep_assert_held(kn);
	/* NULL when the kobject has no ktype; callers must handle that */
	return kobj->ktype ? kobj->ktype->sysfs_ops : NULL;
}
上面分析了创建的流程,
因此,当真正read的时候,流程也就比较清晰了
/* ktype for device kobjects; routes sysfs show/store to dev_sysfs_ops. */
static struct kobj_type device_ktype = {
	.release	= device_release,
	.sysfs_ops	= &dev_sysfs_ops,	/* show/store dispatch for device attributes */
	.namespace	= device_namespace,
};
找到该文件对应的 kobject 及其 ktype 后,进一步就可以找到
/* sysfs_ops for device kobjects: map generic kobject show/store onto device_attribute callbacks. */
static const struct sysfs_ops dev_sysfs_ops = {
	.show	= dev_attr_show,
	.store	= dev_attr_store,
};
这里就是read,和write操作
/*
 * show() dispatcher for device attributes.  Returns whatever the attribute's
 * own show() returned, or -EIO if it has none.
 */
static ssize_t dev_attr_show(struct kobject *kobj, struct attribute *attr, char *buf)
{
	struct device_attribute *dev_attr = to_dev_attr(attr);
	struct device *dev = kobj_to_dev(kobj);
	ssize_t ret = -EIO;

	if (dev_attr->show)
		ret = dev_attr->show(dev, dev_attr, buf);	/* the callback registered through DEVICE_ATTR() */
	/*
	 * NOTE(review): a return >= PAGE_SIZE is only logged here, not
	 * clamped -- ret is passed back unchanged, so any length policing has
	 * to happen in the kernfs caller or in show() itself.
	 */
	if (ret >= (ssize_t)PAGE_SIZE) {
		print_symbol("dev_attr_show: %s returned bad count\n",
				(unsigned long)dev_attr->show);
	}
	return ret;
}

/*
 * store() dispatcher for device attributes.  @buf/@count are handed to the
 * attribute's store() without further validation; -EIO if it has none.
 */
static ssize_t dev_attr_store(struct kobject *kobj, struct attribute *attr, const char *buf, size_t count)
{
	struct device_attribute *dev_attr = to_dev_attr(attr);
	struct device *dev = kobj_to_dev(kobj);
	ssize_t ret = -EIO;

	if (dev_attr->store)
		ret = dev_attr->store(dev, dev_attr, buf, count);
	return ret;
}
安全性分析:从上面的代码可以看出,4.4 中 dev_attr_show 在 show 的返回值 >= PAGE_SIZE 时只通过 print_symbol 打印告警,并不像 3.10 的 fill_read_buffer 那样把返回值截断,而是原样返回给 kernfs 层;dev_attr_store 则对 count 和 buf 不做任何检查,直接交给属性自己的 store。因此与 3.10 一样,框架层只负责缓冲区与拷贝,各属性 show/store 的实现(写入 buf 的长度上限、对用户输入的解析)仍是审计重点。kernfs 层 sysfs_kf_seq_show / sysfs_kf_write 中的截断与拷贝逻辑后续补充。