Process Address Space: The way to create virtual
address (page table) of userspace application
Adrian Huang | Oct, 2021
* Based on kernel 5.11 (x86_64) – QEMU
* SMP (4 CPUs) and 8GB memory
* Kernel parameter: nokaslr norandmaps
* Userspace: ASLR is disabled
* Legacy BIOS
Agenda
• 64-bit Virtual Address
• mm_struct & VMA
• Detail about stack
• Stack configuration via bprm_execve()
• Important function: load_elf_binary()
• Auxiliary Vector
• How does Linux call your main() function? The call path?
• Statically-linked program
• Base address: 0x400000
• Dynamically-linked program
• Base address: 0x555555554000
• Do you know why the base address of a dynamically-linked program is the
base address ‘0x555555554000’?
64-bit Process Virtual Address
64-bit Virtual Address
• User Space: 0 to 0x0000_7FFF_FFFF_FFFF (128TB)
• Empty Space
• Kernel Space: 0xFFFF_8000_0000_0000 to 0xFFFF_FFFF_FFFF_FFFF (128TB)
• 128MB gap
Note: Disable User Space Address Randomization
• [Option 1] Disable ASLR (Address Space Layout Randomization)
# echo 0 > /proc/sys/kernel/randomize_va_space
• [Option 2] kernel parameter: norandmaps
Process Address Space – mm_struct & VMA
64-bit Process Virtual Address – Stack Layout
shell (ex: bash) - `cat hello.c`
• while(1): wait for user input
• fork
• parent
• child: shell_execve -> execve(command, args, env)
Kernel: copy from user
User space stack created by kernel
• File name (Ex: /bin/mount)
• 4KB - Hole
• Environment strings
• Command-line arguments
• Dynamic linker’s table (Auxiliary Vector)
• envp[]
• argv[]
• argc
• Return address
Stack layout when executing a command
• 0x7FFF_FFFF_FFFF
• 4KB - hole
• vma->vm_end = STACK_TOP_MAX = 0x7FFF_FFFF_F000
• User Space Stack: 4KB (PAGE_SIZE)
• vma->vm_start = 0x7FFF_FFFF_E000
• bprm->p = vma->vm_end - sizeof(void *) = 0x7FFF_FFFF_EFF8 (Current top of memory)
kernel_init -> run_init_process: init process (pid = 1) - Stack
linux_binprm
• vma
• vma_pages
• mm
• struct file *executable
• struct file *interpreter
• struct file *file
• const char *filename = “/init”
• const char *interp = “/init”
• argc = 2
• envc = 3
• rlim_stack
• char buf[]
[Argument/environment space] Case #1
[Argument/environment space] Case #2
linux_binprm: changes shown on the following slides
• kernel_read() reads the start of the file into char buf[]
• const char *interp: “/init” -> “/bin/sh”
• argc: 2 -> 3
• file: /bin/sh, file: /init
• struct file *interpreter = NULL
• file: /bin/sh
kernel_init -> run_init_process: init process (pid = 1)
• depth = 1
[Dynamic linking] ld-linux.so: dynamic linker/loader
• Find and load the shared objects (shared libraries) needed by a program, prepare the program to run, and then run it
• `man ld-linux`
Description from `man execve`:
• de_thread(): All threads other than the calling thread are destroyed during an execve(). Mutexes, condition variables, and other pthreads objects are not preserved.
• unshare_files(): The file descriptor table is unshared, undoing the effect of the CLONE_FILES flag of clone(2).
• exec_mmap():
  1. The program that is currently being run by the calling process is replaced with a new program, with newly initialized stack, heap, and (initialized and uninitialized) data segments.
  2. Memory mappings are not preserved.
• unshare_sighand(): The signal dispositions are unshared, undoing the effect of the CLONE_SIGHAND flag of clone(2) – Not from `man execve`
• do_close_on_exec(): By default, file descriptors remain open across an execve(). File descriptors that are marked close-on-exec are closed.
CLONE_FILES flag is set
load_elf_binary()->setup_new_exec()
load_elf_binary()->setup_arg_pages()
expand_stack()
load_elf_binary(): load PT_LOAD program headers
Note: statically linked program
load_elf_binary(): set_brk() & padzero()
Note: statically linked program
create_elf_tables()
create_elf_tables() – User space stack
create_elf_tables() - Auxiliary Vector
mm_struct: unsigned long saved_auxv[]
• saved_auxv[0]: Auxiliary Table Entry ID
• saved_auxv[1]: Auxiliary Table Entry Value
• ...
• saved_auxv[n]
User Space Virtual Memory Layout - Stack (high address to low address)
• 4KB - hole
• 8-byte hole
• filename: “/init”
• Environment strings: dyndbg=file arch/x86/mm/init.c +p, TERM=linux, HOME=/
• Argument strings: nokaslr, /init, /bin/sh
• ELF_PLATFORM: “x86_64”
• 16-byte random characters
• Auxiliary Vector
• 0
• envp[2]
• envp[1]
• envp[0]
• 0
• argv[2]
• argv[1]
• argv[0]
• argc = bprm->argc (=3)
• Stack Guard Gap
• mmap
More Info
• `man getauxval`
• https://lwn.net/Articles/519085/
load_elf_binary() -> START_THREAD()
Kernel Stack (THREAD_SIZE = 16KB)
• task.stack: STACK_END_MAGIC = 0x57AC6E9D
• kernel stack usage space
• task.thread_struct.sp: struct fork_frame, struct inactive_task_frame
• struct pt_regs (save CPU registers for userspace application)
• task.stack + THREAD_SIZE
load_elf_binary() -> START_THREAD() – Statically-linked program
• pt_regs: ip = 0x401c10, _start() in executable file ‘busybox’
Statically-linked program (OS: Ubuntu 20.04.3)
User Space Stack
• File name (Ex: /tmp/hello)
• 4KB - Hole
• Environment strings
• Command-line arguments
• Dynamic linker’s table (Auxiliary Vector)
• envp[]
• argv[]
• argc
• Return address
Call path in /tmp/hello
• _start
• __libc_start_main - LIBC_START_MAIN in csu/libc-start.c (/lib/x86_64-linux-gnu/libc.so.6 -> libc-2.31.so): Pass address of main()
• main
Dynamically-linked program (OS: Ubuntu 20.04.3)
Kernel Stack
• STACK_END_MAGIC
• kernel stack usage space
• struct inactive_task_frame
• pt_regs: ip = 0x7ffff7fd0100
User Space Stack
• File name (Ex: /tmp/hello)
• 4KB - Hole
• Environment strings
• Command-line arguments
• Dynamic linker’s table (Auxiliary Vector)
• envp[]
• argv[]
• argc
• Return address
Call path in /lib64/ld-linux-x86-64.so.2 -> /lib/x86_64-linux-gnu/ld-2.31.so
• _start
• _dl_start
• _dl_start_final
• _dl_sysdep_start: Parse auxiliary vector. For example: Get ‘AT_ENTRY’ value = 0x555555555060
• dl_main: load binary/libraries and perform relocation
• [Function Return] Return value of _dl_start() = Address of _start() of the executable file
• _dl_start_user (Next IP of _dl_start()): Jump to ‘AT_ENTRY’ value = 0x555555555060
Call path in /tmp/hello
• _start
• __libc_start_main - LIBC_START_MAIN in csu/libc-start.c (/lib/x86_64-linux-gnu/libc.so.6 -> libc-2.31.so): Pass address of main()
• main
Ubuntu 20.04.3 RHEL8.2
[Dynamically-linked program] Executable file: where is “_start()” from?
*crt*.o (C Runtime): A set of execution startup routines linked into a C program that
performs initialization work before calling the program’s main function.
Reference
https://dev.gentoo.org/~vapier/crt.txt
https://en.wikipedia.org/wiki/Crt0
Auxiliary vector & base address of a program
Dynamically-linked program | Statically-linked program
Why is the base address ‘0x555555554000’ for a dynamically-linked program?
Demand paging
Demand paging: copy a disk page into physical memory if a page fault occurs
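The auxiliary vector that create_elf_tables() places above envp[], and the base-address question above, worked through as an added example (not code from the slides). It assumes x86_64 Linux with glibc, 4-level paging and 4KB pages; the function names are hypothetical, and et_dyn_base_no_aslr() reproduces the kernel's ELF_ET_DYN_BASE arithmetic for the case where randomization is disabled.

```c
#define _GNU_SOURCE
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/auxv.h>

extern char **environ;

/* The auxiliary vector sits directly above the NULL that terminates
 * envp[] on the initial stack, so walking past that NULL finds it. */
const Elf64_auxv_t *auxv_from_envp(char **envp)
{
    while (*envp != NULL)
        envp++;
    return (const Elf64_auxv_t *)(envp + 1);
}

/* Look up one entry; returns 1 and stores the value when the type exists. */
int auxv_lookup(const Elf64_auxv_t *av, uint64_t type, uint64_t *val)
{
    for (; av->a_type != AT_NULL; av++) {
        if (av->a_type == type) {
            *val = av->a_un.a_val;
            return 1;
        }
    }
    return 0;
}

/* Pointer-valued entries refer to data the kernel pushed before the
 * pointer tables (file name, platform string, 16 random bytes), so they
 * must lie at higher addresses than the vector itself.
 * Returns 1 when that holds for every such entry that is present. */
int auxv_data_above_vector(const Elf64_auxv_t *av)
{
    static const uint64_t ptr_types[] = { AT_RANDOM, AT_PLATFORM, AT_EXECFN };
    const Elf64_auxv_t *end = av;
    uint64_t v;
    size_t i;

    while (end->a_type != AT_NULL)
        end++;
    for (i = 0; i < sizeof(ptr_types) / sizeof(ptr_types[0]); i++)
        if (auxv_lookup(av, ptr_types[i], &v) && v <= (uint64_t)(uintptr_t)end)
            return 0;
    return 1;
}

/* Load address of a PIE (ET_DYN) executable when randomization is off:
 * two thirds of the user address window, rounded down to a page. */
uint64_t et_dyn_base_no_aslr(void)
{
    const uint64_t page_size = 4096;                      /* assumption: 4KB pages */
    const uint64_t map_window = (1ULL << 47) - page_size; /* DEFAULT_MAP_WINDOW */
    const uint64_t et_dyn_base = map_window / 3 * 2;      /* ELF_ET_DYN_BASE */

    return et_dyn_base & ~(page_size - 1);                /* ELF_PAGESTART */
}

int main(int argc, char **argv, char **envp)
{
    static const struct { uint64_t type; const char *name; } show[] = {
        { AT_PHDR, "AT_PHDR" },     { AT_ENTRY, "AT_ENTRY" },
        { AT_BASE, "AT_BASE" },     { AT_PAGESZ, "AT_PAGESZ" },
        { AT_RANDOM, "AT_RANDOM" }, { AT_EXECFN, "AT_EXECFN" },
    };
    const Elf64_auxv_t *av = auxv_from_envp(envp);
    uint64_t v;
    size_t i;

    (void)argc;
    (void)argv;
    for (i = 0; i < sizeof(show) / sizeof(show[0]); i++)
        if (auxv_lookup(av, show[i].type, &v))
            printf("%-10s = 0x%llx\n", show[i].name, (unsigned long long)v);
    if (auxv_lookup(av, AT_EXECFN, &v))
        printf("AT_EXECFN string: %s\n", (const char *)(uintptr_t)v);
    printf("PIE base with randomization off: 0x%llx\n",
           (unsigned long long)et_dyn_base_no_aslr());
    return auxv_data_above_vector(av) ? 0 : 1;
}
```

With randomization disabled as in the slides, AT_PHDR and AT_ENTRY of a dynamically-linked binary fall just above the printed base; with ASLR enabled they move on every run while AT_RANDOM keeps pointing at the 16 random bytes on the stack.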
Top 10 Client Portal Software Solutions for 2025.docx
Portli
 
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG:  Efficient Knowledge Retrieval for Enterprise AIScaling GraphRAG:  Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
danshalev
 
Salesforce Aged Complex Org Revitalization Process .pdf
Salesforce Aged Complex Org Revitalization Process .pdfSalesforce Aged Complex Org Revitalization Process .pdf
Salesforce Aged Complex Org Revitalization Process .pdf
SRINIVASARAO PUSULURI
 
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
steaveroggers
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
Ad

Process Address Space: The way to create virtual address (page table) of userspace application

  • 1. Process Address Space: The way to create virtual address (page table) of userspace application Adrian Huang | Oct, 2021 * Based on kernel 5.11 (x86_64) – QEMU * SMP (4 CPUs) and 8GB memory * Kernel parameter: nokaslr norandmaps * Userspace: ASLR is disabled * Legacy BIOS
  • 2. Agenda • 64-bit Virtual Address • mm_struct & VMA • Detail about stack • Stack configuration via bprm_execve() • Important function: load_elf_binary() • Auxiliary Vector • How does Linux call your main() function? The call path? • Statically-linked program • Base address: 0x400000 • Dynamically-linked program • Base address: 0x555555554000 • Do you know why the base address of a dynamically-linked program is the base address ‘0x555555554000’?
  • 3. 64-bit Process Virtual Address. 64-bit Virtual Address: User Space (128TB) from 0 to 0x0000_7FFF_FFFF_FFFF; Empty Space; Kernel Space (128TB) from 0xFFFF_8000_0000_0000 to 0xFFFF_FFFF_FFFF_FFFF; 128MB gap. Note: Disable User Space Address Randomization • [Option 1] Disable ASLR (Address Space Layout Randomization): `# echo 0 > /proc/sys/kernel/randomize_va_space` • [Option 2] kernel parameter: norandmaps
  • 4. Process Address Space – mm_struct & VMA
  • 5. Process Address Space – mm_struct & VMA
  • 6. Process Address Space – mm_struct & VMA
  • 7. 64-bit Process Virtual Address – Stack Layout
  • 8. wait for user input while(1) fork child parent shell_execve execve(command, args, env) shell (ex: bash) - `cat hello.c` File name (Ex: /bin/mount) 4KB - Hole Environment strings Command-line arguments Dynamic linker’s table (Auxiliary Vector) envp[] argv[] argc Return address User space stack created by kernel Kernel copy from user copy from user copy from user Stack layout when executing a command
  • 9. kernel_init -> run_init_process: init process (pid = 1) - Stack. User Space Stack: 0x7FFF_FFFF_FFFF; 4KB - hole; vma->vm_end = STACK_TOP_MAX = 0x7FFF_FFFF_F000; 4KB (PAGE_SIZE); vma->vm_start = 0x7FFF_FFFF_E000. bprm->p = vma->vm_end - sizeof(void *) = 0x7FFF_FFFF_EFF8 (Current top of memory). linux_binprm: vma, vma_pages, mm, struct file *executable, struct file *interpreter, struct file *file, const char *filename = “/init”, const char *interp = “/init”, argc = 2, envc = 3, rlim_stack, char buf[]
  • 10. [Argument/environment space] Case #1 [Argument/environment space] Case #2 kernel_init -> run_init_process: init process (pid = 1) - Stack
  • 11. kernel_init -> run_init_process: init process (pid = 1) - Stack
  • 12. 1 2 3 4 kernel_init -> run_init_process: init process (pid = 1) - Stack
  • 13. kernel_init -> run_init_process: init process (pid = 1) - Stack
  • 14. kernel_init -> run_init_process: init process (pid = 1) - Stack
  • 15. kernel_init -> run_init_process: init process (pid = 1) - Stack
  • 16. kernel_init -> run_init_process: init process (pid = 1) - Stack. linux_binprm: vma, vma_pages, mm, struct file *executable, struct file *interpreter, struct file *file, const char *filename = “/init”, const char *interp = “/init”, argc = 2, envc = 3, rlim_stack, char buf[] (kernel_read)
  • 17. kernel_init -> run_init_process: init process (pid = 1) - Stack. linux_binprm: vma, vma_pages, mm, struct file *executable, struct file *interpreter, struct file *file, const char *filename = “/init”, const char *interp = “/init” → “/bin/sh”, argc = 2 → 3, envc = 3, rlim_stack, char buf[] (kernel_read). Files: /bin/sh, /init
  • 18. kernel_init -> run_init_process: init process (pid = 1). linux_binprm, first copy: vma, vma_pages, mm, struct file *executable, struct file *interpreter, struct file *file, const char *filename = “/init”, const char *interp = “/init” → “/bin/sh”, argc = 2 → 3, envc = 3, rlim_stack, char buf[] (kernel_read); files: /bin/sh, /init. linux_binprm, second copy: vma, vma_pages, mm, struct file *executable, struct file *interpreter = NULL, struct file *file, const char *filename = “/init”, const char *interp = “/init” → “/bin/sh”, argc = 2 → 3, envc = 3, rlim_stack, char buf[] (kernel_read); file: /bin/sh
  • 19. kernel_init -> run_init_process: init process (pid = 1). linux_binprm: vma, vma_pages, mm, struct file *executable, struct file *interpreter = NULL, struct file *file, const char *filename = “/init”, const char *interp = “/init” → “/bin/sh”, argc = 2 → 3, envc = 3, rlim_stack, char buf[] (kernel_read); file: /bin/sh; depth = 1
  • 20. kernel_init -> run_init_process: init process (pid = 1), depth = 1. [Dynamic linking] ld-linux.so: dynamic linker/loader • Find and load the shared objects (shared libraries) needed by a program, prepare the program to run, and then run it • `man ld-linux`
  • 21. kernel_init -> run_init_process: init process (pid = 1). Descriptions are from `man execve` unless noted otherwise:
      • de_thread(): All threads other than the calling thread are destroyed during an execve(). Mutexes, condition variables, and other pthreads objects are not preserved.
      • unshare_files(): The file descriptor table is unshared, undoing the effect of the CLONE_FILES flag of clone(2).
      • exec_mmap(): 1. The program that is currently being run by the calling process is replaced with a new program, with newly initialized stack, heap, and (initialized and uninitialized) data segments. 2. Memory mappings are not preserved.
      • unshare_sighand(): The signal dispositions are unshared, undoing the effect of the CLONE_SIGHAND flag of clone(2) (not from `man execve`).
      • do_close_on_exec(): By default, file descriptors remain open across an execve(). File descriptors that are marked close-on-exec are closed.
  • 22. kernel_init -> run_init_process: init process (pid = 1) CLONE_FILES flag is set
  • 23. kernel_init -> run_init_process: init process (pid = 1)
  • 25. kernel_init -> run_init_process: init process (pid = 1)
  • 29. load_elf_binary(): load PT_LOAD program headers Note: statically linked program
  • 31. load_elf_binary(): set_brk() & padzero() Note: statically linked program
  • 34. create_elf_tables() - Auxiliary Vector. mm_struct: unsigned long saved_auxv[], holding pairs of (Auxiliary Table Entry ID, Auxiliary Table Entry Value) in saved_auxv[0], saved_auxv[1], ..., saved_auxv[n]. User Space Virtual Memory Layout - Stack (diagram labels): 4KB - hole; 8-byte hole; filename: “/init”; environment strings: dyndbg=file arch/x86/mm/init.c +p, TERM=linux, HOME=/; argument strings: nokaslr, /init, /bin/sh; ELF_PLATFORM: “x86_64”; 16-byte random characters; Auxiliary Vector; envp[2], envp[1], envp[0] and argv[2], argv[1], argv[0], each array followed by a 0 terminator; argc = bprm->argc (=3); Stack Guard Gap; mmap. More Info • `man getauxval` • https://lwn.net/Articles/519085/
  • 37. load_elf_binary() -> START_THREAD() – Statically-linked program STACK_END_MAGIC = 0x57AC6E9D struct pt_regs (save CPU registers for userspace application) task.stack THREAD_SIZE = 16KB kernel stack usage space task.stack + THREAD_SIZE struct inactive_task_frame task.thread_struct.sp struct fork_frame Kernel Stack _start() in executable file ‘busybox’
  • 38. Statically-linked program (OS: Ubuntu 20.04.3). Kernel Stack: STACK_END_MAGIC; kernel stack usage space; struct inactive_task_frame; …; pt_regs with ip = 0x401c10. User Space Stack: File name (Ex: /tmp/hello); 4KB - Hole; Environment strings; Command-line arguments; Dynamic linker’s table (Auxiliary Vector); envp[]; argv[]; argc; Return address. Call path in /tmp/hello: _start -> __libc_start_main (LIBC_START_MAIN in csu/libc-start.c; /lib/x86_64-linux-gnu/libc.so.6 -> libc-2.31.so; pass address of main()) -> main
  • 39. Dynamically-linked program (OS: Ubuntu 20.04.3). Kernel Stack: STACK_END_MAGIC; kernel stack usage space; struct inactive_task_frame; …; pt_regs with ip = 0x7ffff7fd0100. User Space Stack: File name (Ex: /tmp/hello); 4KB - Hole; Environment strings; Command-line arguments; Dynamic linker’s table (Auxiliary Vector); envp[]; argv[]; argc; Return address. Call path in /lib64/ld-linux-x86-64.so.2 -> /lib/x86_64-linux-gnu/ld-2.31.so: _start -> _dl_start -> _dl_start_final -> _dl_sysdep_start (parse auxiliary vector, for example: get ‘AT_ENTRY’ value = 0x555555555060) -> dl_main (load binary/libraries and perform relocation). [Function Return] Return value of _dl_start() = address of _start() of the executable file; next IP of _dl_start() is _dl_start_user, which jumps to the ‘AT_ENTRY’ value = 0x555555555060. Call path in /tmp/hello: _start -> __libc_start_main (LIBC_START_MAIN in csu/libc-start.c; /lib/x86_64-linux-gnu/libc.so.6 -> libc-2.31.so; pass address of main()) -> main
  • 40. STACK_END_MAGIC ip = 0x7ffff7fd0100 kernel stack usage space struct inactive_task_frame Kernel Stack Dynamically-linked program (OS: Ubuntu 20.04.3) … pt_regs +
  • 41. /lib64/ld-linux-x86-64.so.2 _start _dl_start _dl_start_user [Function Return] Next IP of _dl_start() Return value of _dl_start() = Address of _start() of the executable file /lib64/ld-linux-x86-64.so.2 -> /lib/x86_64-linux-gnu/ld-2.31.so Jump to ‘AT_ENTRY’ value = 0x555555555060 Ubuntu 20.04.3 RHEL8.2
  • 42. [Dynamically-linked program] Executable file: where is “_start()” from? *crt*.o (C Runtime): A set of execution startup routines linked into a C program that performs initialization work before calling the program’s main function. Reference: https://dev.gentoo.org/~vapier/crt.txt, https://en.wikipedia.org/wiki/Crt0
  • 43. [Dynamically-linked program] Executable file: where is “_start()” from?
  • 44. Auxiliary vector & base address of a program Dynamically-linked program Statically-linked program + Why is the base address ‘0x555555554000’ for a dynamically-linked program?
  • 45. Why is the base address ‘0x555555554000’ for a dynamically-linked program?
  • 46. Demand paging Demand paging: copy a disk page into physical memory if a page fault occurs
  • 47. Demand paging Demand paging: copy a disk page into physical memory if a page fault occurs
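The stack layout on slide 34 (argc, argv[], envp[], then the auxiliary vector) can be checked from inside a running process. The following C program is an added example, not part of the original slides: it walks from `environ` past the envp[] terminator to the auxiliary vector and cross-checks entries against getauxval(). The helper names `auxv_after_envp` and `auxv_lookup` are made up for this illustration, and a 64-bit Linux target is assumed.

```c
#include <elf.h>       /* Elf64_auxv_t and the AT_* entry IDs */
#include <stdio.h>
#include <sys/auxv.h>  /* getauxval(), used only to cross-check the walk */

extern char **environ; /* still the kernel-built envp[] unless setenv() ran */

/* The auxiliary vector starts right after the NULL that terminates envp[]. */
static const Elf64_auxv_t *auxv_after_envp(char **envp)
{
    while (*envp != NULL)
        envp++;
    return (const Elf64_auxv_t *)(envp + 1);
}

/* Scan (ID, value) pairs up to AT_NULL; *found separates "0" from "absent". */
static unsigned long auxv_lookup(const Elf64_auxv_t *av, unsigned long id,
                                 int *found)
{
    for (; av->a_type != AT_NULL; av++) {
        if (av->a_type == id) {
            if (found)
                *found = 1;
            return av->a_un.a_val;
        }
    }
    if (found)
        *found = 0;
    return 0;
}

int main(void)
{
    static const struct { unsigned long id; const char *name; } want[] = {
        { AT_PHDR, "AT_PHDR" },     { AT_BASE, "AT_BASE" },
        { AT_ENTRY, "AT_ENTRY" },   { AT_PAGESZ, "AT_PAGESZ" },
        { AT_SECURE, "AT_SECURE" }, { AT_RANDOM, "AT_RANDOM" },
    };
    const Elf64_auxv_t *av = auxv_after_envp(environ);

    for (size_t i = 0; i < sizeof(want) / sizeof(want[0]); i++) {
        int found;
        unsigned long v = auxv_lookup(av, want[i].id, &found);
        printf("%-10s stack=0x%lx getauxval=0x%lx%s\n", want[i].name, v,
               getauxval(want[i].id), found ? "" : " (absent)");
    }
    const char *plat = (const char *)auxv_lookup(av, AT_PLATFORM, NULL);
    printf("AT_PLATFORM \"%s\"\n", plat ? plat : "(none)");
    return 0;
}
```

AT_RANDOM points at the 16 random bytes shown on the slide, and AT_BASE and AT_ENTRY are the load addresses that ASLR randomizes, so a dump of this vector reveals the process layout.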
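Slides 44 and 45 ask why a dynamically-linked program is based at 0x555555554000. The following C sketch is an added example, not kernel code and not part of the slides: it models, in simplified form, how load_elf_binary() picks the load bias for an ET_DYN executable with an interpreter on x86_64. The function names, the 28-bit `MMAP_RND_BITS` default and the `e_entry` offset 0x1060 (the slides' AT_ENTRY minus the base) are assumptions of the example.

```c
#include <stdio.h>

#define PAGE_SHIFT          12
#define PAGE_SIZE           (1UL << PAGE_SHIFT)
/* x86_64, 4-level paging: user space ends one page below 2^47 */
#define DEFAULT_MAP_WINDOW  ((1UL << 47) - PAGE_SIZE)
/* arch/x86/include/asm/elf.h, 64-bit case */
#define ELF_ET_DYN_BASE     (DEFAULT_MAP_WINDOW / 3 * 2)
#define ELF_PAGESTART(v)    ((v) & ~(PAGE_SIZE - 1))
/* Assumption: default CONFIG_ARCH_MMAP_RND_BITS on x86_64 */
#define MMAP_RND_BITS       28

/* Simplified model of the ET_DYN-with-interpreter branch of load_elf_binary():
 * rnd_pages stands in for arch_mmap_rnd() >> PAGE_SHIFT (0 when ASLR is off),
 * vaddr is p_vaddr of the first PT_LOAD segment (0 for a typical PIE). */
static unsigned long pie_load_bias(unsigned long rnd_pages, unsigned long vaddr)
{
    unsigned long load_bias = ELF_ET_DYN_BASE;

    load_bias += (rnd_pages & ((1UL << MMAP_RND_BITS) - 1)) << PAGE_SHIFT;
    return ELF_PAGESTART(load_bias - vaddr);
}

/* Runtime entry point = load bias + e_entry from the ELF header. */
static unsigned long pie_entry(unsigned long load_bias, unsigned long e_entry)
{
    return load_bias + e_entry;
}

int main(void)
{
    unsigned long fixed = pie_load_bias(0, 0);
    unsigned long top   = pie_load_bias((1UL << MMAP_RND_BITS) - 1, 0);

    printf("ELF_ET_DYN_BASE      = 0x%lx\n", ELF_ET_DYN_BASE);
    printf("base, ASLR disabled  = 0x%lx\n", fixed);
    /* 0x1060 is the e_entry implied by the slides: AT_ENTRY minus the base */
    printf("AT_ENTRY, ASLR off   = 0x%lx\n", pie_entry(fixed, 0x1060));
    printf("base range, ASLR on  = 0x%lx .. 0x%lx\n", fixed, top);
    return 0;
}
```

With randomization enabled the base stays within the printed range, which is why PIE code addresses on x86_64 typically begin with 0x55 or 0x56.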