python venv
To avoid conflicts between pip-installed Python packages and packages installed by apt (the "externally-managed-environment" error on newer Ubuntu/Debian):
3 Ways to Solve Pip Install Error on Ubuntu 23.04 - OMG! Ubuntu
- For packages that exist in the Ubuntu/Debian repos, use apt install python3-xyz
- pipx covers only one narrow case: installing and running apps that expose a command-line entry point. Libraries you want to import go in a venv instead.
Checking the kernel's protection config
- Look at /proc/config.gz
- Look under /boot/config* (distro kernels install /boot/config-<release>)
The config is only embedded when the kernel was built with CONFIG_IKCONFIG; exposing it as /proc/config.gz additionally needs CONFIG_IKCONFIG_PROC.
/proc/config.gz
This file shows you the compile-time configuration settings for the kernel (gzip compressed, use zcat or zless to see its contents). It is available only if you enable it using CONFIG_IKCONFIG_PROC when you compile.
Say you want to upgrade to the next available kernel. Your current kernel works fine, so you'd like to use the same parameters, but you accidentally lost your original .config configuration file. Simply zcat /proc/config.gz > /usr/src/linux/.config and you're ready to go.
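A small checker for this step, added here as an example and not part of the original notes or the kernel documentation quoted above: it loads the running kernel's config from /proc/config.gz (through zcat) or from /boot/config-<release>, and reports the options that decide which exploitation techniques are still available. The option list is my own selection, and the embedded sample config is constructed, not taken from a real kernel.

```c
/* Added example, not part of the original notes: parse a kernel .config text
 * (what `zcat /proc/config.gz` prints, or /boot/config-<release>) and list the
 * options a kernel pwn player checks first. The option list is my own choice
 * and the sample config below is constructed, not taken from a real kernel. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

static const char *const mitigations[] = {
    "CONFIG_RANDOMIZE_BASE",         /* KASLR: an address leak is needed          */
    "CONFIG_PAGE_TABLE_ISOLATION",   /* KPTI: ret2user must go via the trampoline */
    "CONFIG_STACKPROTECTOR_STRONG",  /* kernel stack canary                       */
    "CONFIG_SLAB_FREELIST_HARDENED", /* XOR-obfuscated freelist pointers          */
    "CONFIG_SLAB_FREELIST_RANDOM",   /* randomised slab freelist order            */
    "CONFIG_HARDENED_USERCOPY",      /* bounds checks in copy_{to,from}_user      */
    "CONFIG_STATIC_USERMODEHELPER",  /* modprobe_path overwrite no longer works   */
    "CONFIG_KALLSYMS",               /* symbol names in /proc/kallsyms            */
};
#define NMIT (sizeof mitigations / sizeof mitigations[0])

/* Find CONFIG_<name>. Copies "y"/"m"/the value, or "n" for "# NAME is not set",
 * into out and returns it; NULL when the option does not appear at all. */
static const char *config_option(const char *text, const char *name,
                                 char *out, size_t out_len)
{
    size_t nlen = strlen(name);
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t llen = eol ? (size_t)(eol - p) : strlen(p);
        if (llen > nlen + 1 && !strncmp(p, name, nlen) && p[nlen] == '=') {
            size_t vlen = llen - nlen - 1;
            if (vlen >= out_len) vlen = out_len - 1;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0'; return out;
        }
        if (llen == nlen + 13 && !strncmp(p, "# ", 2) && !strncmp(p + 2, name, nlen)
            && !strncmp(p + 2 + nlen, " is not set", 11)) {
            snprintf(out, out_len, "n"); return out;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return NULL;
}

/* Print one line per listed option; returns how many are built in (=y). */
static int report_mitigations(const char *text, FILE *out)
{
    int enabled = 0;
    for (size_t i = 0; i < NMIT; i++) {
        char val[64];
        const char *v = config_option(text, mitigations[i], val, sizeof val);
        fprintf(out, "%-32s %s\n", mitigations[i], v ? v : "(absent)");
        if (v && !strcmp(v, "y")) enabled++;
    }
    return enabled;
}

/* Slurp a stream into a malloc'd NUL-terminated buffer; NULL if it was empty. */
static char *read_all(FILE *f)
{
    char *buf = NULL; size_t len = 0, cap = 0, n = 0;
    do {
        if (len + 4097 > cap) buf = realloc(buf, cap = cap ? cap * 2 : 65536);
        if (!buf) return NULL;
        len += n = fread(buf + len, 1, 4096, f);
    } while (n);
    if (!len) { free(buf); return NULL; }
    buf[len] = '\0';
    return buf;
}

/* Constructed sample used when no config of the running kernel is readable. */
static const char sample_config[] =
    "CONFIG_RANDOMIZE_BASE=y\n"
    "# CONFIG_PAGE_TABLE_ISOLATION is not set\n"
    "CONFIG_STACKPROTECTOR_STRONG=y\n"
    "CONFIG_SLAB_FREELIST_HARDENED=y\n"
    "# CONFIG_SLAB_FREELIST_RANDOM is not set\n"
    "CONFIG_HARDENED_USERCOPY=y\n"
    "CONFIG_KALLSYMS=y\n";

int main(void)
{
    char path[256], *text = NULL;
    struct utsname u;
    FILE *f = popen("zcat /proc/config.gz 2>/dev/null", "r"); /* CONFIG_IKCONFIG_PROC */
    if (f) { text = read_all(f); pclose(f); }
    if (!text && uname(&u) == 0) {                            /* distro kernels */
        snprintf(path, sizeof path, "/boot/config-%s", u.release);
        if ((f = fopen(path, "r"))) { text = read_all(f); fclose(f); }
    }
    if (!text) puts("no readable kernel config, showing the constructed sample");
    printf("%d of %zu listed mitigations built in\n",
           report_mitigations(text ? text : sample_config, stdout), NMIT);
    free(text);
    return 0;
}
```

Build with cc -o kconfig kconfig.c and run it inside the challenge VM. SMEP and SMAP do not appear here because they are CPU features, not .config options: they are set by the QEMU -cpu line and show up as smep/smap in the flags line of /proc/cpuinfo.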
Restoring the symbol table
Kernel debugging
Mainly followed this: Kernel pwn CTF 入门 | Kiprey's Blog
Breakpoints would not trigger
Breakpoints in the exp did trigger
Turned out the base address has to be added to the breakpoint address
water_ker
Printing structs
https://github.com/ocastejon/linux-kernel-learning/blob/main/notes/slab-allocator.md
There are two extern variables of interest. The first is
kmalloc_caches[NR_KMALLOC_TYPES][KMALLOC_SHIFT_HIGH + 1];
where NR_KMALLOC_TYPES is the number of cache types and KMALLOC_SHIFT_HIGH + 1 the number of size classes.
pwndbg> p &kmalloc_caches
$22 = (struct kmem_cache *(*)[4][14]) 0xffffffff828512e0
// 4 types, 14 size classes
Address of kmalloc_caches[51], i.e. the flat index 3 * 14 + 9 of the [3][9] element:
pwndbg> p kmalloc_caches[3][9]
$42 = (struct kmem_cache *) 0xffff888004c44100
slab_caches
Slab cache categories
- Dedicated: They are created by the Linux kernel, and each one is used to hold only a given type of (commonly used) object such as mm_struct or cred_jar.
- Generic: General purpose caches that can hold any object of a specific size (plus padding). Usually, these caches have objects of sizes of power of two. When calling kmalloc(), the returned allocated memory will be in one of such caches (like kmalloc-32, kmalloc-64, …) depending on the size requested.
kmalloc_trace
The kmalloc_trace function wraps an ordinary slab cache allocation with tracing and checking: besides doing the allocation itself, it records the allocation's details through the kmalloc tracepoint and runs KASAN's kmalloc hook for additional error detection.
void *kmalloc_trace(struct kmem_cache *s, gfp_t gfpflags, size_t size)
{
void *ret = __kmem_cache_alloc_node(s, gfpflags, NUMA_NO_NODE,
size, _RET_IP_);
trace_kmalloc(_RET_IP_, ret, size, s->size, gfpflags, NUMA_NO_NODE);
ret = kasan_kmalloc(s, ret, size, gfpflags);
return ret;
}
EXPORT_SYMBOL(kmalloc_trace);
The gfp flags are defined in include/linux/gfp_types.h.
The 0x400cc0 in the challenge is GFP_KERNEL (0xcc0, from #define GFP_KERNEL (__GFP_RECLAIM | __GFP_IO | __GFP_FS)) with __GFP_ACCOUNT (0x400000) added, i.e. GFP_KERNEL_ACCOUNT: the allocation is charged to the memory cgroup and, with CONFIG_MEMCG_KMEM, comes from a kmalloc-cg-* cache rather than the plain kmalloc-* one.
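The two lookups behind the kmalloc_caches[type][index] array shown above and the gfp value just decoded, re-implemented in user space as an added example (this is my own code, not code from these notes, the linked slab notes, or the kernel tree). It assumes x86-64 with 4K pages (KMALLOC_MIN_SIZE 8 and KMALLOC_SHIFT_HIGH 13, which give the [4][14] array), CONFIG_ZONE_DMA and CONFIG_MEMCG_KMEM enabled, and the enum kmalloc_cache_type order of v6.6 and later (NORMAL, RECLAIM, DMA, CGROUP); earlier kernels order the enum differently, so check include/linux/slab.h for the kernel at hand before trusting the numeric type index. The bit values are copied from gfp_types.h.

```c
/* Added example, not code from these notes or the kernel tree: a user-space
 * re-implementation of the SLUB lookups behind kmalloc(size, flags), showing
 * which kmalloc_caches[type][index] slot a request lands in and what the
 * challenge's gfp value 0x400cc0 means. Assumed config: x86-64 with 4K pages
 * (KMALLOC_MIN_SIZE 8, KMALLOC_SHIFT_HIGH 13), ZONE_DMA and MEMCG_KMEM on, v6.6+ enum order. */
#include <stdio.h>
#include <string.h>

#define ___GFP_DMA            0x01u       /* bit values from include/linux/gfp_types.h */
#define ___GFP_RECLAIMABLE    0x10u
#define ___GFP_IO             0x40u
#define ___GFP_FS             0x80u
#define ___GFP_DIRECT_RECLAIM 0x400u
#define ___GFP_KSWAPD_RECLAIM 0x800u
#define ___GFP_ACCOUNT        0x400000u
#define __GFP_RECLAIM      (___GFP_DIRECT_RECLAIM | ___GFP_KSWAPD_RECLAIM)
#define GFP_KERNEL         (__GFP_RECLAIM | ___GFP_IO | ___GFP_FS)   /* 0xcc0    */
#define GFP_KERNEL_ACCOUNT (GFP_KERNEL | ___GFP_ACCOUNT)             /* 0x400cc0 */

#define KMALLOC_MIN_SIZE   8
#define KMALLOC_SHIFT_LOW  3
#define KMALLOC_SHIFT_HIGH 13   /* PAGE_SHIFT + 1: kmalloc-8192 is the largest cache */

/* Order as in v6.6+ slab.h; v5.14..v6.5 order it NORMAL, CGROUP, RECLAIM, DMA. */
enum kmalloc_cache_type { KMALLOC_NORMAL = 0, KMALLOC_RECLAIM, KMALLOC_DMA,
                          KMALLOC_CGROUP, NR_KMALLOC_TYPES };
static const char *const type_prefix[NR_KMALLOC_TYPES] = {
    [KMALLOC_NORMAL] = "kmalloc",     [KMALLOC_RECLAIM] = "kmalloc-rcl",
    [KMALLOC_DMA]    = "dma-kmalloc", [KMALLOC_CGROUP]  = "kmalloc-cg",
};

/* kmalloc_index(): request size -> second index of kmalloc_caches; -1 means
 * above KMALLOC_MAX_CACHE_SIZE, where kmalloc() goes to the page allocator. */
static int kmalloc_index(size_t size)
{
    if (size == 0) return 0;
    if (size <= KMALLOC_MIN_SIZE) return KMALLOC_SHIFT_LOW;
    if (size > 64 && size <= 96) return 1;     /* kmalloc-96  */
    if (size > 128 && size <= 192) return 2;   /* kmalloc-192 */
    for (int i = KMALLOC_SHIFT_LOW; i <= KMALLOC_SHIFT_HIGH; i++)
        if (size <= ((size_t)1 << i)) return i;
    return -1;
}

/* Object size of the cache at a given index (inverse of kmalloc_index). */
static size_t cache_size(int idx) { return idx == 1 ? 96 : idx == 2 ? 192 : idx > 0 ? (size_t)1 << idx : 0; }

/* kmalloc_type(): gfp flags -> first index of kmalloc_caches. */
static enum kmalloc_cache_type kmalloc_type(unsigned flags)
{
    if ((flags & (___GFP_RECLAIMABLE | ___GFP_DMA | ___GFP_ACCOUNT)) == 0)
        return KMALLOC_NORMAL;
    if (flags & ___GFP_DMA) return KMALLOC_DMA;
    if (flags & ___GFP_RECLAIMABLE) return KMALLOC_RECLAIM;
    return KMALLOC_CGROUP;                 /* __GFP_ACCOUNT: memcg-charged cache */
}

/* Name of the cache kmalloc(size, flags) uses, e.g. "kmalloc-cg-512". Returns the
 * flat offset gdb prints for kmalloc_caches[N] (type * 14 + index), or -1 for page sizes. */
static int kmalloc_cache_name(size_t size, unsigned flags, char *out, size_t n)
{
    int idx = kmalloc_index(size);
    enum kmalloc_cache_type t = kmalloc_type(flags);
    if (idx < 0) { snprintf(out, n, "(page allocator)"); return -1; }
    snprintf(out, n, "%s-%zu", type_prefix[t], cache_size(idx));
    return (int)t * (KMALLOC_SHIFT_HIGH + 1) + idx;
}

/* Decode gfp bits into __GFP_* names; returns how many known bits were set. */
static int gfp_decode(unsigned flags, char *out, size_t n)
{
    static const struct { unsigned bit; const char *name; } bits[] = {
        { ___GFP_DMA, "__GFP_DMA" }, { ___GFP_RECLAIMABLE, "__GFP_RECLAIMABLE" },
        { ___GFP_IO, "__GFP_IO" }, { ___GFP_FS, "__GFP_FS" }, { ___GFP_DIRECT_RECLAIM, "__GFP_DIRECT_RECLAIM" },
        { ___GFP_KSWAPD_RECLAIM, "__GFP_KSWAPD_RECLAIM" }, { ___GFP_ACCOUNT, "__GFP_ACCOUNT" },
    };
    int cnt = 0; size_t used = 0; out[0] = '\0';
    for (size_t i = 0; i < sizeof bits / sizeof bits[0] && used < n; i++) {
        if (!(flags & bits[i].bit)) continue;
        used += snprintf(out + used, n - used, "%s%s", cnt++ ? " | " : "", bits[i].name);
        flags &= ~bits[i].bit;
    }
    if (flags && used < n) snprintf(out + used, n - used, " | 0x%x", flags);  /* unknown bits */
    return cnt;
}

int main(void)
{
    char name[64], bits[256];
    unsigned flags = 0x400cc0;             /* value seen in the challenge */
    gfp_decode(flags, bits, sizeof bits);
    printf("gfp 0x%x = %s%s\n", flags, bits,
           flags == GFP_KERNEL_ACCOUNT ? "  (= GFP_KERNEL_ACCOUNT)" : "");
    int flat = kmalloc_cache_name(0x200, flags, name, sizeof name);
    printf("kmalloc(0x200, 0x%x) -> %s = kmalloc_caches[%d][%d], flat index %d\n",
           flags, name, kmalloc_type(flags), kmalloc_index(0x200), flat);
    return 0;
}
```

With the assumed enum order a 0x200-byte GFP_KERNEL_ACCOUNT request maps to kmalloc-cg-512 at kmalloc_caches[3][9], flat index 51, which is the slot printed in the gdb session above; the same request without __GFP_ACCOUNT would land in plain kmalloc-512 at [0][9]. That distinction matters when you spray objects to reclaim a freed chunk: the spray must use the same gfp type as the victim allocation, not just the same size.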