
Simplified module to use sysfs instead of debugfs

Instead of coping with debugfs, the module now declares two
read-only module parameters -- read and call.  They appear in
sysfs under /sys/module/nullderef/parameters.
commit 89af022fa81ece97b3bc24ac133e6d3925679418 1 parent 2243edc
@mina86 mina86 authored
Showing with 27 additions and 102 deletions.
  1. +4 −4 Makefile
  2. +8 −14 README
  3. +15 −84 nullderef.c
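--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 obj-m = nullderef.o
-M=$(shell pwd)
-
-all:
- make -C /lib/modules/$(shell uname -r)/build/ M=$(M) modules
+nullderef.ko: nullderef.c
+ $(MAKE) -C '/lib/modules/$(shell uname -r)/source' \
+ O='/lib/modules/$(shell uname -r)/build/' \
+ "M=$$PWD" modules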
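--- a/README
+++ b/README
@@ -13,23 +13,17 @@ file.
 USING
-nullderef uses debugfs to export its hooks. In order to you use it,
-you'll need mount debugfs somewhere. /sys/kernel/debug is traditional,
-so try (as root):
+nullderef uses sysfs to export its hooks. Simply
+ # insmod nullderef.ko
- # mount debugfs -t debugfs /sys/kernel/debug/
+You shuld now have a /sys/module/nullderef/parameters/ directory,
+containing two files, "read", and "call".
-And then simply
- # insmod nullderef.ko
+Reading from either of these files will result in a NULL pointer
+dereference in the kernel. "read" will simply try to read a NULL
+pointer. "call" will read a function pointer from the NULL address,
+and then attempt to call through the resulting pointer.
 Once you're done crashing your kernel, if your machine is still
 stable, you can remove the module using:
 # rmmod nullderef
-
-You shuld now have a /sys/kernel/debug/nullderef/ directory,
-containing two files, "null_read", and "null_call".
-
-Writing to either of these files will result in a NULL pointer
-dereference in the kernel. "null_read" will simply try to read a NULL
-pointer. "null_call" will read a function pointer from the NULL
-address, and then attempt to call through the resulting pointer.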
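--- a/nullderef.c
+++ b/nullderef.c
@@ -8,6 +8,8 @@
 *
 * Author: Nelson Elhage <nelhage@ksplice.com>
 *
+ * Simplified greatly by Michal Nazarewicz <mina86@mina86.com>
+ *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
@@ -15,9 +17,6 @@
 *
 */
 #include <linux/module.h>
-#include <linux/sched.h>
-#include <linux/hardirq.h>
-#include <linux/debugfs.h>
 /*
 * Define an 'ops' struct containing a single mostly-pointless
@@ -32,98 +31,30 @@ struct my_ops {
 static struct my_ops *ops = NULL;
 /*
- * Writing to the 'null_read' file just reads the value of the do_it
- * function pointer from the NULL ops pointer.
- */
-static ssize_t null_read_write(struct file *f, const char __user *buf,
- size_t count, loff_t *off)
-{
- f->private_data = ops->do_it;
-
- return count;
-}
-
-/*
- * Writing to the 'null_read' file calls the do_it member of ops,
- * which results in reading a function pointer from NULL and then
- * calling it.
+ * Reading the 'read' file just reads the value of the do_it function
+ * pointer from the NULL ops pointer.
 */
-static ssize_t null_call_write(struct file *f, const char __user *buf,
- size_t count, loff_t *off)
+static int null_read(char *buffer, struct kernel_param *kp)
 {
- return ops->do_it();
+ return sprintf(buffer, "%p\n", (void *)ops->do_it);
 }
-/* Handles to the files we will create */
-static struct dentry *nullderef_root, *read_de, *call_de;
-
-/* Structs telling the kernel how to handle writes to our files. */
-static const struct file_operations null_read_fops = {
- .write = null_read_write,
-};
-static const struct file_operations null_call_fops = {
- .write = null_call_write,
-};
-
-/*
- * To clean up our module, we just remove the two files and the
- * directory.
- */
-static void cleanup_debugfs(void) {
- if (read_de) debugfs_remove(read_de);
- if (call_de) debugfs_remove(call_de);
- if (nullderef_root) debugfs_remove(nullderef_root);
-}
+module_param_call(read, NULL, null_read, NULL, 0444);
 /*
- * This function is called at module load time, and creates the
- * directory in debugfs and the two files.
+ * Reading the 'call' file calls the do_it member of ops, which
+ * results in reading a function pointer from NULL and then calling
+ * it.
 */
-static int __init nullderef_init(void)
+static int null_call(char *buffer, struct kernel_param *kp)
 {
- /* Create the directory our files will live in. */
- nullderef_root = debugfs_create_dir("nullderef", NULL);
- if (!nullderef_root) {
- printk(KERN_ERR "nullderef: creating root dir failed\n");
- return -ENODEV;
- }
-
- /*
- * Create the null_read and null_call files. Use the fops
- * structs defined above so that the kernel knows how to
- * handle writes to them, and set the permissions to be
- * writable by anyone.
- */
- read_de = debugfs_create_file("null_read", 0222, nullderef_root,
- NULL, &null_read_fops);
- call_de = debugfs_create_file("null_call", 0222, nullderef_root,
- NULL, &null_call_fops);
-
- if (!read_de || !call_de)
- goto out_err;
-
- return 0;
-out_err:
- cleanup_debugfs();
-
- return -ENODEV;
+ ssize_t ret = ops->do_it();
+ return sprintf(buffer, "%zd\n", ret);
 }
-/*
- * This function is called on module unload, and cleans up our files.
- */
-static void __exit nullderef_exit(void)
-{
- cleanup_debugfs();
-}
+module_param_call(call, NULL, null_call, NULL, 0444);
-/*
- * These two lines register the functions above to be called on module
- * load/unload.
- */
-module_init(nullderef_init);
-module_exit(nullderef_exit);
 MODULE_AUTHOR("Nelson Elhage <nelhage@ksplice.com>");
-MODULE_DESCRIPTION("Provides debugfs files to trigger NULL pointer dereferences.");
+MODULE_DESCRIPTION("Provides sysfs files to trigger NULL pointer dereferences.");
 MODULE_LICENSE("GPL");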
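Review bot: Making a plain read the trigger, with mode `0444` on both `module_param_call` lines, means any local user can fault the kernel once the module is loaded, and probably so can any tool that merely walks /sys/module/*/parameters (a recursive grep, a diagnostics collector); the removed debugfs handlers at least required a deliberate write. If read-triggering is intended, say so where the parameters are declared, e.g. `/* 0444 on purpose: every read of this file dereferences NULL; load only on a disposable test machine */`, and repeat the warning in the README's USING section. Otherwise move the dereference into a set callback (which takes `const char *val` instead of `char *buffer`) and register it write-only, e.g. `module_param_call(read, null_read, NULL, NULL, 0200);`, so that only an explicit root write triggers it.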