pyvmidbg icon indicating copy to clipboard operation
pyvmidbg copied to clipboard

Published 20 hours ago verified publisher icon Wenzel

Inaccurate readings randomize_layout [Linux Kernel]

Open pwnosaur opened this issue 4 years ago • 0 comments

The current implementation for the Linux kernel debugging lacks support for kernel 4.13+ because of the randomize_layout security feature which randomizes the location of struct members during the kernel compilation process, thus the offset of each element may vary resulting in inaccurate readings.

More information here about the feature https://lwn.net/Articles/722293/

note the randomized_struct_fields_start used in

Kernel 4.13+

struct task_struct 
{
#ifdef CONFIG_THREAD_INFO_IN_TASK
	struct thread_info		thread_info;
#endif
	volatile long			state;
	randomized_struct_fields_start
	void				*stack;
...

which was not yet implemented in previous kernel versions

Kernel 4.12-

struct task_struct {
#ifdef CONFIG_THREAD_INFO_IN_TASK
	struct thread_info		thread_info;
#endif
	volatile long			state;
	void				*stack;

pwnosaur avatar Sep 03 '20 16:09 pwnosaur