Re: Panic writing kernel memory?
- Subject: Re: Panic writing kernel memory?
- From: Brian Doyle <email@hidden>
- Date: Thu, 24 Jan 2008 03:20:29 -0800
Hi Mike,
Thanks for your reply!
As you've correctly surmised, I'm trying to patch the vtable of a
class that isn't mine and that I can't inherit from (IODTNVRAM/
AppleEFINVRAM). My intent is to be notified when setProperty() is
called on IODeviceTree:/options so that I can do some processing when
the boot device changes.
My code is written to just call through to the original pointer. The
published headers have some "arcane evil code" in the form of
OSMetaClassBase::_ptmf2ptf() that indicates a heavy reliance on the
GCC 2.95 ABI (also -fapple-kext) so I feel confident that implementing
this approach will work just fine provided I can find a way to write
to the AppleEFINVRAM kext vtable.
I could accomplish the same thing by polling iodt:/options but that
is rather crufty, not nearly as reliable, and goes against my better
nature ;-)
So... my original question still stands:
Can anyone point out specific technical mechanics that will enable me
to perform the write? If so I would greatly appreciate it.
Thanks again,
Brian
PS - Ultimately I suppose I'll have to resort to polling if no one can
offer a better solution. Bummer.
On Jan 24, 2008, at 1:34 AM, Michael Smith wrote:
> On Jan 24, 2008, at 1:09 AM, Brian Doyle wrote:
>> I've written a kext which, quite simply, does this:
>>
>> typedef void (*CFunctionPointer)(void);
>> CFunctionPointer *foo = <some location containing a function pointer>;
>> CFunctionPointer bar = <&some function>;
>> CFunctionPointer baz;
>> baz = *foo; // read ok
>> *foo = bar; // write panic
>>
>> The panic log states "Memory access exception (1,0,0)".
>> I'm guessing the memory I'm trying to write to has VM_PROT_WRITE
>> disabled, but I'm not sure how to verify that (vm_region() on the
>> address foo causes a different panic, namely a null-pointer
>> dereference crash down in vm_map_lookup_entry()).
>> I've noticed that when I'm two-machine debugging with gdb I can set
>> the value *foo directly from the gdb command line with no problem.
>> This is all well-and-good, but I need to be able to replace this
>> function pointer from my kext. I gave vm_protect() a try but that
>> crashed too, in the same place as vm_region().
>> Can anyone help? I would certainly appreciate it!
> If it's your function pointer, you should be able to manipulate it
> just fine.
> If it's not your function pointer, you should leave it alone. The
> way you wrote the above, it appears likely that you are trying to
> patch some part of the kernel.
> Don't do that.
> = Mike
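The store that panics in the quoted post, modelled in user space as an added example (this is editor-written illustration, not code from the thread, from Brian's kext or from Apple). A table of function pointers is placed on a page whose write permission has been dropped; a raw store into it faults, which is the user-space counterpart of a kernel store into a page without VM_PROT_WRITE. The block then shows the two things the thread circles around: a probe that reports whether a given slot is writable without taking the process down, and the change-protection / swap-pointer / call-through-to-original / restore-protection sequence a hook has to follow. All names (struct vtable, hook_impl, run_demo and so on) are hypothetical, and mprotect() stands in for whatever protection change the kernel's VM layer would require; nothing here makes patching a vtable you do not own a good idea, which is Mike's point.

```c
/* Added example: user-space model of writing into a read-only function
 * pointer table.  Names are illustrative; mprotect() is the user-space
 * stand-in for changing a page's protection. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* BSD/macOS spelling */
#endif

typedef int (*entry_fn)(int);

/* Stand-in for the vtable of a class we do not own. */
struct vtable { entry_fn slot[4]; };

static int original_impl(int x) { return x * 2; }
static int unrelated_impl(int x) { return x + 1; }

/* Hook: note the call, then call through to the saved original pointer. */
static entry_fn saved_original;
static int hook_calls;
static int hook_impl(int x) { hook_calls++; return saved_original(x); }

static long page_size(void) { return sysconf(_SC_PAGESIZE); }

/* Allocate a page, fill the table, then drop write permission on it. */
static struct vtable *make_readonly_vtable(void) {
    size_t ps = (size_t)page_size();
    void *p = mmap(NULL, ps, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    struct vtable *vt = (struct vtable *)p;
    vt->slot[0] = original_impl;
    vt->slot[1] = unrelated_impl;
    vt->slot[2] = NULL;
    vt->slot[3] = NULL;
    if (mprotect(p, ps, PROT_READ) != 0) { munmap(p, ps); return NULL; }
    return vt;
}

/* Probe: try the raw store and report whether it faulted (SIGSEGV on
 * Linux, SIGBUS on macOS) instead of letting the fault kill the process. */
static sigjmp_buf fault_jb;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jb, 1); }

static int store_faults(entry_fn *slot, entry_fn value) {
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_jb, 1) == 0) {
        *(volatile entry_fn *)slot = value;   /* the "*foo = bar" from the post */
        faulted = 0;
    } else {
        faulted = 1;                          /* page was not writable */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Replace one slot: make its page writable, swap the pointer, restore. */
static int patch_slot(struct vtable *vt, int idx, entry_fn new_fn, entry_fn *old_fn) {
    size_t ps = (size_t)page_size();
    uintptr_t base = (uintptr_t)&vt->slot[idx] & ~((uintptr_t)ps - 1);
    if (mprotect((void *)base, ps, PROT_READ | PROT_WRITE) != 0) return -1;
    *old_fn = vt->slot[idx];
    vt->slot[idx] = new_fn;
    return mprotect((void *)base, ps, PROT_READ);
}

/* Whole scenario; returns 0 on success or the negative number of the failed step. */
int run_demo(void) {
    struct vtable *vt = make_readonly_vtable();
    if (!vt) return -1;
    if (!store_faults(&vt->slot[0], hook_impl)) return -2;      /* raw store must fault */
    if (patch_slot(vt, 0, hook_impl, &saved_original) != 0) return -3;
    if (vt->slot[0](21) != 42 || hook_calls != 1) return -4;     /* hook ran, called through */
    if (vt->slot[1](41) != 42) return -5;                        /* neighbouring slot untouched */
    if (!store_faults(&vt->slot[0], original_impl)) return -6;   /* protection restored */
    munmap(vt, (size_t)page_size());
    return 0;
}

int main(void) {
    int rc = run_demo();
    printf("%s (rc=%d, hook calls=%d)\n", rc == 0 ? "ok" : "FAILED", rc, hook_calls);
    return rc != 0;
}
```

The probe is the check Brian was missing: it answers "is this slot writable?" without relying on vm_region(), and it is the same question a kernel panic on the store is answering the hard way. Note that the page is restored to read-only after the swap, so a second raw store faults again; a hook that leaves the page writable has widened the attack surface of the thing it patched.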
_______________________________________________
Darwin-kernel mailing list (email@hidden)