Brian, Lots of things have changed since GCC 2.9.x.
Mike is right. Don't do that.
David

Message: 3
Date: Thu, 24 Jan 2008 03:20:29 -0800
From: Brian Doyle <email@hidden>
Subject: Re: Panic writing kernel memory?
To: email@hidden
Message-ID: <email@hidden>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Hi Mike,
Thanks for your reply!
As you've correctly surmised, I'm trying to patch the vtable of a class that isn't mine and that I can't inherit from (IODTNVRAM/AppleEFINVRAM). My intent is to be notified when setProperty() is called on IODeviceTree:/options so that I can do some processing when the boot device changes.
My code is written to just call through to the original pointer. The published headers have some "arcane evil code" in the form of OSMetaClassBase::_ptmf2ptf() that indicates a heavy reliance on the GCC 2.95 ABI (also -fapple-kext) so I feel confident that implementing this approach will work just fine provided I can find a way to write to the AppleEFINVRAM kext vtable.
I could accomplish the same thing by polling iodt:/options but that is rather crufty, not nearly as reliable, and goes against my better nature ;-)
So... my original question still stands:
Can anyone point out specific technical mechanics that will enable me to perform the write? If so I would greatly appreciate it.
Thanks again,
Brian
PS - Ultimately I suppose I'll have to resort to polling if no one can offer a better solution. Bummer.
On Jan 24, 2008, at 1:34 AM, Michael Smith wrote:
On Jan 24, 2008, at 1:09 AM, Brian Doyle wrote:
I've written a kext which, quite simply, does this:
    typedef void (*CFunctionPointer)(void);

    CFunctionPointer *foo = <some location containing a function pointer>;
    CFunctionPointer bar = <&some function>;
    CFunctionPointer baz;

    baz = *foo;   // read ok
    *foo = bar;   // write panic
The panic log states "Memory access exception (1,0,0)".
I'm guessing the memory I'm trying to write to has VM_PROT_WRITE
disabled, but I'm not sure how to verify that (vm_region() on the
address foo causes a different panic, namely a null-pointer
dereference crash down in vm_map_lookup_entry()).
I've noticed that when I'm two-machine debugging with gdb I can set
the value *foo directly from the gdb command line with no problem.
This is all well-and-good, but I need to be able to replace this
function pointer from my kext. I gave vm_protect() a try but that
crashed too, in the same place as vm_region().
Can anyone help? I would certainly appreciate it!
If it's your function pointer, you should be able to manipulate it
just fine.
If it's not your function pointer, you should leave it alone. The
way you wrote the above, it appears likely that you are trying to
patch some part of the kernel.
Don't do that.
= Mike