[openbeos] Re: R5 stuff... (bis)
- From: "Michael Phipps" <mphipps1@xxxxxxxxxxxxxxxx>
- To: openbeos@xxxxxxxxxxxxx
- Date: Mon, 29 Jul 2002 22:04:23 -0400
This is all cool and stuff (props, Francois), but why would this
be on topic, here?
> François,
>
> wow! this is great news!
>
> keep up the good work
>
> peter
>
>> From: François Revol <REVOL@xxxxxxx>
>> Reply-To: openbeos@xxxxxxxxxxxxx
>> To: openbeos@xxxxxxxxxxxxx
>> Subject: [openbeos] R5 stuff... (bis)
>> Date: Sun, 28 Jul 2002 16:48:50 +0200 (MEST)
>>
>> Ok, another exploit and I explain:
>>
>>
>> [revol@patrick /boot/home/devel/mmap]$ ./mmtest2
>> libmoreposix:_init()
>> __init_mmap_stuff(): mmap_driver_fd = 3
>> open(/boot/home/testret, O_RDONLY))
>> mmap(00000000, 4096, 00000004, 00000001, 4, 0)
>> func = mmap( PROT_READ|PROT_EXEC)
>> @func: 0x90, 0xc3, 0x90, 0xc3
>> calling !
>> returned from func !
>>
>> libmoreposix:_fini()
>>
>> ---
>>
>> [revol@patrick /boot/home]$ listarea 1352|grep mmap
>> 30281 mmap_user a0000000 1000 1000 0 0 0
>>
>>
>> What I did is I hacked the JBQ mmap driver a bit further, and even
>> did some kernel H4cK1nG :)
>> because filedes in drivers are owned by kernel_team, not the calling
>> thread...
>>
>> I'll maybe write a newsletter article explaining in detail, this is
>> also informative for OBOS btw... (there's sys_read() and user_read()
>> involved :)
>>
>> Of course this one isn't a full blown mmap(), as it doesn't deal with
>> pages, only whole file :-(
>> But it still may help in the mean time.
>>
>> Also, looking at Plex86 sources (*grin*), it seems Linux can mmap()
>> device drivers... I think we could include this behaviour too, either
>> using ioctl() or a new entry in the driver_hook struct... but this is
>> GE stuff btw.
>>
>> François.