
Access permissions of /dev/mem

I have a set of questions regarding /dev/mem:

  1. Many articles on the net seem to refer to /dev/mem as the gateway to "Physical RAM". But if I am right, /dev/mem is the gateway to the "Physical Address Space" of the processor, which might include control registers of many HW peripherals and not just the RAM? Please correct me if I am wrong!

  2. In order to prevent attackers from misusing /dev/mem and altering kernel memory, a flag CONFIG_STRICT_DEVMEM needs to be enabled, which will prevent user apps from accessing physical address space beyond 1MB. I checked the config file on my PC (Ubuntu) and found that CONFIG_STRICT_DEVMEM = y. And I wrote a program which tries to read physical memory beyond 1 MB and I was able to read! No segmentation fault or any Operation NOT Permitted error. How is this possible?

My program roughly looks like this:

fd = open("/dev/mem", O_RDWR);
/* mmap() takes a flags argument (MAP_SHARED here) between prot and fd */
ptr = (int *) mmap(0, MAP_SIZE, PROT_READ, MAP_SHARED, fd, myAddress & ~MAP_MASK);
printf("%d", *ptr);
Pavan Manjunath asked May 26 '11 07:05


2 Answers

  1. Yes, you're right, /dev/mem allows you to map any physical address, including non-RAM memory mapped IO. This can be useful for a quick and dirty hack to access some hardware device without writing a kernel driver.

  2. CONFIG_STRICT_DEVMEM makes the kernel check addresses in /dev/mem with devmem_is_allowed() in arch/x86/mm/init.c, and the comment there explains:

    * On x86, access has to be given to the first megabyte of ram because that area
    * contains bios code and data regions used by X and dosemu and similar apps.
    * Access has to be given to non-kernel-ram areas as well, these contain the PCI
    * mmio resources as well as potential bios/acpi data regions.
    

    Your address 0xFFFF0000 is quite likely to be non-RAM, since BIOSes typically put IO memory just below 4GB, so that's why you're able to map it even with STRICT_DEVMEM.

Roland answered Oct 17 '22 00:10


What does the following yield:

cat /dev/mem | wc

I get:

cat: /dev/mem: Operation not permitted
   1908   11791 1048576

So for me it does stop at 1MB.

Note that cat uses open, not mmap, so it's not an identical test.

Are you sure you're reading beyond 1MB?

linuts answered Oct 17 '22 01:10