Dirty_COW_ex
8.1. A file's content is the string "Hello World". This file (the entire file) is mapped into memory using mmap(), and the memory address is stored in a variable named map. Please describe what the following printf() statement prints out.
char *addr = (char *)map;
printf("%s\n", addr + 6);
World
8.2. The fork() system call creates a new process from a parent process. The new process, i.e., the child process, will have a copy of the parent process’s memory. Typically, the memory copy is not performed when the child process is created. Instead, it is delayed. Please explain when the memory copy will occur.
The memory copy occurs when the child process first writes to its memory. Because the parent and the child have independent memory spaces, the copy is made at write time, which is what we now call copy-on-write (COW).
8.3. When a process maps a file into memory using the MAP_PRIVATE mode, the memory mapping is depicted in Figure 1. (1) Please describe what is going to happen when this process writes data to address 0x5100. (2) The Dirty COW race condition occurs inside the write() system call. Please explain exactly where the problem is. (3) How can this race condition vulnerability be exploited?
8.4. The permission of the file /home/seed/zzz is readable and writable to the user seed. Does the following code (executed by seed) modify the content of /home/seed/zzz?
#include <fcntl.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>

struct stat st;
int f = open("/home/seed/zzz", O_RDWR);
fstat(f, &st);
// Map the entire file to memory (private copy-on-write mapping)
char *map = mmap(NULL, st.st_size, PROT_READ|PROT_WRITE,
                 MAP_PRIVATE, f, 0);
memcpy(map, "new content", strlen("new content"));
No. Because the file is mapped into memory in private mode, the memcpy() causes a new private copy of the mapped page to be created, and the write lands in that copy rather than in the file.
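To make the behaviour behind exercises 8.1 and 8.4 observable, here is an added example (not part of the original page) that maps a constructed temporary file with MAP_PRIVATE, writes through the mapping with memcpy(), and then reads the file back from disk to confirm it is untouched; the temp-file path and the bit-coded result value are this example's own conventions.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/stat.h>

/* Writes "Hello World" into a fresh temp file (constructed sample content),
 * maps it MAP_PRIVATE, overwrites the mapping with memcpy() and reports:
 *   bit 0: the mapping at offset 6 read "World" before the write (exercise 8.1)
 *   bit 1: the mapping shows the new content after memcpy()
 *   bit 2: the file on disk still reads "Hello World" (exercise 8.4)
 * Returns -1 on a system-call failure; 7 means all three observations hold. */
int private_mapping_demo(void)
{
    const char content[] = "Hello World";
    char path[] = "/tmp/dirtycow_ex_XXXXXX";   /* hypothetical scratch path */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                               /* file lives only while fd is open */
    if (write(fd, content, strlen(content)) != (ssize_t)strlen(content)) { close(fd); return -1; }

    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    char *map = mmap(NULL, st.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }

    int result = 0;
    if (strncmp(map + 6, "World", 5) == 0) result |= 1;

    /* This write triggers copy-on-write: it hits a private copy of the page,
     * never the page cache shared with the file. */
    memcpy(map, "new content", strlen("new content"));
    if (strncmp(map, "new content", 11) == 0) result |= 2;

    char disk[32] = {0};
    if (pread(fd, disk, sizeof disk - 1, 0) == (ssize_t)strlen(content)
        && strcmp(disk, content) == 0) result |= 4;

    munmap(map, st.st_size);
    close(fd);
    return result;
}

int main(void)
{
    int r = private_mapping_demo();
    printf("result bits: %d (7 = private copy behaved as expected)\n", r);
    return r == 7 ? 0 : 1;
}
```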
8.5. In the Dirty COW attack, can we run two processes, instead of two threads?
No. When two processes map the same file into memory, each of them gets its own private copy. Running madvise() in one process while writing in the other will not trigger the race, so the same process must issue both the write() and the madvise() calls.
8.6. In this chapter, we show that by exploiting the Dirty COW race condition, we can modify the /etc/passwd file and gain the root privilege. Please name two other files that can be attacked to gain the root privilege.
/etc/shadow
/etc/sudoers - this file defines the list of users who may run the sudo command. Once a user has been added to the sudoers list, that user can run $ sudo su - to get a root shell.
8.7. If we use MAP_PRIVATE to map a read-only file into memory and then use memcpy() to write to it, will this cause copy-on-write?
No. With MAP_PRIVATE the read-only file is mapped into a read-only block of memory. We cannot write to it with memcpy(); doing so throws an error. We should use the write() function instead.
8.8. Why can't we implement copy-on-write in memcpy(), so that we can use it to write to a private copy of the mapped memory?
Original article: https://www.cnblogs.com/tanwlanyue/p/15024039.html