8.1. A file’s content is the string "Hello World". The entire file is mapped into memory using mmap(), and the memory address is stored in a variable map. Please describe what the following printf() statement prints out.
char *addr = (char *)map;
printf("%s\n", addr + 6);
World
8.2. The fork() system call creates a new process from a parent process. The new process, i.e., the child process, will have a copy of the parent process’s memory. Typically, the memory copy is not performed when the child process is created. Instead, it is delayed. Please explain when the memory copy will occur.
The memory copy occurs when the child process first writes to memory. Because the parent and child have independent memory spaces, the copy happens at write time, or what we now know as COW.
8.3. When a process maps a file into memory using the MAP_PRIVATE mode, the memory mapping is depicted in Figure 1. (1) Please describe what is going to happen when this process writes data to address 0x5100. (2) The Dirty COW race condition occurs inside the write() system call. Please explain exactly where the problem is. (3) How can this race condition vulnerability be exploited?
8.4. The permission of the file /home/seed/zzz is readable and writable to the user seed. Does the following code (executed by seed) modify the content of /home/seed/zzz?
#include <fcntl.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
struct stat st;
char *map;
int f = open("/home/seed/zzz", O_RDWR);
fstat(f, &st);
// Map the entire file to memory
map = mmap(NULL, st.st_size, PROT_READ|PROT_WRITE,
           MAP_PRIVATE, f, 0);
memcpy(map, "new content", strlen("new content"));
No. Because the file is mapped into memory in private mode, the memcpy() generates a new copy of the mapped memory.
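An added example, not from the textbook or this answer sheet, that runs the experiment from 8.4 on a constructed temp file and, for contrast, repeats it with MAP_SHARED; the path, contents and helper names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#define CONTENT "Hello World"   /* constructed file content, as in 8.1 */
#define NEW     "new content"   /* the string memcpy()'d in 8.4 */

/* Maps a fresh temp file holding CONTENT with map_flags (MAP_PRIVATE or
 * MAP_SHARED) and PROT_READ|PROT_WRITE, overwrites the mapping via memcpy(),
 * then saves what the mapping and the file hold afterwards (both buffers need
 * sizeof(CONTENT) bytes). Returns 0 on success, -1 on error. */
int cow_experiment(int map_flags, char *map_after, char *file_after)
{
    char path[] = "/tmp/cowdemoXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                          /* file exists only while open */
    if (write(fd, CONTENT, sizeof(CONTENT)) != (ssize_t)sizeof(CONTENT)) { close(fd); return -1; }
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    char *map = mmap(NULL, st.st_size, PROT_READ | PROT_WRITE, map_flags, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }
    /* The write from question 8.4. On MAP_PRIVATE the first write faults, the
     * kernel copies the page and the write lands in the private copy; on
     * MAP_SHARED the page-cache page itself is modified. */
    memcpy(map, NEW, strlen(NEW));
    if (map_flags & MAP_SHARED) msync(map, st.st_size, MS_SYNC);
    memcpy(map_after, map, sizeof(CONTENT));
    /* Read the file back through read() to see what any other process sees. */
    ssize_t n = pread(fd, file_after, sizeof(CONTENT), 0);
    munmap(map, st.st_size);
    close(fd);
    return n == (ssize_t)sizeof(CONTENT) ? 0 : -1;
}

/* 1 if a memcpy() through a mapping with map_flags changed the file,
 * 0 if the file still holds CONTENT, -1 on error. */
int file_changed_after_write(int map_flags)
{
    char m[sizeof(CONTENT)], f[sizeof(CONTENT)];
    if (cow_experiment(map_flags, m, f) != 0) return -1;
    return strcmp(f, CONTENT) != 0;
}

int main(void)
{
    printf("file changed? private=%d shared=%d\n",
           file_changed_after_write(MAP_PRIVATE), file_changed_after_write(MAP_SHARED));
}
```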
8.5. In the Dirty COW attack, can we run two processes, instead of two threads?
No. When two processes map the same file into memory, they will each have their own copy. Running madvise() in one of them and writing in the other will not trigger the copy, so it must be the same process that calls write() and madvise().
8.6. In this chapter, we show that by exploiting the Dirty COW race condition, we can modify the /etc/passwd file and gain the root privilege. Please name two other files that can be attacked to gain the root privilege.
/etc/shadow
/etc/sudoers - This file defines the list of users who can run the sudo command. Once a user is added to the sudoers list, the user can run $ sudo su - to get a root shell.
8.7. If we use MAP_PRIVATE to map a read-only file into memory and then use memcpy() to write to it, will this cause copy-on-write?
No. MAP_PRIVATE causes the read-only file to be mapped to a read-only block of memory. We cannot use memcpy() to write to it; it will throw an error. We should use the write() function instead.
8.8. Why can't we implement copy-on-write in memcpy(), so that we can use it to write to a private copy of the mapped memory?