How ifconfig, ethtool and ip work ---- it comes down to an ioctl

Today I also took a look at the strace output of the ifconfig, ip and ethtool tools.

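It turns out they simply create a socket fd, specify the interface name, and then set or get the relevant attributes.

In other words, the information is read and set through the ioctl / netlink interfaces.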

Take a look at the network device structure:

The ioctl source code currently lives in the file fs/ioctl.c

SYSCALL_DEFINE3(ioctl,
Follows an explanation of the patch that introduced unlocked_ioctl and compat_ioctl into 2.6.11.
The removal of the ioctl field happened a lot later, in 2.6.36.

Explanation: When ioctl was executed, it took the Big Kernel Lock (BKL), so nothing else could
execute at the same time. This is very bad on a multiprocessor machine, so there was a big effort
to get rid of the BKL. First, unlocked_ioctl was introduced. It lets each driver writer choose
what lock to use instead. This can be difficult, so there was a period of transition during which
old drivers still worked (using ioctl) but new drivers could use the improved interface (unlocked_ioctl).
Eventually all drivers were converted and ioctl could be removed.

compat_ioctl is actually unrelated, even though it was added at the same time.
Its purpose is to allow 32-bit userland programs to make ioctl calls on a 64-bit kernel.
The meaning of the last argument to ioctl depends on the driver, so there is no way to
do a driver-independent conversion.

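ioctl: (this field was removed after 2.6.36) the application enters the kernel holding the giant lock / big lock / kernel lock (the Big Kernel Lock), so only one application is in kernel space at any given moment
unlocked_ioctl: called by 64-bit applications; does not take the Big Kernel Lock
compat_ioctl: called by 32-bit applications; does not take the Big Kernel Lock

Reference counting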

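Reference counting: a kernel mechanism. To reduce kernel memory leaks and prevent UAF, most Linux data structures carry a ref counter of type atomic_t (int). The ref counter is manipulated through atomic operations such as:
    atomic_inc()
    atomic_add()
    atomic_dec_and_test() // subtract 1 and test whether the result equals zero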

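Vulnerability: all of these operations have to be called manually by the developer. When an object is referenced by another object, its refcounter is incremented; when that reference is dropped, the refcounter is decremented. When the refcounter reaches zero, the object is normally freed. If mishandling leaves the counter unbalanced, the following vulnerabilities result.

    refcounter decremented twice: UAF.
    refcounter incremented twice: memory leak, or an integer overflow that leads to UAF.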

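The Linux kernel has dedicated functions with a generic interface for handling refcounters (such as kref and kobject), but they are not used systematically. Usually a struct object has its own refcounter helpers: *_get()-style functions take a reference and *_put()-style functions release it (the name alone does not tell you what a function does, you still have to read the code; skb_put(), for example, does not decrement any refcounter). Examples: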

    struct sock: sock_hold(), sock_put()
    struct file: fget(), fput()
    struct files_struct: get_files_struct(), put_files_struct()
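
The two imbalances listed above, shown with a hardened get/put pair. This is an added userspace example, not code from the original post or from the kernel; `struct obj`, `obj_get()`, `obj_put()` and `demo_extra_put()` are hypothetical names, and C11 atomics stand in for atomic_t. The counter saturates instead of wrapping and reports an extra put instead of freeing twice, the same idea as the kernel's refcount_t.

```c
#include <limits.h>
#include <stdatomic.h>

/* Hypothetical userspace object; names are illustrative, not kernel API. */
struct obj {
    atomic_int refs;  /* plays the role of the atomic_t ref counter */
    int freed;        /* set instead of calling free() so callers can inspect it */
};
enum put_result { PUT_OK, PUT_FREED, PUT_UNDERFLOW };

static void obj_init(struct obj *o) { atomic_init(&o->refs, 1); o->freed = 0; }

/* *_get(): refuses to revive a released object and saturates at INT_MAX
 * instead of wrapping, so an unbalanced get leaks memory but never frees. */
static int obj_get(struct obj *o)
{
    int old = atomic_load(&o->refs);
    do {
        if (old <= 0) return -1;       /* already released: would be a UAF */
        if (old == INT_MAX) return 0;  /* saturated: object stays pinned */
    } while (!atomic_compare_exchange_weak(&o->refs, &old, old + 1));
    return 0;
}

/* *_put(): releases only on the 1 -> 0 transition; an extra put is reported. */
static enum put_result obj_put(struct obj *o)
{
    int old = atomic_load(&o->refs);
    do {
        if (old <= 0) return PUT_UNDERFLOW;  /* unbalanced put, not acted on */
        if (old == INT_MAX) return PUT_OK;   /* saturated counters never drop */
    } while (!atomic_compare_exchange_weak(&o->refs, &old, old - 1));
    if (old == 1) { o->freed = 1; return PUT_FREED; }
    return PUT_OK;
}

/* One get followed by three puts: the third put is the unbalanced one. */
static enum put_result demo_extra_put(void)
{
    struct obj o;
    obj_init(&o);         /* refs = 1 */
    obj_get(&o);          /* refs 1 -> 2 */
    obj_put(&o);          /* refs 2 -> 1 */
    obj_put(&o);          /* refs 1 -> 0, object released */
    return obj_put(&o);   /* refs already 0: reported, not freed again */
}

int main(void)
{
    return demo_extra_put() == PUT_UNDERFLOW ? 0 : 1;  /* exit 0 when caught */
}
```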

 

posted @ 2020-08-05 11:40  codestacklinuxer