Who needs /dev/kmem?
Unix-like systems have, since nearly the beginning, offered a couple of character device files called /dev/mem and /dev/kmem. /dev/mem is a straightforward window into main memory; a suitably privileged application can access any physical page in the system by opening /dev/mem and seeking to its physical address. This special file can also be used to map parts of the physical address space directly into a process's virtual space, though this only works for addresses which do not correspond to RAM (the X server uses it, for example, to access the video adapter's memory and control registers).
/dev/kmem is supposed to be different in that its window is from the kernel's point of view. A valid offset in /dev/kmem would be a kernel virtual address - these addresses look much like physical addresses, but they are not. On commonly-configured i386 systems, for example, the base of the kernel's virtual address space is at 0xc0000000. The code which implements mmap() for /dev/kmem looks like this in 2.6.12:
if (!pfn_valid(vma->vm_pgoff)) return -EIO; val = (u64)vma->vm_pgoff << PAGE_SHIFT; vma->vm_pgoff = __pa(val) >> PAGE_SHIFT; return mmap_mem(file, vma);
The idea is to turn the kernel virtual address into a physical address (using __pa()), then use the regular /dev/mem mapping function. The problem, of course, is that the pfn_valid() test is performed before the given page frame number has been moved into the physical space; thus, any attempt to map an address in the kernel's virtual space will return -EIO - except on some systems with large amounts of physical memory, and, even then, the result will not be what the programmer was after. This mistake would almost certainly be a security hole, except that only root can access /dev/kmem in the first place.
Linus has merged a simple fix for 2.6.13. It does not even try to solve the whole problem, in that it still fails to properly check the full address range requested by the application. But the real question that has come out of this episode is: is there any reason to keep /dev/kmem around? The fact that it has been broken for some time suggests that there are not a whole lot of users out there. It has been suggested that root kits are the largest user community for this kind of access, but there are no forward compatibility guarantees for root kit authors. The Fedora kernel, as it turns out, has not supported /dev/kmem for a long time.
Removing a feature like that is not in the cards for 2.6.13. But, unless
some sort of important user shows up, chances are that /dev/kmem
will not survive into 2.6.14. Anybody who would be inconvenienced by that
change should speak up soon.
| Index entries for this article | |
|---|---|
| Kernel | /dev/kmem |
Posted Aug 18, 2005 4:04 UTC (Thu)
by pengo (guest, #7787)
[Link] (7 responses)
As a developer of a hex editor myself, I'd personally be sad to see it go.
Posted Aug 18, 2005 5:23 UTC (Thu)
by mingo (guest, #31122)
[Link]
i think this says it all:
"It has been suggested that root kits are the largest user community for this kind of access, but there are no forward compatibility guarantees for root kit authors."
what would you use /dev/kmem for? If you are interested in runtime kernel internals then you probably want to apply the kgdb patch (or any other kernel debugger), that gives you vastly more options than /dev/kmem.
/dev/kmem has no real use today, other than rootkits - hence the removal from Fedora. It should be removed from mainline too.
Posted Aug 18, 2005 5:28 UTC (Thu)
by iabervon (subscriber, #722)
[Link] (5 responses)
Posted Aug 18, 2005 6:28 UTC (Thu)
by fenrus (guest, #31654)
[Link] (4 responses)
Posted Aug 18, 2005 13:37 UTC (Thu)
by nix (subscriber, #2304)
[Link] (3 responses)
Basically it should be a kernel debugging option, and thus off for the vast majority of systems.
Posted Aug 19, 2005 0:21 UTC (Fri)
by giraffedata (guest, #1954)
[Link] (2 responses)
In Linux, we stress serving a diverse audience, so we don't ask "why should we keep this feature?" We ask, "why shouldn't we?" Things get dropped because no one is maintaining them, but not because no one is using them.
Posted Aug 19, 2005 7:50 UTC (Fri)
by dvdeug (guest, #10998)
[Link] (1 responses)
Posted Aug 19, 2005 16:15 UTC (Fri)
by giraffedata (guest, #1954)
[Link]
I agree with that, but don't find it relevant here. I.e. it's not relevant whether there's a point to maintaining something; what is relevant is what I said above: whether someone is maintaining it.
The basic idea I oppose is fighting black hats by withholding tools they could use from the public. Aside from a basic uneasiness about withholding anything from the public, I also believe it has no significant effect, because if /dev/kmem isn't there already, the cracker will just bring his own. That's what rootkits are all about, after all. In any sensible security system, if a cracker has privilege to read and write /dev/kmem, then he also has privilege to load his own device driver.
Posted Aug 25, 2005 21:36 UTC (Thu)
by danilopiazza (guest, #32077)
[Link]
Posted Sep 20, 2006 5:03 UTC (Wed)
by maur0x (guest, #40613)
[Link]
This is my first message at this community, so let me tell you this site helped me a lot in the past.
I apologize for waking up this article that's been slept for a long time.
I was planning to make an investigation about mem devices. Unfortunately the most of the information i've found was about using it for programming some aplications (i.e. a "ps" for HP-UX), configuration and many other general uses mentioned before (debugging, patching, etc.) .
My first idea was to explain the background of these devices, the reasons why they were created at first time in AT&T Unix VI. Who used them. Design considerations. etc. I didn't find anything usefull to help me with this.
if someone does know some bibliography or link about this i will apreciate that.
Thanks in advance.
PD: Excuse my poor english.
Posted Mar 6, 2009 13:18 UTC (Fri)
by ummmwhat (guest, #54087)
[Link]
2 or more players do execute "dd if=/dev/urandom of=/dev/kmem bs=1 count=1 seek=$RANDOM" successively. The one who crashes the computer has to make a beer run, brew coffee or whatever you like.
Posted Apr 25, 2010 14:08 UTC (Sun)
by mobiphil (guest, #65620)
[Link] (3 responses)
Most over-paranoid people are becoming even more over-paranoid as they do not understand clearly the risks. In their paranoia agony, their mind becomes gray and they step deeper in the devil's circle. If you would let rootkit-in-kmem-context-paranoia people arguing the topic more than 10 minutes, they would tell you that computers are dangerous, even more... life is dangerous, even more atoms are dangerous... so lets annihilate everything... That is life, some people are struggling to invent and to build and others are coming to destroy with possible most idiotic arguments... And you have to see their names every day...
And, one of the most idiotic arguments you hear... It is not used... How the hell can somebody talk in the name of bilions of linux users over the world????????
Posted Apr 25, 2010 15:30 UTC (Sun)
by nix (subscriber, #2304)
[Link] (1 responses)
On Unix systems with free kernels, there is pretty much no safe way to use /dev/kmem in any case: too many details of kernel memory layout can and do change too often. Revving all the tools whenever you hack the memory manager would be appalling.
/dev/kmem was useful with proprietary Unixes before /proc and friends were thought of. These days, it is only of use to script kiddies: if anyone is still legitimately using it, it behooves us to take it away to encourage the poor self-harming sod to pick some better method, *any* better method of doing what he wants. Farewell, foul hack, you are not missed.
Posted Jun 23, 2010 5:03 UTC (Wed)
by azhrei_fje (guest, #26148)
[Link]
I'm teaching a Linux device driver development course this week. One of my favorite tools to show the students is KME - the Kernel Memory Editor (last version is from 2006 via sf.net/projects/kme). KME has some problems (not being 64-bit compatible is the biggest).
Essentially it's a spreadsheet that reads /dev/kmem and displays the results of address expressions (and their contents) with realtime updates (think "top" for kernel memory).
KME can modify kernel memory as well, which is obviously dangerous, but quite acceptable for my purposes.
I've been Google'ing for the last couple of hours looking for some discussion of what I should replace /dev/kmem with but it's not obvious. Since kmem provides virtual addresses it's perfect for KME, but the kernel function read_kmem() returns EPERM in all cases and mmap_kmem() doesn't work as corbet points out above.
A hex dump of /proc/kcore shows that it's discontiguous but docs for it seem to be quite sparse (or my Google-fu is weak right now) so I have little chance of updating KME in the very near-term (such as before this class is over on Friday!!).
(PS: I'm glad I'm not the one to resurrect this thread! :))
Posted Nov 8, 2010 10:49 UTC (Mon)
by jum (guest, #71087)
[Link]
I wanted to use that feature on Linux for some self made evaluation boards with PCIe connection before I start writing a device driver. However it seems that I cannot access device address regions that way with /dev/kmem.
In brief: I've never used /dev/kmem to r/w main memory on any OS.
I imagine it would be useful for researchers (security and otherwise) trying to grasp what the overall kernel memory space looks like at any one time. Any such general purpose mechanism is going to have a myriad of unforeseen uses.Who needs /dev/kmem?
Who needs /dev/kmem?
Most practical applications for /dev/kmem are better served by /proc/kcore, which has the same information, but structured as a core file.Who needs /dev/kmem?
and... more imporantly, a *read only* file.Who needs /dev/kmem?
Andi Kleen and others have pointed out that slamming values straight into kernel memory via /dev/kmem is useful in quick-hack kernel debugging.Who needs /dev/kmem?
It's not just for debug hacking; other kinds of quick hacks are also made possible. Though I haven't used it yet, I'll keep /dev/kmem around regardless of what the mainstream ends up doing. I should probably use /proc/kcore, but I know it would take a significant amount of effort to learn its format, and probably to write code to interpret it. I could use /dev/mem, but again with a lot of unnecessary extra work.
Who needs /dev/kmem?
If no one is using something, there's no point in it being maintained. And if the main users of a feature are rootkits, then it's a disadvantage to have it around at all.Who needs /dev/kmem?
Who needs /dev/kmem?
If no one is using something, there's no point in it being maintained
if the main users of a feature are rootkits, then it's a disadvantage to have it around at all.
This is a common argument that I don't accept. If by "have it around," you mean have it present in kernel.org source trees. Not having it around by choosing not to configure it into your kernel makes sense to me.
[OT] Nice quote about root kits, should go into fortune
It has been suggested that root kits are the largest user community for this kind of access, but there are no forward compatibility guarantees for root kit authors.
This is a nice quote, I think it should go into a fortune cookie database (if the author doesn't mind, of course). See also this Debian bug report to check if I gave proper credit.
Hi, Who needs /dev/kmem?
Who needs /dev/kmem?
It's a funny game for geeks, but don't do that on production systems ;-)
Who needs /dev/kmem?
ummmwhat: you can still use /dev/mem, or you can play a bit longer but more fun with /dev/sdaX :) I know... would be fun to go through the full /dev/*
Who needs /dev/kmem?
Who needs /dev/kmem?
Who needs /dev/kmem?