These two fundamental features are written in a binary hacker's fashion, and they frequently break across Linux major versions and across architectures. It is therefore important to find an alternative way to replace the __schedule function.
There are two major pitfalls we may encounter when replacing __schedule, and they are the reason stack-pivot and ROP were introduced.
After unloading, the module's .text section is gone. If a task wakes up after unloading, it returns into the module's .text section and panics.
The top half and the bottom half of __schedule may assume a different stack layout and size for __schedule.
Apart from stack-pivot + ROP, another potential solution to these problems might be the following.
When unloading the module:
stop_machine, restore __schedule's prologue to a nop, and add the sleeping tasks to a sleep_list;
traverse the sleep_list, set each task's need_resched bit, and wake it up;
wait until every task in the sleep_list has finished one round of schedule and entered vmlinux's schedule.
In this way, springboard_search, the stack guard and stack-pivot can all be eliminated.