bazad / memctl

An iOS kernel introspection tool.
https://bazad.github.io/2017/09/live-kernel-introspection-ios/
MIT License
236 stars 29 forks

kernel allocate + write failing #3

Closed stek29 closed 6 years ago

stek29 commented 6 years ago

memctl> vma 0x100
0xfffffff000940000
memctl> ws 0xfffffff000940000 helloworld
error: kernel address 0xfffffff000940000 is unmapped
memctl> vm 0xfffffff000940000
          START - END             [ VSIZE ] PRT/MAX SHRMOD DEPTH RESIDENT REFCNT TAG
fffffff000940000-fffffff000941000 [    4K ] rw-/rwx    NUL     0        0      0   0

bazad commented 6 years ago

This is known and expected behavior, although obviously it is not ideal and I'm considering how best to address it.

The issue stems from the fact that mach_vm_allocate only reserves space in the kernel virtual memory map; the actual backing pages are faulted in on first access. Thus, the returned memory range is actually safe to access, despite not (currently) having any backing physical pages. You can verify this by adding the "force" flag to the command to bypass safety checks: rf 0xfffffff000940000 should succeed and after that safe accesses should work as expected.

In the future I may prefault memory allocated with mach_vm_allocate by default to avoid this issue.

stek29 commented 6 years ago

ah, thanks :)