kernel tty_struct

kernel tty_struct exp

文章目录

  • kernel tty_struct exp
    • tty_struct
      • ptmx
      • 定义
      • `tty->ops`
      • 利用
      • write 执行流
    • 利用
      • Fake_ops
      • fake_stack
      • kernel rop
      • exp

tty_struct

这是 Linux 下一个特殊的驱动文件,默认集成在 Linux 内核中,代码位于 drivers/tty 目录,主要文件是 pty.c。

ptmx

可以看到其对应的 file_operations结构,定义为ptmx_fops

然后可以看到对应的__init函数,驱动载入的初始化代码在 unix98_pty_init函数,

image-20220213185023138

在此函数最后, 设置了文件 "/dev/ptmx"

image-20220213184120686

在这里也可以看到我们的ptmx_fops.open被设置为了 ptmx_open函数,

定义

我们的主角: struct tty_struct结构体定义在 include/linux/tty.h

其实唯一需要注意的是第四位的ops: const struct tty_operations *ops;

/*
 * struct tty_struct - state object for one tty, as listed by the article
 * from include/linux/tty.h.
 *
 * NOTE(review): the kernel version this listing was taken from is not stated
 * on the page; the member set and order differ between kernel releases, so
 * do not assume this layout matches a given running kernel.
 *
 * Most members carry their own locking note from the original header; those
 * comments are kept verbatim below.
 */
struct tty_struct {
	int     magic;		/* presumably a sanity marker (TTY_MAGIC in kernels of this era) - confirm */
	struct kref kref;
	struct device *dev;
	struct tty_driver *driver;
	/*
	 * Operations table used for this tty (struct tty_operations is a
	 * table of function pointers). The `const` qualifies the pointed-to
	 * table only; this pointer member is ordinary writable data inside
	 * the object, so any call dispatched through tty->ops is only as
	 * trustworthy as the integrity of this field.
	 */
	const struct tty_operations *ops;
	int index;
	/* Protects ldisc changes: Lock tty not pty */
	struct ld_semaphore ldisc_sem;
	struct tty_ldisc *ldisc;
	struct mutex atomic_write_lock;
	struct mutex legacy_mutex;
	struct mutex throttle_mutex;
	struct rw_semaphore termios_rwsem;
	struct mutex winsize_mutex;
	spinlock_t ctrl_lock;
	spinlock_t flow_lock;
	/* Termios values are protected by the termios rwsem */
	struct ktermios termios, termios_locked;
	struct termiox *termiox;        /* May be NULL for unsupported */
	char name[64];			/* fixed 64-byte buffer: writers must bound and terminate */
	struct pid *pgrp;               /* Protected by ctrl lock */
	struct pid *session;
	unsigned long flags;
	int count;
	struct winsize winsize;         /* winsize_mutex */
	unsigned long stopped:1,        /* flow_lock */
		      flow_stopped:1,
		      unused:BITS_PER_LONG - 2;
	int hw_stopped;
	unsigned long ctrl_status:8,    /* ctrl_lock */
		      packet:1,
		      unused_ctrl:BITS_PER_LONG - 9;
	unsigned int receive_room;      /* Bytes free for queue */
	int flow_change;
	struct tty_struct *link;	/* presumably the peer tty of a pty pair - confirm */
	struct fasync_struct *fasync;
	int alt_speed;          /* For magic substitution of 38400 bps */
	wait_queue_head_t write_wait;
	wait_queue_head_t read_wait;
	struct work_struct hangup_work;
	/* Untyped pointers: the concrete types behind them are not visible in this listing. */
	void *disc_data;
	void *driver_data;
	struct list_head tty_files;

/*
 * Preprocessor constant placed inside the struct body; it is not a member
 * and stays defined for the rest of the translation unit.
 */
#define N_TTY_BUF_SIZE 4096

	int closing;
	unsigned char *write_buf;	/* NOTE(review): buffer size and owner are not shown here - confirm against tty_io.c */
	int write_cnt;
	/* If the tty has a pending do_SAK, queue it here - akpm */
	struct work_struct SAK_work;
	struct tty_port *port;
};

这个 tty_operations 定义在 include/linux/tty_driver.h,可以看到其中有大量的 hook 位(函数指针)。

struct tty_operations {struct tty_struct * (*lookup)(struct tty_driver *driver,struct inode *inode, int idx);int  (*install)(struct tty_driver *driver, struct tty_struct *tty);void (*remove)(struct tty_driver *driver, struct tty_struct *tty);int  (*open)(struct tty_struct * tty, struct file * filp);void (*close)(struct tty_struct * tty, struct file * filp);void (*shutdown)(struct tty_struct *tty);void (*cleanup)(struct tty_struct *tty);int  (*write)(struct tty_struct * tty,const unsigned char *buf, int count);int  (*put_char)(struct tty_struct *tty, unsigned char ch);void (*flush_chars)(struct tty_struct *tty);int  (*write_room)(struct tty_struct *tty);int  (*chars_in_buffer)

