Unable to change the content of memory using crash on a live system

Dheeraj Sangamkar wrote:
> I use crash 4.0-3.9 on a live 2.6.9-55 kernel on
i386/i686 as root.
> 
> crash> ls -l /dev/crash
> crw-------  1 root root 10, 61 Mar  5 21:57 /dev/crash
> crash> ls -l /dev/mem
> crw-r-----  1 root kmem 1, 1 Mar  5 16:49 /dev/mem
> crash> q
> [rootlinux17081 ~]# ls -l /dev/crash /dev/mem
> ls: /dev/crash: No such file or directory
> crw-r-----  1 root kmem 1, 1 Mar  5 16:49 /dev/mem
> [rootlinux17081 ~]# id
> uid=0(root) gid=0(root) 
>
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(whe
el)
> 
> So, the /dev/crash file has write permission for me.
The
> 
> I am attempting to change the content of some memory.
> 
> crash> struct request_queue 0xf7b933f8
> struct request_queue {
>   queue_head = {
> <SNIP>
> ...
> }
> 
> crash> struct -o request_queue | grep in_flight
>   [476] unsigned int in_flight;
> crash> eval 0xf7b933f8 + 476
> hexadecimal: f7b935d4
>     decimal: 4156110292  (-138857004)
>       octal: 36756232724
>      binary: 11110111101110010011010111010100
> crash> rd f7b935d4
> f7b935d4:  fffffff1                              ....
> crash> wr f7b935d4 0
> wr: cannot write to /dev/crash!
> 
> I get the error above even if I change the ownership of
/dev/kmem to 
> root:root
> crash> ls -l /dev/mem
> crw-r-----  1 root root 1, 1 Mar  5 16:49 /dev/mem
> 
> Am I doing something wrong? How do I change the content
of memory on a 
> live system using crash?

With Red Hat x86 and x86_64 kernels, you can't.

I feel your pain...

The crash utility traditionally has had the capability of
writing
to /dev/mem, which can be a very useful, powerful (and
dangerous)
tool for kernel debugging.

But Red Hat deemed the /dev/mem interface as a security
hole,
and restricted the x86 and x86_64 /dev/mem drivers to just
the first 256 pages (1MB) of physical memory, making it
useless
for the crash utility.  They allowed me to create the
/dev/crash
driver to replace it -- but it is effectively read-only
because
the driver has no write file operations handler:

   static struct file_operations crash_fops = {
           owner:          THIS_MODULE,
           llseek:         crash_llseek,
           read:           crash_read,
   };

and so the kernel's vfs_write() returns EINVAL.

Changing the permission of /dev/mem won't help because it
isn't used by the crash utility when /dev/crash exists.

Sorry about that,
   Dave

--
Crash-utility mailing list
Crash-utilityredhat.com
https://www.redhat.com/mailman/listinfo/crash-utility

Unable to change the content of memory using crash on a live system

Thread: Unable to change the content of memory using crash on a live system