RE: [Crash-utility] Unable to change the content of memory usingcrash on a live system

-----Original Message----- From: crash-utility-bounces(a)redhat.com [mailto:crash-utility-bounces@redhat.com] On Behalf Of Dave Anderson Sent: Thursday, March 06, 2008 9:37 AM To: Discussion list for crash utility usage,maintenance and development Subject: Re: [Crash-utility] Unable to change the content of memory usingcrash on a live system Dheeraj Sangamkar wrote: > I use crash 4.0-3.9 on a live 2.6.9-55 kernel on i386/i686 as root. > > crash> ls -l /dev/crash > crw------- 1 root root 10, 61 Mar 5 21:57 /dev/crash > crash> ls -l /dev/mem > crw-r----- 1 root kmem 1, 1 Mar 5 16:49 /dev/mem > crash> q > [root@linux17081 ~]# ls -l /dev/crash /dev/mem > ls: /dev/crash: No such file or directory > crw-r----- 1 root kmem 1, 1 Mar 5 16:49 /dev/mem > [root@linux17081 ~]# id > uid=0(root) gid=0(root) > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) > > So, the /dev/crash file has write permission for me. The > > I am attempting to change the content of some memory. > > crash> struct request_queue 0xf7b933f8 > struct request_queue { > queue_head = { > <SNIP> > ... > } > > crash> struct -o request_queue | grep in_flight > [476] unsigned int in_flight; > crash> eval 0xf7b933f8 + 476 > hexadecimal: f7b935d4 > decimal: 4156110292 (-138857004) > octal: 36756232724 > binary: 11110111101110010011010111010100 > crash> rd f7b935d4 > f7b935d4: fffffff1 .... > crash> wr f7b935d4 0 > wr: cannot write to /dev/crash! > > I get the error above even if I change the ownership of /dev/kmem to > root:root > crash> ls -l /dev/mem > crw-r----- 1 root root 1, 1 Mar 5 16:49 /dev/mem > > Am I doing something wrong? How do I change the content of memory on a > live system using crash? With Red Hat x86 and x86_64 kernels, you can't. I feel your pain... The crash utility traditionally has had the capability of writing to /dev/mem, which can be a very useful, powerful (and dangerous) tool for kernel debugging. But Red Hat deemed the /dev/mem interface as a security hole, and restricted the x86 and x86_64 /dev/mem drivers to just the first 256 pages (1MB) of physical memory, making it useless for the crash utility. They allowed me to create the /dev/crash driver to replace it -- but it is effectively read-only because the driver has no write file operations handler: static struct file_operations crash_fops = { owner: THIS_MODULE, llseek: crash_llseek, read: crash_read, }; and so the kernel's vfs_write() returns EINVAL. Changing the permission of /dev/mem won't help because it isn't used by the crash utility when /dev/crash exists. Sorry about that, Dave -- Crash-utility mailing list Crash-utility(a)redhat.com https://www.redhat.com/mailman/listinfo/crash-utility