Function

https://en.wikipedia.org/wiki/Supervisor_Mode_Access_Prevention

SMEP can be used to prevent supervisor mode from unintentionally executing user-space code. SMAP extends this protection to reads and writes.[2]

CR4

https://en.wikipedia.org/wiki/Control_register#CR4

SMEP is CR4 bit 20 (X86_CR4_SMEP in the kernel headers) and SMAP is CR4 bit 21 (X86_CR4_SMAP). Both are enabled by the kernel at boot when the CPU reports the corresponding cpuid flag, unless booted with nosmep / nosmap.

Effect

With SMEP set in CR4, an instruction fetch from a user-space address while running in ring 0 raises a page fault, so the kernel cannot be made to jump to user-space code. With SMAP set, supervisor-mode reads and writes of user-space pages fault as well, unless the kernel has temporarily set EFLAGS.AC (stac/clac, as copy_from_user does).

Checking whether the CPU supports both (the flags line is repeated per CPU, so stop at the first match):

grep -m1 -o -E "smep|smap" /proc/cpuinfo | xargs
smep smap

The cpuinfo flags only say the CPU supports the features; whether they are actually enabled is decided by the bits in CR4, which is what the pr_info output of the module below shows.

Disabling

#include <linux/kernel.h>          /* pr_info */
#include <asm/special_insns.h>     /* native_read_cr4 */
#include <asm/processor-flags.h>   /* X86_CR4_SMEP, X86_CR4_SMAP */

/* Raw CR4 write. Deliberately not native_write_cr4(): since Linux 5.3 that
 * helper re-asserts the pinned bits (SMEP and SMAP among them) and warns.
 * The "memory" clobber replaces the old __force_order dummy operand, which
 * was removed from the kernel in 5.10, so this builds on old and new trees. */
static inline void x_native_write_cr4(unsigned long val)
{
    asm volatile("mov %0,%%cr4" : : "r" (val) : "memory");
}

/* Methods */
/* Clears SMEP and SMAP on the CPU this code happens to run on. Other CPUs
 * keep their CR4, and the kernel's per-CPU cached copy (cpu_tlbstate.cr4)
 * is not updated. Call with preemption disabled so the read-modify-write
 * below does not migrate between CPUs. */
void unset_smep_smap(void)
{
    unsigned long cr4;

    cr4 = native_read_cr4();
    pr_info("read cr4: 0x%lx\n", cr4);
    cr4 &= ~(X86_CR4_SMEP);
    cr4 &= ~(X86_CR4_SMAP);

    pr_info("write cr4: 0x%lx\n", cr4);
    x_native_write_cr4(cr4);
    pr_info("read cr4: 0x%lx\n", native_read_cr4());
}

Why not use native_write_cr4?

Since Linux 5.3 the kernel "pins" sensitive bits in CR4 and CR0 so that they cannot be cleared through the normal write helpers. native_write_cr4() compares the value being written against the pinned bits recorded at boot (SMEP, SMAP and UMIP, later also FSGSBASE), ORs any that are missing back in, writes the register again and emits a WARN_ONCE. So native_write_cr4(cr4 & ~(X86_CR4_SMEP | X86_CR4_SMAP)) leaves both bits set and only produces a warning in dmesg. The inline mov %0,%%cr4 in x_native_write_cr4 above writes the register directly and never runs that check. native_write_cr0() does the same for CR0.WP.
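To make the difference between the two write paths concrete, here is a user-space model of the pinning check (an added example, not kernel code and not from the original page). It treats the CR4 value as a plain integer: raw_cr4_write models the unchecked mov-to-CR4 used above, and pinned_cr4_write models what native_write_cr4 installs and which bits it would warn about. The pinned mask (SMEP, SMAP, UMIP, FSGSBASE) and the sample boot value 0x3606f0 are assumptions chosen to look like a typical x86-64 VM; adjust them to the kernel you are looking at.

```c
#include <stdio.h>

/*
 * CR4 bit positions from the Intel SDM; same values as X86_CR4_* in
 * arch/x86/include/uapi/asm/processor-flags.h.
 */
#define CR4_UMIP     (1UL << 11)
#define CR4_FSGSBASE (1UL << 16)
#define CR4_SMEP     (1UL << 20)
#define CR4_SMAP     (1UL << 21)

/*
 * Assumption: the set of bits the kernel pins. Linux 5.3 pinned SMEP, SMAP
 * and UMIP; FSGSBASE was added later. Change this for the kernel you model.
 */
#define CR4_PINNED_MASK (CR4_SMEP | CR4_SMAP | CR4_UMIP | CR4_FSGSBASE)

struct cr4_write_result {
    unsigned long installed;  /* value CR4 ends up holding */
    unsigned long reverted;   /* pinned bits the caller tried to change */
};

/* The value unset_smep_smap() computes before writing. */
unsigned long cr4_without_smep_smap(unsigned long cr4)
{
    return cr4 & ~(CR4_SMEP | CR4_SMAP);
}

int cr4_smep_smap_enabled(unsigned long cr4)
{
    return (cr4 & (CR4_SMEP | CR4_SMAP)) == (CR4_SMEP | CR4_SMAP);
}

/* Model of the raw "mov %0,%%cr4" in x_native_write_cr4(): no check at all. */
unsigned long raw_cr4_write(unsigned long requested)
{
    return requested;
}

/*
 * Model of native_write_cr4() with CR4 pinning. The kernel records the
 * pinned bits once at boot (here: taken from boot_cr4) and on every write
 * forces them back to that recorded state; the bits it had to restore are
 * what it warns about.
 */
struct cr4_write_result pinned_cr4_write(unsigned long boot_cr4,
                                         unsigned long requested)
{
    unsigned long pinned = boot_cr4 & CR4_PINNED_MASK;
    struct cr4_write_result r;

    r.reverted  = (requested & CR4_PINNED_MASK) ^ pinned;
    r.installed = (requested & ~CR4_PINNED_MASK) | pinned;
    return r;
}

int main(void)
{
    /* Constructed sample: a typical CR4 on an x86-64 VM with SMEP and SMAP on. */
    unsigned long boot_cr4 = 0x3606f0UL;
    unsigned long wanted = cr4_without_smep_smap(boot_cr4);
    struct cr4_write_result via_helper = pinned_cr4_write(boot_cr4, wanted);
    unsigned long via_raw = raw_cr4_write(wanted);

    printf("boot cr4:                0x%lx (smep+smap %s)\n", boot_cr4,
           cr4_smep_smap_enabled(boot_cr4) ? "on" : "off");
    printf("requested:               0x%lx\n", wanted);
    printf("native_write_cr4 result: 0x%lx, WARN_ONCE about 0x%lx\n",
           via_helper.installed, via_helper.reverted);
    printf("raw mov-to-cr4 result:   0x%lx (smep+smap %s)\n", via_raw,
           cr4_smep_smap_enabled(via_raw) ? "on" : "off");
    return 0;
}
```

Writes that do not touch pinned bits go through native_write_cr4 unchanged; only an attempt to clear SMEP/SMAP (or another pinned bit) is reverted, which is exactly why the module above bypasses the helper with its own inline asm.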