Copy_from_user on 大飞的博客 https://www.dafei.me/tags/copy_from_user/ Recent content in Copy_from_user on 大飞的博客 Hugo zh-cn Fri, 22 May 2026 03:00:00 +0000 从零写OS(三十二):启动 busybox sh —— 用户指针与内核页表的陷阱 https://www.dafei.me/posts/os-32-busybox-init/ Fri, 22 May 2026 03:00:00 +0000 https://www.dafei.me/posts/os-32-busybox-init/ <p>ch31 已经能跑 musl libc 的 hello world 了,这一章目标更高:启动 busybox sh,看到 <code>/ #</code> 提示符。busybox 是个真正的程序,碰到的问题也更真实。</p> <h2 id="准备工作">准备工作</h2> <h3 id="获取静态编译的-busybox">获取静态编译的 busybox</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>wget https://busybox.net/downloads/binaries/1.35.0-x86_64-linux-musl/busybox </span></span><span style="display:flex;"><span>chmod +x busybox </span></span><span style="display:flex;"><span>file busybox </span></span><span style="display:flex;"><span><span style="color:#75715e"># busybox: ELF 64-bit LSB executable, x86-64, statically linked</span> </span></span></code></pre></div><h3 id="更新-ext2-镜像">更新 ext2 镜像</h3> <p>busybox 需要 <code>/bin/sh</code>、<code>/etc/passwd</code>、<code>/etc/group</code>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-makefile" data-lang="makefile"><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">sudo</span> <span style="color:#960050;background-color:#1e0010">mkdir</span> <span style="color:#960050;background-color:#1e0010">-p</span> <span style="color:#960050;background-color:#1e0010">/tmp/ext2mnt/bin</span> </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">sudo</span> <span style="color:#960050;background-color:#1e0010">mkdir</span> <span style="color:#960050;background-color:#1e0010">-p</span> <span style="color:#960050;background-color:#1e0010">/tmp/ext2mnt/etc</span> </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">sudo</span> <span style="color:#960050;background-color:#1e0010">cp</span> <span style="color:#66d9ef">$(</span>BUSYBOX<span style="color:#66d9ef">)</span> <span style="color:#960050;background-color:#1e0010">/tmp/ext2mnt/bin/busybox</span> </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">sudo</span> <span style="color:#960050;background-color:#1e0010">cp</span> <span style="color:#66d9ef">$(</span>BUSYBOX<span style="color:#66d9ef">)</span> <span style="color:#960050;background-color:#1e0010">/tmp/ext2mnt/bin/sh</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">printf &#39;root</span><span style="color:#f92672">:</span>x:0:0:root:/root:/bin/sh\n&#39; | sudo tee /tmp/ext2mnt/etc/passwd &gt; /dev/null </span></span><span style="display:flex;"><span><span style="color:#a6e22e">printf &#39;root</span><span style="color:#f92672">:</span>x:0:\n&#39; | sudo tee /tmp/ext2mnt/etc/group &gt; /dev/null </span></span></code></pre></div><h2 id="bug-1gdt-tss-描述符溢出">Bug 1:GDT TSS 描述符溢出</h2> <p>x86_64 下 TSS 描述符是 <strong>16 字节</strong>(两个 qword),GDT 必须为它预留两个连续槽位。之前只预留了一个,导致 TSS 描述符的高 8 字节覆盖了相邻的全局变量(恰好是 <code>mmap_next</code>),进程一分配匿名内存就跳到奇怪的地址。</p>