How to get swapper_pg_dir address from an ARM64 program with kernel read/write capabilties?

Question

I have a program that can read and write to kernel memory and I want to get the address of swapper_pg_dir. The device in question is running Android with ARM64 architecture and has kASLR enabled.

swapper_pg_dir is not printed to /proc/kallsyms and what I tried to do was getting the swapper_pg_dir address from System.map (got by compiling the kernel source) and calculate the offset using /proc/kallsyms, and using it to calculate the current swapper_pg_dir address. But the resulting address seems to be wrong because the program cannot read memory from it (reading memory from this address returns some strings that are mostly of the format "u:object_r:####_prop:s0" which usually happens when the memory is not mapped)

Also, flashing a modified kernel or loading a kernel module is not an option because the bootloader is locked (and unlocking is not allowed) in this device.

So what could be a possible way to get the swapper_pg_dir address? It could be possible to read from a structure (whose address is exported in kallsyms or can be calculated) that has this as a variable but I have yet to find such a structure.

Answer 1

Use the following command. Note that you must configure the kernel.

cat /sys/kernel/debug/kernel_page_tables | grep swapper_pg_dir .

Answer 2

The structure init_mm contains the swapper_pg_dir address.

struct mm_struct init_mm = {
[...]
  .pgd = swapper_pg_dir,
[...]
};

In my case it was located at the address 64 bytes after the init_mm address.

Answer 3

what is your end goal ?

accornding to head.S

/*
 * swapper_pg_dir is the virtual address of the initial page table. We place
 * the page tables 3 * PAGE_SIZE below KERNEL_RAM_VADDR. The idmap_pg_dir has
 * 2 pages and is placed below swapper_pg_dir.
 */

and KERNEL_RAM_VADDR is

#define KERNEL_RAM_VADDR    (PAGE_OFFSET + TEXT_OFFSET)

page_size can be queried from proc.

these addresses will give you your address of swapper_pg_dir.