Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 4 Apr 2012 08:38:48 +0000 (UTC)
From:      jb <jb.1234abcd@gmail.com>
To:        freebsd-stable@freebsd.org
Subject:   Re:  Text relocations in kernel modules
Message-ID:  <loom.20120404T103230-175@post.gmane.org>
References:  <CAGE5yCpuvsVrc-%2BDTVas-W4fjuP2s%2B6PQONMOTyEbGnj2CY3ig@mail.gmail.com> <4F766F29.2030803@cs.stonybrook.edu> <CAFHbX1KiZx68MP4bCAvPc0Zui3fA4O35_z3kP781zoJqLYp7Bw@mail.gmail.com> <4F79D88B.3040102@cs.stonybrook.edu> <CAFHbX1KE15G9gx7Duw2R8zC5jL1jiEir0yMB0-s5%2B4xx517WtQ@mail.gmail.com> <4F79E27E.3000509@cs.stonybrook.edu> <CAGE5yCrwLosuTT2yq0DEx%2Bz8ztKpkrB=tORmURcuh_SCz=L7qg@mail.gmail.com> <4F79FCB8.1090003@cs.stonybrook.edu> <CAGE5yCrz45AWeJGv=2UWRq7xpXZVtvsx%2B5O6cvaE6ZzoFrz5mA@mail.gmail.com> <4F7A05C4.9070808@cs.stonybrook.edu> <20120403170259.GA94837@neutralgood.org>

next in thread | previous in thread | raw e-mail | index | archive | help
 <kpneal <at> pobox.com> writes:

> ... 
> You can appeal to authority by saying the Gentoo Hardened developers said
> such-and-such all you want, but it would be more useful for you to be able
> to make specific technical arguments yourself. Saying "it could be a
> problem" or "in the wild there may be" isn't useful. A valid technical
> argument giving a mechanism for relocations to be exploited is all that
> is needed for you to prove your point.
> ...

I have a question regarding security of FreeBSD kernel module loading and
relocation.

According to KLDLOAD(8): 
"...The kldload utility loads file.ko into the kernel using the kernel
     linker. ..."

So, kernel module is loaded:
# kldload /boot/kernel/foo.ko

Here is my question: is foo.ko modified at this time ? Due to relocations ?

The reason I ask about it is this Gentoo Hardened FAQ item:

http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#paxnoelf

"I keep getting the message: "error while loading shared libraries: cannot make
segment writable for relocation: Permission denied." What does this mean?"

I understand this is about .so and does not apply directly to .ko .

But of interest to me is this:
"...
Text relocations are a way in which references in the executable code to
addresses not known at link time are solved. Basically they just write
the appropriate address at runtime marking the code segment writable in order
to change the address then unmarking it. This can be a problem as an attacker
could try to exploit a bug when the text relocation happens in order to be able
to write arbitrary code in the text segment which would be executed.
..."

Now, let me apply the above quoted paragraph to .ko and ask my question again,
this time being more specific:

are you doing any "marking" and "unmarking" of it at relocations and load time,
thus creating an attack window opportunity ?

jb





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?loom.20120404T103230-175>