From owner-freebsd-stable@FreeBSD.ORG Wed Apr 4 08:39:02 2012
From: jb
To: freebsd-stable@freebsd.org
Date: Wed, 4 Apr 2012 08:38:48 +0000 (UTC)
Subject: Re: Text relocations in kernel modules
References: <4F766F29.2030803@cs.stonybrook.edu> <4F79D88B.3040102@cs.stonybrook.edu> <4F79E27E.3000509@cs.stonybrook.edu> <4F79FCB8.1090003@cs.stonybrook.edu> <4F7A05C4.9070808@cs.stonybrook.edu> <20120403170259.GA94837@neutralgood.org>
List-Id: Production branch of FreeBSD source code

pobox.com> writes:
> ...
> You can appeal to authority by saying the Gentoo Hardened developers said
> such-and-such all you want, but it would be more useful for you to be able
> to make specific technical arguments yourself. Saying "it could be a
> problem" or "in the wild there may be" isn't useful. A valid technical
> argument giving a mechanism for relocations to be exploited is all that
> is needed for you to prove your point.
> ...

I have a question regarding the security of FreeBSD kernel module loading and relocation.

According to KLDLOAD(8):
"...The kldload utility loads file.ko into the kernel using the kernel linker. ..."

So, the kernel module is loaded:
# kldload /boot/kernel/foo.ko

Here is my question: is foo.ko modified at this time? Due to relocations?

The reason I ask about it is this Gentoo Hardened FAQ item:
http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#paxnoelf
"I keep getting the message: "error while loading shared libraries: cannot make segment writable for relocation: Permission denied." What does this mean?"

I understand this is about .so and does not apply directly to .ko. But of interest to me is this:
"... Text relocations are a way in which references in the executable code to addresses not known at link time are solved. Basically they just write the appropriate address at runtime marking the code segment writable in order to change the address then unmarking it. This can be a problem as an attacker could try to exploit a bug when the text relocation happens in order to be able to write arbitrary code in the text segment which would be executed. ..."

Now, let me apply the above quoted paragraph to .ko and ask my question again, this time being more specific: are you doing any "marking" and "unmarking" of it at relocations and load time, thus creating an attack window opportunity?

jb
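Added example, not from the thread or from FreeBSD's own code: a small Python checker that lists the relocation sections of a module whose target section is executable, which is the set of relocations the kernel linker has to patch into code at load time. It assumes an ELF64 relocatable object (ET_REL, the form FreeBSD's amd64 .ko files take) and reads only the section headers; the sample object is constructed inline rather than taken from a real module.

```python
import struct

SHT_PROGBITS, SHT_STRTAB, SHT_RELA, SHT_REL = 1, 3, 4, 9
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4
SHDR_FMT = "<IIQQQQIIQQ"   # Elf64_Shdr, little-endian, 64 bytes


def text_relocations(elf: bytes):
    """Return [(reloc_section, target_section)] for every relocation section
    whose target section is executable, i.e. code the loader must patch."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("expected an ELF64 object")
    shoff = struct.unpack_from("<Q", elf, 0x28)[0]             # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    hdrs = [struct.unpack_from(SHDR_FMT, elf, shoff + i * shentsize)
            for i in range(shnum)]
    strtab = hdrs[shstrndx][4]                                  # sh_offset of .shstrtab

    def name(idx):
        start = strtab + hdrs[idx][0]                           # sh_name is a strtab offset
        return elf[start:elf.index(b"\0", start)].decode()

    hits = []
    for idx, (_, sh_type, _, _, _, _, _, sh_info, _, _) in enumerate(hdrs):
        # For SHT_REL/SHT_RELA, sh_info is the index of the section being patched
        if sh_type in (SHT_REL, SHT_RELA) and hdrs[sh_info][2] & SHF_EXECINSTR:
            hits.append((name(idx), name(sh_info)))
    return hits


def build_sample() -> bytes:
    """Constructed ET_REL object (not a real module): .text and .data, each with
    a RELA section pointing at it; only the .text one is a text relocation."""
    shstr = b"\0.text\0.data\0.rela.text\0.rela.data\0.shstrtab\0"
    nm = lambda s: shstr.index(s.encode() + b"\0")
    shoff = 64 + len(shstr)                                     # section headers after strtab

    def sh(name, typ, flags=0, off=0, size=0, info=0):
        return struct.pack(SHDR_FMT, name, typ, flags, 0, off, size, 0, info, 1, 0)

    shdrs = (sh(0, 0)
             + sh(nm(".text"), SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR)
             + sh(nm(".data"), SHT_PROGBITS, SHF_ALLOC | SHF_WRITE)
             + sh(nm(".rela.text"), SHT_RELA, info=1)
             + sh(nm(".rela.data"), SHT_RELA, info=2)
             + sh(nm(".shstrtab"), SHT_STRTAB, off=64, size=len(shstr)))
    # Elf64_Ehdr: ELFCLASS64, LE, ELFOSABI_FREEBSD (9), ET_REL (1), EM_X86_64 (62),
    # no program headers, 6 section headers of 64 bytes, .shstrtab at index 5
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 9, 0,
                       1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 6, 5)
    return ehdr + shstr + shdrs


if __name__ == "__main__":
    print(text_relocations(build_sample()))   # [('.rela.text', '.text')]
```

On a real module, `readelf -S` and `readelf -r` show the same section flags and relocation sections, so the checker's output can be cross-checked against that tool.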