Date: Wed, 4 Apr 2012 15:05:29 +0000 (UTC)
From: jb <jb.1234abcd@gmail.com>
To: freebsd-stable@freebsd.org
Subject: Re: Text relocations in kernel modules
Message-ID: <loom.20120404T165909-66@post.gmane.org>
References: <CAGE5yCpuvsVrc-%2BDTVas-W4fjuP2s%2B6PQONMOTyEbGnj2CY3ig@mail.gmail.com> <4F766F29.2030803@cs.stonybrook.edu> <CAFHbX1KiZx68MP4bCAvPc0Zui3fA4O35_z3kP781zoJqLYp7Bw@mail.gmail.com> <4F79D88B.3040102@cs.stonybrook.edu> <CAFHbX1KE15G9gx7Duw2R8zC5jL1jiEir0yMB0-s5%2B4xx517WtQ@mail.gmail.com> <4F79E27E.3000509@cs.stonybrook.edu> <CAGE5yCrwLosuTT2yq0DEx%2Bz8ztKpkrB=tORmURcuh_SCz=L7qg@mail.gmail.com> <4F79FCB8.1090003@cs.stonybrook.edu> <CAGE5yCrz45AWeJGv=2UWRq7xpXZVtvsx%2B5O6cvaE6ZzoFrz5mA@mail.gmail.com> <4F7A05C4.9070808@cs.stonybrook.edu> <20120403170259.GA94837@neutralgood.org> <loom.20120404T103230-175@post.gmane.org> <1333550029.1090.67.camel@revolution.hippie.lan>
Ian Lepore <freebsd <at> damnhippie.dyndns.org> writes:

> ...
> > But of interest to me is this:
> > "...
> > Text relocations are a way in which references in the executable code to
> > addresses not known at link time are solved. Basically they just write
> > the appropriate address at runtime marking the code segment writable in
> > order to change the address then unmarking it. This can be a problem as
> > an attacker could try to exploit a bug when the text relocation happens
> > in order to be able to write arbitrary code in the text segment which
> > would be executed.
> > ..."
> ...
> A kernel module is loaded and linked
> ONCE, at load time, into the kernel's address space.
> ...

From the point of view of an attacker it does not matter whether a kernel module is loaded and linked once only.
That's enough to create a window of opportunity for interfering with the relocation process and modifying text (code).

jb
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?loom.20120404T165909-66>
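An added, defensive example that is not part of the thread: a small Python audit that reads a little-endian ELF64 object's dynamic section and reports whether it carries DT_TEXTREL or DF_TEXTREL, i.e. whether the loader would have to write into the code segment to relocate it, and also counts PT_LOAD segments mapped both writable and executable. It assumes an ET_DYN-style object with a PT_DYNAMIC segment (ET_REL objects keep their relocations in REL/RELA sections and are not covered); the sample images come from `build_sample`, a constructed helper for this example, not a real module.

```python
"""Flag text relocations in a little-endian ELF64 object (e.g. an ET_DYN .ko).
DT_TEXTREL / DF_TEXTREL mean the loader must write into the code segment
while relocating: the window discussed in the thread."""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
PF_X, PF_W = 0x1, 0x2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4

def audit_elf64(data: bytes) -> dict:
    """Return TEXTREL findings plus the count of PT_LOAD segments mapped W+X."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 object")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]          # program header table
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    found = {"dt_textrel": False, "df_textrel": False, "wx_load_segments": 0}
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            found["wx_load_segments"] += 1
        elif p_type == PT_DYNAMIC:
            # Walk the Elf64_Dyn entries (16 bytes each) until DT_NULL.
            for pos in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, pos)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_TEXTREL:
                    found["dt_textrel"] = True
                elif d_tag == DT_FLAGS and d_val & DF_TEXTREL:
                    found["df_textrel"] = True
    found["needs_writable_text"] = found["dt_textrel"] or found["df_textrel"]
    return found

def build_sample(dyn_entries, load_flags=PF_X) -> bytes:
    """Constructed minimal ELF64 image (one PT_LOAD, one PT_DYNAMIC), not a real module."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phoff, phnum, phsize = 64, 2, 56
    dynoff = phoff + phnum * phsize
    ident = b"\x7fELF\x02\x01\x01\x09" + bytes(8)             # ELF64, LE, FreeBSD ABI
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, phoff, 0, 0,
                       64, phsize, phnum, 64, 0, 0)           # ET_DYN, x86-64
    load = struct.pack("<IIQQQQQQ", PT_LOAD, load_flags, 0, 0, 0,
                       dynoff + len(dyn), dynoff + len(dyn), 0x1000)
    dynamic = struct.pack("<IIQQQQQQ", PT_DYNAMIC, PF_W, dynoff, dynoff, dynoff,
                          len(dyn), len(dyn), 8)
    return ehdr + load + dynamic + dyn
```

On a real file, `audit_elf64(open(path, "rb").read())` gives the same answer as checking `readelf -d` for a TEXTREL entry, with the W+X segment count as an extra indicator of a code segment that stays writable after load.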