Date:      Wed, 4 Apr 2012 09:13:50 -0700
From:      Peter Wemm <peter@wemm.org>
To:        jb <jb.1234abcd@gmail.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Text relocations in kernel modules
Message-ID:  <CAGE5yCoZuyUhuWRc0orYkB2wuuESuBzzoRNqOvWr-G=a1XOJDA@mail.gmail.com>
In-Reply-To: <loom.20120404T165909-66@post.gmane.org>
References:  <CAGE5yCpuvsVrc-+DTVas-W4fjuP2s+6PQONMOTyEbGnj2CY3ig@mail.gmail.com> <4F766F29.2030803@cs.stonybrook.edu> <CAFHbX1KiZx68MP4bCAvPc0Zui3fA4O35_z3kP781zoJqLYp7Bw@mail.gmail.com> <4F79D88B.3040102@cs.stonybrook.edu> <CAFHbX1KE15G9gx7Duw2R8zC5jL1jiEir0yMB0-s5+4xx517WtQ@mail.gmail.com> <4F79E27E.3000509@cs.stonybrook.edu> <CAGE5yCrwLosuTT2yq0DEx+z8ztKpkrB=tORmURcuh_SCz=L7qg@mail.gmail.com> <4F79FCB8.1090003@cs.stonybrook.edu> <CAGE5yCrz45AWeJGv=2UWRq7xpXZVtvsx+5O6cvaE6ZzoFrz5mA@mail.gmail.com> <4F7A05C4.9070808@cs.stonybrook.edu> <20120403170259.GA94837@neutralgood.org> <loom.20120404T103230-175@post.gmane.org> <1333550029.1090.67.camel@revolution.hippie.lan> <loom.20120404T165909-66@post.gmane.org>

On Wed, Apr 4, 2012 at 8:05 AM, jb <jb.1234abcd@gmail.com> wrote:
> Ian Lepore <freebsd <at> damnhippie.dyndns.org> writes:
>
>> ...
>> > But of interest to me is this:
>> > "...
>> > Text relocations are a way in which references in the executable code to
>> > addresses not known at link time are solved. Basically they just write
>> > the appropriate address at runtime marking the code segment writable in
>> > order to change the address then unmarking it. This can be a problem as
>> > an attacker could try to exploit a bug when the text relocation happens
>> > in order to be able to write arbitrary code in the text segment which
>> > would be executed.
>> > ..."
>> ...
>> A kernel module is loaded and linked
>> ONCE, at load time, into the kernel's address space.
>> ...
>
> From the point of view of an attacker it does not matter whether a kernel module
> is loaded and linked once only. That's enough to create a window of opportunity
> for interfering with the relocation process and modifying text (code).

There is no way to interfere because it is done outside of user space
entirely, **after** the file has been copied out of the file system.
You can do whatever you like to the file, but it has no effect because
all the relocation is done in a private kernel copy.

In Linux, the module tools do the linking and hand the resulting block
of memory to the kernel.  In FreeBSD, the module tools are third
parties in the process.

The copy is done while the vnode is locked.  Any attempt to write to
the file, or page fault via a mmap(MAP_SHARED) will sleep till the
lock is released and the kernel has completed the copy of the
contents.  Once the lock is released, it doesn't matter what you do
because the kernel is operating on a private, non-shared copy that you
can't get anywhere near.

-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV
"All of this is for nothing if we don't go to the stars" - JMS/B5
"If Java had true garbage collection, most programs would delete
themselves upon execution." -- Robert Sewell
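The distinction Peter draws above, between relocating in a private kernel copy of the module and working on something that still aliases the file, is easy to see in user space. The program below is an added illustration written for this archive page; it is not code from the thread, from the FreeBSD loader, or from any of the participants. It builds a constructed temporary file standing in for module text, then compares two loader styles: one that reads the bytes into a private heap buffer before a concurrent writer modifies the file, and one that maps the file MAP_SHARED. The first buffer is unaffected by the later write; the shared mapping observes it. The file path prefix and the byte patterns are assumptions chosen for the demo.

```c
/* Added example (not from the mailing-list thread): contrasts a private
 * in-memory copy of a file with a MAP_SHARED mapping of the same file, to
 * show why relocating on a private copy removes the file-tampering window
 * that the quoted text worried about. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for module text; both patterns have the same length. */
static const char ORIGINAL[] = "module text v1";
static const char TAMPERED[] = "module text v2";

/* Create a temp file (assumed path prefix) holding ORIGINAL; returns fd or -1. */
static int make_file(char *path, size_t pathlen) {
    snprintf(path, pathlen, "/tmp/reloc_demo_XXXXXX");
    int fd = mkstemp(path);                       /* opened O_RDWR */
    if (fd < 0) return -1;
    if (write(fd, ORIGINAL, sizeof ORIGINAL) != (ssize_t)sizeof ORIGINAL) {
        close(fd); unlink(path); return -1;
    }
    return fd;
}

/* Overwrite the file in place with TAMPERED (a writer racing the loader). */
static int tamper(int fd) {
    return pwrite(fd, TAMPERED, sizeof TAMPERED, 0) == (ssize_t)sizeof TAMPERED ? 0 : -1;
}

/* Loader style A: copy the file into a private heap buffer first, then keep
 * working on that buffer. Returns 1 if a later write to the file leaves the
 * buffer unchanged, 0 if it changed, -1 on a setup error. */
int private_copy_unaffected(void) {
    char path[64];
    int fd = make_file(path, sizeof path);
    if (fd < 0) return -1;
    int rc = -1;
    char *copy = malloc(sizeof ORIGINAL);
    if (copy && pread(fd, copy, sizeof ORIGINAL, 0) == (ssize_t)sizeof ORIGINAL
             && tamper(fd) == 0)
        rc = memcmp(copy, ORIGINAL, sizeof ORIGINAL) == 0;
    free(copy);
    close(fd);
    unlink(path);
    return rc;
}

/* Loader style B: map the file MAP_SHARED and work through the mapping.
 * Returns 1 if a later write to the file is visible through the mapping,
 * 0 if not, -1 on a setup error. */
int shared_mapping_sees_write(void) {
    char path[64];
    int fd = make_file(path, sizeof path);
    if (fd < 0) return -1;
    int rc = -1;
    char *map = mmap(NULL, sizeof ORIGINAL, PROT_READ, MAP_SHARED, fd, 0);
    if (map != MAP_FAILED) {
        if (tamper(fd) == 0)
            rc = memcmp(map, TAMPERED, sizeof TAMPERED) == 0;
        munmap(map, sizeof ORIGINAL);
    }
    close(fd);
    unlink(path);
    return rc;
}

int main(void) {
    printf("private copy unaffected by later write: %d\n", private_copy_unaffected());
    printf("MAP_SHARED mapping sees later write:    %d\n", shared_mapping_sees_write());
    return 0;
}
```

The kernel's vnode lock, as described in the message, additionally closes the gap between "start reading" and "finish reading" that this user-space demo does not model: here the copy is small enough to complete in one pread() call, whereas a real loader must hold the file stable for the whole copy before it starts relocating.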