From owner-freebsd-stable@FreeBSD.ORG  Wed Apr  4 17:45:22 2012
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id A60321065672
	for <freebsd-stable@freebsd.org>; Wed,  4 Apr 2012 17:45:22 +0000 (UTC)
	(envelope-from peter@wemm.org)
Received: from mail-gy0-f182.google.com (mail-gy0-f182.google.com
	[209.85.160.182])
	by mx1.freebsd.org (Postfix) with ESMTP id 4EFFF8FC12
	for <freebsd-stable@freebsd.org>; Wed,  4 Apr 2012 17:45:22 +0000 (UTC)
Received: by ghrr20 with SMTP id r20so405975ghr.13
	for <freebsd-stable@freebsd.org>; Wed, 04 Apr 2012 10:45:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wemm.org; s=google;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type;
	bh=SEU3rXrLA6rnJbBOHTyRR+Fy1C7ZmVgE5hAjgOa2lvY=;
	b=XVWz+eutS/OEACN19jyuihrqthx9UYqPKrntFm4HijtF5zkZLZaGgcdey50hCcj/C+
	zuqac+Bw9b8HkAUfDSJOmS6p4/YHcRIG03kFVdizLQEx4sgWHFSgLUMqldyE2Es9XCsb
	81Tbq9Re8N+purHBH5VFvG+iWzuHfNvMfTw6Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type:x-gm-message-state;
	bh=SEU3rXrLA6rnJbBOHTyRR+Fy1C7ZmVgE5hAjgOa2lvY=;
	b=HHODxf8kbFwzG7WRu1ohL0GrboG2UBweJk7SQb5L3fkiLHUKIB/vTdwoN3JutGwhUH
	e/oMvHpbImbRrlpzM4BM/hnGmkqUcephXdTfeh9cvSRe7MTSr+ZQS/LTx5hGoczsHtDH
	deNdZ+K5Bds1wPTkGj/MmNzpifJZLuF8b7Yzr0vIGxJx4wyoP1qEVzKgTc4x7j3pEIeV
	d6UdqsS+MbM6+KNGJu9Q+ef3sn6Z/akvO+w/lBClpRxJt7L9emYducepqLyuPeUn29l0
	2B/rIZgpUz9ryZk9/lohTx1kObCJN3nc9Cl0zMSVvhmSvH0yRpPn44aByAL0S5cFwyQP
	xOTA==
MIME-Version: 1.0
Received: by 10.52.17.239 with SMTP id r15mr7070987vdd.95.1333561521671; Wed,
	04 Apr 2012 10:45:21 -0700 (PDT)
Received: by 10.220.180.199 with HTTP; Wed, 4 Apr 2012 10:45:21 -0700 (PDT)
In-Reply-To: <loom.20120404T192618-4@post.gmane.org>
References: <CAGE5yCpuvsVrc-+DTVas-W4fjuP2s+6PQONMOTyEbGnj2CY3ig@mail.gmail.com>
	<4F766F29.2030803@cs.stonybrook.edu>
	<CAFHbX1KiZx68MP4bCAvPc0Zui3fA4O35_z3kP781zoJqLYp7Bw@mail.gmail.com>
	<4F79D88B.3040102@cs.stonybrook.edu>
	<CAFHbX1KE15G9gx7Duw2R8zC5jL1jiEir0yMB0-s5+4xx517WtQ@mail.gmail.com>
	<4F79E27E.3000509@cs.stonybrook.edu>
	<CAGE5yCrwLosuTT2yq0DEx+z8ztKpkrB=tORmURcuh_SCz=L7qg@mail.gmail.com>
	<4F79FCB8.1090003@cs.stonybrook.edu>
	<CAGE5yCrz45AWeJGv=2UWRq7xpXZVtvsx+5O6cvaE6ZzoFrz5mA@mail.gmail.com>
	<4F7A05C4.9070808@cs.stonybrook.edu>
	<20120403170259.GA94837@neutralgood.org>
	<loom.20120404T103230-175@post.gmane.org>
	<1333550029.1090.67.camel@revolution.hippie.lan>
	<loom.20120404T165909-66@post.gmane.org>
	<CAGE5yCoZuyUhuWRc0orYkB2wuuESuBzzoRNqOvWr-G=a1XOJDA@mail.gmail.com>
	<loom.20120404T192618-4@post.gmane.org>
Date: Wed, 4 Apr 2012 10:45:21 -0700
Message-ID: <CAGE5yCq+A+AyjPfVyiAdDCEDCy0vfyRBCw3tbGMLhdzOzcjnvw@mail.gmail.com>
From: Peter Wemm <peter@wemm.org>
To: jb <jb.1234abcd@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQlWnsq2d1euh6fyvep5HUWL9zYSHJUJb1BW8V897tD9gzTDcWHEM3L7gCOie5/PoWtFs3hZ
Cc: freebsd-stable@freebsd.org
Subject: Re: Text relocations in kernel modules
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2012 17:45:22 -0000

On Wed, Apr 4, 2012 at 10:34 AM, jb <jb.1234abcd@gmail.com> wrote:
> Peter Wemm <peter <at> wemm.org> writes:
>
>> ...
>> There is no way to interfere because it is done outside of user space
>> entirely, **after** the file has been copied out of the file system.
>> You can do whatever you like to the file, but it has no effect because
>> all the relocation is done in a private kernel copy.
>> ...
>
> What if attack code (broadly understood) is part of module code, and is based
> on either or both of:
> - hidden (as to meaning and reloc targets) arrangement of relocations needed
> - has an ability of (self) activation during load/link and *relocations* process
> already under the privilege of the kernel ?
>
> Is that possible at all ?
> Would there be any protection against it (except giving up relocations as
> an enabling vehicle) ?

1) If you can convince the superuser directly or indirectly to load a
.ko file of your creation or under your control, it doesn't matter
what the relocation state is. You already own the machine.
2) If you can write to kernel memory, you already own the machine,
regardless of relocations.
3) There is no difference in any way between a text relocation and a
non-text relocation inside kernel mode.
4) The user doesn't have any influence over the relocation process in
any way except by #1 and #2, in which case relocations don't matter,
because you already own the machine.
5) If you own the machine's kernel, you can hide anything you wish.
Relocations are not a factor in this.

-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV
"All of this is for nothing if we don't go to the stars" - JMS/B5
"If Java had true garbage collection, most programs would delete
themselves upon execution." -- Robert Sewell