Text relocations in kernel modules

jb jb.1234abcd at gmail.com
Wed Apr 4 15:05:51 UTC 2012


Ian Lepore <freebsd <at> damnhippie.dyndns.org> writes:

> ...
> > But of interest to me is this:
> > "...
> > Text relocations are a way in which references in the executable code to
> > addresses not known at link time are solved. Basically they just write
> > the appropriate address at runtime marking the code segment writable in
> > order to change the address then unmarking it. This can be a problem as
> > an attacker could try to exploit a bug when the text relocation happens
> > in order to be able to write arbitrary code in the text segment which
> > would be executed.
> > ..."
> ... 
> A kernel module is loaded and linked
> ONCE, at load time, into the kernel's address space.
> ...

From the point of view of an attacker it does not matter whether a kernel module
is loaded and linked once only. That's enough to create a window of opportunity
for interfering with the relocation process and modifying text (code).

jb
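As an added example (not from the thread or from FreeBSD's own loader code), a small Python parser that inventories which relocation sections in an ET_REL ELF64 object, the form a kernel module takes, target executable sections; those are the entries the module loader has to apply while the code is writable, i.e. the window the reply above describes. The sample object is constructed inline and is not a real module.

```python
import struct

SHT_RELA, SHT_REL, SHF_EXECINSTR = 4, 9, 0x4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header
SHDR = struct.Struct("<IIQQQQIIQQ")          # ELF64 section header

def _cstr(blob, off):
    return blob[off:blob.index(b"\0", off)].decode()

def find_text_relocations(data):
    """List (reloc section, target section, entry count) for every REL/RELA
    section whose target section is executable (SHF_EXECINSTR)."""
    hdr = EHDR.unpack_from(data, 0)
    if hdr[0][:4] != b"\x7fELF" or hdr[0][4] != 2:
        raise ValueError("not an ELF64 object")
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    names = shdrs[shstrndx][4]                 # file offset of .shstrtab
    found = []
    for s in shdrs:
        if s[1] in (SHT_REL, SHT_RELA):
            target = shdrs[s[7]]               # sh_info = section being patched
            if target[2] & SHF_EXECINSTR:
                count = s[5] // s[9] if s[9] else 0
                found.append((_cstr(data, names + s[0]),
                              _cstr(data, names + target[0]), count))
    return found

def build_sample_module():
    """Constructed ET_REL x86-64 object with two RELA entries against .text."""
    shstr = b"\0.text\0.rela.text\0.shstrtab\0"
    text = b"\x90" * 16                        # placeholder code bytes
    rela = struct.pack("<QQq", 2, (1 << 32) | 2, -4) * 2   # sym 1, type 2, addend -4
    text_off = EHDR.size
    rela_off = text_off + len(text)
    str_off = rela_off + len(rela)
    shoff = str_off + len(shstr)
    shdrs = [
        SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        SHDR.pack(1, 1, 0x6, 0, text_off, len(text), 0, 0, 16, 0),       # .text, AX
        SHDR.pack(7, SHT_RELA, 0, 0, rela_off, len(rela), 0, 1, 8, 24),  # patches sec 1
        SHDR.pack(18, 3, 0, 0, str_off, len(shstr), 0, 0, 1, 0),         # .shstrtab
    ]
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = EHDR.pack(ident, 1, 62, 1, 0, 0, shoff, 0, EHDR.size, 0, 0, SHDR.size, len(shdrs), 3)
    return ehdr + text + rela + shstr + b"".join(shdrs)

if __name__ == "__main__":
    for rel, target, n in find_text_relocations(build_sample_module()):
        print(f"{rel}: {n} relocation(s) patch executable section {target}")
```

Point `find_text_relocations` at the bytes of a real `.ko` to see how many fixups the loader applies into its code sections; the parser only handles ET_REL ELF64 objects, not ET_DYN modules.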
More information about the freebsd-stable mailing list