Text relocations in kernel modules

[Peter Wemm]

On Wed, Apr 4, 2012 at 1:38 AM, jb <jb.1234abcd at gmail.com> wrote:
>  <kpneal <at> pobox.com> writes:
>
>> ...
>> You can appeal to authority by saying the Gentoo Hardened developers said
>> such-and-such all you want, but it would be more useful for you to be able
>> to make specific technical arguments yourself. Saying "it could be a
>> problem" or "in the wild there may be" isn't useful. A valid technical
>> argument giving a mechanism for relocations to be exploited is all that
>> is needed for you to prove your point.
>> ...
>
> I have a question regarding security of FreeBSD kernel module loading and
> relocation.
>
> According to KLDLOAD(8):
> "...The kldload utility loads file.ko into the kernel using the kernel
>     linker. ..."
>
> So, kernel module is loaded:
> # kldload /boot/kernel/foo.ko
>
> Here is my question: is foo.ko modified at this time ? Due to relocations ?
>
> The reason I ask about it is this Gentoo Hardened FAQ item:
>
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#paxnoelf
>
> "I keep getting the message: "error while loading shared libraries: cannot make
> segment writable for relocation: Permission denied." What does this mean?"
>
> I understand this is about .so and does not apply directly to .ko .
>
> But of interest to me is this:
> "...
> Text relocations are a way in which references in the executable code to
> addresses not known at link time are solved. Basically they just write
> the appropriate address at runtime marking the code segment writable in order
> to change the address then unmarking it. This can be a problem as an attacker
> could try to exploit a bug when the text relocation happens in order to be able
> to write arbitrary code in the text segment which would be executed.
> ..."
>
> Now, let me apply the above quoted paragraph to .ko and ask my question again,
> this time being more specific:
>
> are you doing any "marking" and "unmarking" of it at relocations and load time,
> thus creating an attack window opportunity ?

In this particular case, no, there is no marking or unmarking.

What happens is:
kldload(2) syscall is performed with a pathname, in this case
"/boot/kernel/foo.ko".
The kernel locks the file.
The kernel allocates a chunk of private, kernel-only data at a non
deterministic address.
The kernel *copies* the file from the file system into this allocated
kernel-only memory.  This isn't a mmap, its a read/memcpy type
operation.
The kernel unlocks the file.
After the kernel has a private, non-shared copy of the file, it
resolves outstanding symbols and relocations in its private,
non-shared, non-user-accessible space.
The kernel finally tells the user if the kldload() syscall was
successful or not.

ld.so is not involved, which is where those errors would come from.
Nothing is shared, nothing is marked or unmarked.  All of these
operations happen outside of user visibility.  We don't even have a
way to report specific errors to the user, they're reported on the
console.

-- 
Peter Wemm - peter at wemm.org; peter at FreeBSD.org; peter at yahoo-inc.com; KI6FJV
"All of this is for nothing if we don't go to the stars" - JMS/B5
"If Java had true garbage collection, most programs would delete
themselves upon execution." -- Robert Sewell