- 02-19-2010 #1
Writable code in kernel modules?
Intel/AMD kernel 2.6.32-ARCH
I was exploring some kernel modules and came across this weird functionality... Code is writable in kernel modules. At first I thought this must be a mistake, so I wrote the kernel module below to check it out, and it's true: a kernel module's code section is writable... how about that.
In the code below you can alternate between the two different character arrays 'ch[]' and change the execution of the function myfunc.
The code is pretty simple: in myfunc I save the instruction pointer in eax with a call to 0: and then a pop.
Once I have the value in eax I add 28 to it, to give me a value in the nop-nop instruction range, and then I change its value to either {0x90,0x90,0x90,0x90}, which has no effect, or {0x90,0x90,0x90,0xc3}, which causes the function to exit before printk is called... So, writing to the code section. How about that.
Or am I missing something here?
Code:
```c
#include <linux/kernel.h>
#include <linux/module.h>

/* The four bytes written into myfunc's nop slide. Switch between the
 * arrays to change what the function does after the write. */
char ch[] = {0x90, 0x90, 0x90, 0x90};      /* nop nop nop nop: no effect */
//char ch[] = {0x90, 0x90, 0x90, 0xc3};    /* some compilers require this one */
//char ch[] = {0x90, 0x90, 0xc9, 0xc3};    /* 0xc3 -> ret (0xc9 -> leave) */

void myfunc(void)
{
	__asm__ __volatile__ (
		"pushl %ebx\n\t"
		"call 0f\n\t"            /* push the address of label 0: ... */
		"0:\n\t"
		"popl %eax\n\t"          /* ... and pop it: eax = current instruction pointer */
		"addl $28, %eax\n\t"     /* eax now points into the nop slide below */
		"movl ch, %ebx\n\t"      /* load the four patch bytes */
		"movl %ebx, (%eax)\n\t"  /* write them over the code section */
		"popl %ebx\n\t"
		"addl $4, %esp\n\t"
		"nop\n\t" "nop\n\t" "nop\n\t" "nop\n\t" "nop\n\t"
		"nop\n\t" "nop\n\t" "nop\n\t" "nop\n\t" "nop\n\t"
		"nop\n\t" "nop\n\t" "nop\n\t" "nop\n\t" "nop\n\t"
		"nop\n\t" "nop\n\t" "nop\n\t" "nop\n\t" "nop\n\t"
		"nop\n\t" "nop\n\t" "nop\n\t"
	);
	printk(KERN_ALERT "this from here!\n");
}

int init_module(void)
{
	myfunc();
	return 0;
}

void cleanup_module(void)
{
	printk(KERN_ALERT "setting everything back...we're out of here!\n");
}

MODULE_LICENSE("GPL"); /* added so loading the module does not taint the kernel */
```
Last edited by gerard4143; 02-19-2010 at 09:11 PM.
Make mine Arch Linux
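The module above writes into its own .text and the write simply succeeds. The following user-space program is an added example, not code from this thread or from the original poster: it shows the check a practitioner would run before trusting that any address is patchable, namely reading the page permissions the kernel records in /proc/self/maps. For a normal process the text mapping comes back r-xp, so the same four-byte write the module performs would fault here; this is the contrast the thread is about. It assumes a Linux system with /proc mounted, and the function and file names are the example's own.

```c
/* Added example (not from the thread): ask the kernel whether the page
 * holding a given address is writable, by parsing /proc/self/maps.
 * Build: gcc -O2 -o wcheck wcheck.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse one maps line ("start-end perms offset dev inode path").
 * Returns 1 if addr falls inside the mapping (and copies the 4-char
 * permission string into perms), 0 if it does not, -1 if the line is
 * malformed. */
int maps_line_covers(const char *line, uintptr_t addr, char perms[5])
{
    unsigned long long start, end;
    char p[5];

    if (sscanf(line, "%llx-%llx %4s", &start, &end, p) != 3)
        return -1;
    if (addr < start || addr >= end)
        return 0;
    memcpy(perms, p, 5);
    return 1;
}

/* Walk /proc/self/maps. Returns 1 if the page holding addr is writable,
 * 0 if it is mapped read-only, -1 if it is unmapped or /proc is absent. */
int address_is_writable(const void *addr)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512], perms[5];
    int result = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (maps_line_covers(line, (uintptr_t)addr, perms) == 1) {
            result = (perms[1] == 'w');  /* perms looks like "r-xp" or "rw-p" */
            break;
        }
    }
    fclose(f);
    return result;
}

static char data_buf[16];  /* lives in .bss: expected writable */

int main(void)
{
    /* The code page of this very function: expected 0 (read-only, r-xp). */
    printf("code %p writable: %d\n", (void *)address_is_writable,
           address_is_writable((const void *)address_is_writable));
    /* A data page: expected 1 (rw-p). */
    printf("data %p writable: %d\n", (void *)data_buf,
           address_is_writable(data_buf));
    return 0;
}
```

The check is read-only and needs no privileges. For kernel modules the equivalent protection is a kernel build option rather than a per-process mapping: later kernels gained CONFIG_DEBUG_SET_MODULE_RONX and then CONFIG_STRICT_MODULE_RWX, which map module text read-only after loading, so the write in the module above would oops instead of succeeding.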
- 02-19-2010 #2
Linux Guru
- Join Date
- Apr 2009
- Location
- I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
- Posts
- 8,961
When you write kernel code, you are "god" to the system, and can pretty much do anything you want - caveat developer!
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 02-19-2010 #3
- 02-19-2010 #4
Linux Guru
- Join Date
- Apr 2009
- Location
- I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
- Posts
- 8,961
That's why it's good for a lot of eyes to be viewing kernel code, to catch stuff that is malicious, or just stupid...
In any case, if you can install a custom kernel or kernel modules on a system, you own it pretty much. That's why only root can perform those operations (normally) and on a lot of internet-facing systems these days root access is restricted to console access only.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!