  1. #1
    Linux Enthusiast gerard4143
    Join Date: Dec 2007
    Location: Canada, Prince Edward Island
    Posts: 714

    Writable code in kernel modules?


    Intel/AMD kernel 2.6.32-ARCH

    I was exploring some kernel modules and came across this weird functionality...code is writable in kernel modules. At first I thought this must be a mistake, so I wrote the kernel module below to check it out, and it's true: a kernel module's code section is writable...how about that.

    In the code below you can alternate between the two different character arrays 'ch[]' and change the execution of the function myfunc.

    The code is pretty simple: in myfunc I save the instruction pointer in eax with a call to 0: and then a pop.
    Once I have the value in eax I add 28 to it, to give me a value in the nop nop instruction range, and then I change its value to either {0x90,0x90,0x90,0x90}, which has no effect, or {0x90,0x90,0x90,0xc3}, which causes the function to exit before printk is called...So writing to the code section..How about that.

    Or am I missing something here..

    Code:
    #include <linux/kernel.h>
    #include <linux/module.h>
    
    
    /* the four bytes that get written over the nop run below (32-bit x86) */
    char ch[] = {0x90, 0x90, 0x90, 0x90};	/* nop nop nop nop: no effect */
    //char ch[] = {0x90, 0x90, 0x90, 0xc3};	/* nop nop nop ret: leaves myfunc before printk */
    
    //some compilers require this one// (builds that keep a frame pointer)
    //char ch[] = {0x90, 0x90, 0xc9, 0xc3};	/* nop nop leave ret */
    
    //0x90 -> nop, 0xc9 -> leave, 0xc3 -> ret
    
    void myfunc(void)
    {
    	/* basic asm: eax is clobbered without gcc being told, ebx is saved by hand */
    	__asm__ __volatile__
    	(
    	 	"pushl	%ebx\n\t"
    	 	"call	0f\n\t"			/* pushes the address of label 0... */
    		"0:\n\t"
    		"popl	%eax\n\t"		/* ...which is popped: eax = address of this popl */
    		"addl	$28, %eax\n\t"		/* 28 bytes further on is inside the nop run */
    		"movl	ch, %ebx\n\t"		/* load the 4 replacement bytes */
    		"movl	%ebx, (%eax)\n\t"	/* and write them over the code itself */
    		"popl	%ebx\n\t"
    		"addl	$4, %esp\n\t"		/* stack adjustment for the early ret */
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    	 	"nop\n\t"
    		"nop\n\t"
    	);
    	printk(KERN_ALERT"this from here!\n");	/* never reached when ch[] ends in ret */
    }
    
    
    int init_module(void)
    {
    	myfunc();
    	return 0;
    }
    
    void cleanup_module(void)
    {
    	printk(KERN_ALERT"setting everything back...we're out of here!\n");
    }
    
    MODULE_LICENSE("GPL");	/* declares the licence so loading does not taint the kernel */
    Last edited by gerard4143; 02-19-2010 at 09:11 PM.
    Make mine Arch Linux
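
    As an added example that is not code from the thread or from any of the posters: the observation above is a property of the kernel build, not of the module, so the defender's check is whether the running kernel was built with module text write-protection at all. The script below reads that from a kernel config file (on a live box, /boot/config-$(uname -r) or a decompressed /proc/config.gz); the option names are real Kconfig symbols, the two sample configs are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not code from the thread: decide from a kernel's build
# configuration whether loadable-module code is write-protected.
# Usage on a live system: module_text_protection /boot/config-$(uname -r)
#
# Real Kconfig symbols, by kernel generation:
#   CONFIG_DEBUG_SET_MODULE_RONX   2.6.38 .. 4.10  module .text made read-only
#   CONFIG_STRICT_MODULE_RWX       4.11 onward     its replacement
#   CONFIG_DEBUG_RODATA / CONFIG_STRICT_KERNEL_RWX protect only the core
#   kernel's own text and rodata, so "=y" there says nothing about modules.
# The thread's 2.6.32 kernel predates the first module option, so module
# .text there is ordinary writable memory, which is what gerard4143 observed.

# has_option FILE SYMBOL: true if FILE enables SYMBOL as built-in ("=y")
has_option() {
    grep -q "^$2=y\$" "$1"
}

# module_text_protection FILE: prints "protected" or "writable" for module code
module_text_protection() {
    if has_option "$1" CONFIG_STRICT_MODULE_RWX ||
       has_option "$1" CONFIG_DEBUG_SET_MODULE_RONX; then
        echo protected
    else
        echo writable
    fi
}

# kernel_text_protection FILE: the same verdict for the core kernel's text
kernel_text_protection() {
    if has_option "$1" CONFIG_STRICT_KERNEL_RWX ||
       has_option "$1" CONFIG_DEBUG_RODATA; then
        echo protected
    else
        echo writable
    fi
}

# Constructed sample configs (not real files) standing in for two generations:
# an old build with only the core kernel protected, and a current one.
OLD_CFG=$(mktemp) && NEW_CFG=$(mktemp)
trap 'rm -f "$OLD_CFG" "$NEW_CFG"' EXIT
printf '%s\n' 'CONFIG_DEBUG_RODATA=y' \
    '# CONFIG_DEBUG_SET_MODULE_RONX is not set' >"$OLD_CFG"
printf '%s\n' 'CONFIG_STRICT_KERNEL_RWX=y' 'CONFIG_STRICT_MODULE_RWX=y' >"$NEW_CFG"

echo "old build:     kernel $(kernel_text_protection "$OLD_CFG"), modules $(module_text_protection "$OLD_CFG")"
echo "current build: kernel $(kernel_text_protection "$NEW_CFG"), modules $(module_text_protection "$NEW_CFG")"
```

    A "writable" verdict for modules means any code that can load a module can also patch module text in place the way the post's myfunc does, with nothing in the MMU to stop it.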

  2. #2
    Linux Guru Rubberman
    Join Date: Apr 2009
    Location: I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts: 11,633
    When you write kernel code, you are "god" to the system, and can pretty much do anything you want - caveat developer!
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  3. #3
    Linux Enthusiast gerard4143
    Join Date: Dec 2007
    Location: Canada, Prince Edward Island
    Posts: 714
    Quote Originally Posted by Rubberman:
    When you write kernel code, you are "god" to the system, and can pretty much do anything you want - caveat developer!
    Thanks for the response. I knew the developer had free rein in the kernel, I just didn't realize how free..
    Make mine Arch Linux

  4. #4
    Linux Guru Rubberman
    Join Date: Apr 2009
    Location: I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts: 11,633
    That's why it's good for a lot of eyes to be viewing kernel code, to catch stuff that is malicious, or just stupid... In any case, if you can install a custom kernel or kernel modules on a system, you own it pretty much. That's why only root can perform those operations (normally) and on a lot of internet-facing systems these days root access is restricted to console access only.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
