Difference between revisions of "Exploit Methods/Function pointer overwrite"

From Linux Kernel Security Subsystem
Jump to navigation Jump to search
Line 9: Line 9:
= Mitigations =
= Mitigations =


* make function pointer tables read-only (e.g. PAX_CONSTIFY_PLUGIN)
* use __ro_after_init on function pointer tables that are only written during __init so they are read-only during the rest of the kernel runtime.
* make sensitive targets that need only occasional updates only writable during updates (e.g. PAX_KERNEXEC)
* make all function pointer tables read-only at compile time (e.g. PAX_CONSTIFY_PLUGIN)
* make sensitive targets that need only occasional updates only writable during rare updates (e.g. PAX_KERNEXEC)

Revision as of 16:13, 14 September 2016

Details

When an attacker has a write primitive, they can overwrite function pointers to redirect execution. Function pointers exist in a large number of places in the kernel ranging from function pointer tables (e.g. fops), to vector and descriptor tables.

Examples

Mitigations

  • use __ro_after_init on function pointer tables that are only written during __init so they are read-only during the rest of the kernel runtime.
  • make all function pointer tables read-only at compile time (e.g. PAX_CONSTIFY_PLUGIN)
  • make sensitive targets that need only occasional updates only writable during rare updates (e.g. PAX_KERNEXEC)