Exploit Methods/Function pointer overwrite
Details
When an attacker has a write primitive, they can overwrite function pointers to redirect execution. Function pointers exist in many places in the kernel, ranging from function pointer tables (e.g. fops) to vector and descriptor tables.
Examples
Mitigations
- make function pointer tables read-only (e.g. PAX_CONSTIFY_PLUGIN)
- make sensitive targets that need only occasional updates writable only during those updates (e.g. PAX_KERNEXEC)
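
A userspace analogue of the two mitigations above, added here as an illustration and not taken from PaX or the kernel: `mmap`/`mprotect` stand in for kernel page permissions, and `demo_ops`, `ops_init`, `ops_set_open` and `is_writable` are hypothetical names. The table is read-only after initialisation and writable only inside the update function; the probe shows that the page rejects writes at every other time.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical ops table, standing in for a kernel table such as fops. */
struct demo_ops { int (*open)(void); };
int demo_open(void)    { return 1; }
int demo_open_v2(void) { return 3; }

static struct demo_ops *ops;   /* placed alone on its own page */
static size_t ops_len;

/* 1 if a store to addr would succeed, 0 if the page is read-only.
 * read(2) into a read-only page returns EFAULT rather than faulting the caller. */
int is_writable(void *addr) {
    int p[2], ok = 0;
    if (pipe(p) != 0) return -1;
    /* Write back the byte already there, so a successful probe changes nothing. */
    if (write(p[1], addr, 1) == 1)
        ok = (read(p[0], addr, 1) == 1);
    close(p[0]); close(p[1]);
    return ok;
}

/* Fill the table once, then drop write permission (read-only table). */
int ops_init(void) {
    ops_len = (size_t)sysconf(_SC_PAGESIZE);
    ops = mmap(NULL, ops_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (ops == MAP_FAILED) return -1;
    ops->open = demo_open;
    return mprotect(ops, ops_len, PROT_READ);
}

/* Legitimate update path: writable only for the duration of the update. */
int ops_set_open(int (*fn)(void)) {
    if (mprotect(ops, ops_len, PROT_READ | PROT_WRITE) != 0) return -1;
    ops->open = fn;
    return mprotect(ops, ops_len, PROT_READ);
}

int main(void) {
    if (ops_init() != 0) return 1;
    printf("after init:   writable=%d open()=%d\n", is_writable(ops), ops->open());
    if (ops_set_open(demo_open_v2) != 0) return 1;
    printf("after update: writable=%d open()=%d\n", is_writable(ops), ops->open());
    return 0;
}
```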