Exploit Methods/Function pointer overwrite
Details
When an attacker has a write primitive (the ability to store an attacker-controlled value at a chosen kernel address), they can overwrite a function pointer so that the next call through it transfers control to an address of their choosing. Function pointers exist in a large number of places in the kernel, ranging from function pointer tables (e.g. fops, the struct file_operations attached to every open file) to vector and descriptor tables.
Examples
Mitigations
- mark function pointer tables "const" when they can be statically assigned, so the linker places them in read-only memory and they stay read-only for the entire kernel runtime.
- use __ro_after_init on function pointer tables that are only written during __init, so they are writable while the kernel boots and read-only for the rest of the kernel runtime.
- automatically make all function pointer tables read-only at compile time, without relying on each table being annotated by hand (e.g. PAX_CONSTIFY_PLUGIN).
- make sensitive targets that need only occasional updates writable only for the duration of those rare updates, and read-only otherwise (e.g. PAX_KERNEXEC).
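The following user-space C program is an added example, not code from this page or from the Linux kernel; it models the attack from the Details section and the first two mitigations above. `struct toy_fops`, `legit_read`, `attacker_payload` and `arbitrary_write` are hypothetical stand-ins: the struct plays the role of a kernel function pointer table such as fops, `arbitrary_write` simulates the attacker's write primitive, and the kernel's `__ro_after_init` is emulated by filling a page during "init" and then `mprotect()`ing it read-only. The same overwrite is attempted against a plain writable table, a `const` table, and the emulated `__ro_after_init` table; a SIGSEGV handler reports whether the write landed or faulted.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <signal.h>
#include <setjmp.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical stand-in for a kernel function pointer table (think struct file_operations). */
struct toy_fops {
    int (*open)(void);
    int (*read)(char *buf, size_t len);
};

static int legit_open(void) { return 0; }
static int legit_read(char *buf, size_t len) { if (len) buf[0] = 'x'; return 1; }

/* Stands in for whatever the attacker wants executed once the pointer is redirected. */
static int attacker_payload(char *buf, size_t len) { (void)buf; (void)len; return 0x1337; }

/* 1. Ordinary non-const table: lives in .data and is writable for the whole runtime. */
static struct toy_fops writable_fops = { legit_open, legit_read };

/* 2. The same table declared const: the linker puts it in .rodata (or .data.rel.ro for a PIE,
 *    which RELRO makes read-only once relocations are applied), so stores to it fault. */
static const struct toy_fops const_fops = { legit_open, legit_read };

/* 3. Emulated __ro_after_init: a page that is writable during "init" and locked afterwards. */
static struct toy_fops *ro_after_init_fops;

static void init_ro_after_init_table(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    ro_after_init_fops = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    ro_after_init_fops->open = legit_open;     /* allowed: still in "init" */
    ro_after_init_fops->read = legit_read;
    mprotect(ro_after_init_fops, page, PROT_READ);  /* end of init: read-only from here on */
}

/* Simulated arbitrary-write primitive. The volatile cast forces the store to be emitted. */
static void arbitrary_write(uintptr_t addr, uintptr_t value) {
    *(volatile uintptr_t *)addr = value;
}

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Use the primitive to replace target->read with the payload.
 * Returns 1 if the write landed, 0 if the page was read-only and the write faulted. */
static int overwrite_read_ptr(const struct toy_fops *target) {
    struct sigaction sa = { 0 }, old_segv, old_bus;
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    int landed;
    if (sigsetjmp(fault_env, 1) == 0) {
        arbitrary_write((uintptr_t)&target->read, (uintptr_t)attacker_payload);
        landed = 1;
    } else {
        landed = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return landed;
}

/* Call ->read through the table: 1 means legit_read ran, 0x1337 means control was hijacked. */
static int call_read(const struct toy_fops *t) {
    char buf[4];
    return t->read(buf, sizeof buf);
}

int main(void) {
    init_ro_after_init_table();
    printf("writable table:  write landed=%d, read() -> %#x\n",
           overwrite_read_ptr(&writable_fops), call_read(&writable_fops));
    printf("const table:     write landed=%d, read() -> %#x\n",
           overwrite_read_ptr(&const_fops), call_read(&const_fops));
    printf("ro_after_init:   write landed=%d, read() -> %#x\n",
           overwrite_read_ptr(ro_after_init_fops), call_read(ro_after_init_fops));
    return 0;
}
```

Only the writable table is hijacked: its next `read()` call runs `attacker_payload`. The `const` and locked tables reject the store at the page-protection level, which is the whole point of the first two mitigations. Note that in the PIE case the `const` table is actually placed in `.data.rel.ro`, which is writable while the dynamic loader applies relocations and read-only afterwards; that window is the user-space analogue of the `__ro_after_init` lifetime in the kernel.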