Re: x86: map kernel DATA+BSS with NX/XD bit

To: tech-kern%netbsd.org@localhost
Subject: Re: x86: map kernel DATA+BSS with NX/XD bit
From: Maxime Villard <max%m00nbsd.net@localhost>
Date: Sat, 5 Dec 2015 17:11:39 +0100

This actually requires more investigation. I'll see later; perhaps I'll
just protect DATA.

Le 28/11/2015 19:54, Maxime Villard a écrit :

Hi,
here is a (draft) patch to map the kernel DATA and BSS segments with
the NX/XD bit in the PTEs on i386+amd64.

A nice PoC: patch your (amd64) kernel with the shellcode below, and
launch this:

	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>
	int main() {
		sched_getparam(0, 0x01);
	}

	gcc -m32 -o test test.c
	./test

You get a message from the kernel. Code got executed from the static
buffer (which just returns 5). Then, patch your kernel with the pmap
diff, reboot and relaunch the program: the kernel panics.

Finding information on this part of the kernel is not quite easy; I did
test this patch on amd64, but not i386 - my i386 CPU does not support
XD.

Do you have any suggestions? Is there something obviously wrong?

Thanks,
Maxime

References:
- x86: map kernel DATA+BSS with NX/XD bit
  - From: Maxime Villard

Prev by Date: Re: Potential problem with reading data from usb devices with ugen(4)
Next by Date: Re: Potential problem with reading data from usb devices with ugen(4)
Previous by Thread: Re: x86: map kernel DATA+BSS with NX/XD bit
Next by Thread: Kernel free() and NULL-safety
Indexes:

Home | Main Index | Thread Index | Old Index