This actually requires more investigation. I'll see later; perhaps I'll
just protect DATA.

On 28/11/2015 19:54, Maxime Villard wrote:
Hi,
here is a (draft) patch to map the kernel DATA and BSS segments with
the NX/XD bit in the PTEs on i386+amd64.

A nice PoC: patch your (amd64) kernel with the shellcode below, and
launch this:

        #include <sched.h>      /* sched_getparam() prototype */
        #include <stdio.h>
        #include <stdlib.h>
        #include <unistd.h>

        int main(void) {
                /* Bogus pointer argument: in the shellcode-patched kernel
                 * this path runs code from the static buffer. */
                sched_getparam(0, (struct sched_param *)0x01);
                return 0;
        }

        gcc -m32 -o test test.c
        ./test

You get a message from the kernel. Code got executed from the static
buffer (which just returns 5). Then, patch your kernel with the pmap
diff, reboot and relaunch the program: the kernel panics.

Finding information on this part of the kernel is not quite easy; I did
test this patch on amd64, but not i386 - my i386 CPU does not support
XD.

Do you have any suggestions? Is there something obviously wrong?

Thanks,
Maxime
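As an added example (not code from the thread or from the NetBSD patch), here is a user-space analogue of what the pmap change enforces for the kernel DATA/BSS segments: a constructed 6-byte routine that returns 5, like the PoC's static buffer, is called once from a page mapped read/write, where the NX bit makes the CPU fault (the user-space counterpart of the panic), and once after mprotect() makes the same page read/execute. It assumes amd64 Linux with glibc.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;

/* SIGSEGV handler: unwind to the call site instead of dying. */
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Call the code at `page`; returns 5 if it ran, -1 if the CPU faulted on it. */
static int run_from_page(void *page)
{
    struct sigaction sa, old;
    int result = -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);  /* object -> function pointer without a cast */
        result = fn();                  /* faults when the page is not executable */
    }
    sigaction(SIGSEGV, &old, NULL);
    return result;
}

/* Constructed amd64 routine "mov eax, 5 ; ret": mirrors the PoC's buffer returning 5. */
static const unsigned char code[] = { 0xb8, 0x05, 0x00, 0x00, 0x00, 0xc3 };

/* Run the routine from a RW page (NX set, expect -1) and from the same page after
 * mprotect() to RX (expect 5). Returns 1 when both outcomes match, 0 otherwise. */
int nx_demo(int *rw_result, int *rx_result)
{
    long ps = sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, ps, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return 0;
    memcpy(page, code, sizeof code);
    *rw_result = run_from_page(page);
    if (mprotect(page, ps, PROT_READ | PROT_EXEC) != 0) { munmap(page, ps); return 0; }
    *rx_result = run_from_page(page);
    munmap(page, ps);
    return *rw_result == -1 && *rx_result == 5;
}

int main(void) { int rw, rx; int ok = nx_demo(&rw, &rx); printf("RW: %d  RX: %d  ok=%d\n", rw, rx, ok); return !ok; }
```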

