Tuesday, September 29, 2009

When const really means const

Who cares about const? Its never enforced anyways!?

Except in Linux kernels built with gcc 4.x (maybe even
before?). If you declare a pointer member const
(the thing it points to, not the pointer itself), like
proto_ops in the socket struct, the pointee will be placed in a
RO location which means you cant redirect socket operation
functions like recvmsg(). You have to make the right PTE
writable in order to redirect the functions.
Rootk^H^H^H^H^HCertain debugging LKMs like my unixdump
require to redirect some functions in order to record
whats sent across sockets. unixdump works like tcpdump
for inet sockets. The version which is available now was
written in 2006 for the 2.6.16 kernel and doesnt work with
recent/current ones (and its dirty and hackish anyways).
Thats why I ported it within the last days to current kernels.
It will be uploaded soon.
The way you can modify const members changed in current kernels;
in fact is is easier than before b/c a new function lookup_address()
is exported and you do not need to walk the PGD down.


Anonymous said...

wut wut

it has everything to do with CONFIG_DEBUG_RODATA being on or off

just use WP toggling like you should have been doing years ago

Anonymous said...

I thought you germans couldn't publish attack code!

Anonymous said...

You can't enable CONFIG_WHATEVER on
already running kernels.You have to
work with what you got, therefore needing
to make certain pages writable.

And sure; we can publish attack code :)