Re: binary patching kernels (ip_frag bug)

David Wragg (davew@gatsby.u-net.com)
21 Apr 1998 21:39:14 +0000


"C. Scott Ananian" <cananian@lcs.mit.edu> writes:
> With regards to the 'load a binary module and fix the ip_frag bug'
> thread:
> What you really want to do is get a function pointer to ip_glue()
> (relying on modprobe to resolve the address) and poke the bytes beginning
> at ((char *)ip_glue) with a JMP to ip_glue_new, your replacement. (The
> return in ip_glue_new will then effect the return of ip_glue.)

But ip_glue is only used in one place, so why not just overwrite the
pointer to ip_glue with a pointer to ip_glue_new?

>
> This doesn't work if ip_glue isn't exported to module-land, of course, but
> if symbols aren't exported we could have a whole heap of problems.

ip_glue is static, so it isn't exported. But it appears in System.map
so I don't see what the problem is - just give its address as an
argument to the module, and the address of the function that calls
it. The module then just has to search through the code until it finds
a call instruction with the appropriate operand.

As for the references in the ip_glue_new that is compiled, these can
also be looked up in System.map and resolved with a little ld magic.

As long as you have the System.map, it's all well within the bounds of
possibility.

--
Dave Wragg
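The call-site search described above, as an added example that is not code from this thread or from the kernel: scan a region of i386 code for a `CALL rel32` (opcode E8) whose target is the System.map address of ip_glue, then rewrite the rel32 operand so the same call reaches the replacement. The code buffer and all addresses (CODE_BASE, IP_GLUE_ADDR, OTHER_FN_ADDR, IP_GLUE_NEW_ADDR) are constructed for the example; the same scan, run without the rewrite step, also lets an integrity check confirm that a call site still points where System.map says it should.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed addresses: where the caller's code lives, where System.map
 * says the static ip_glue is, an unrelated callee, and the replacement
 * (hypothetical values, not taken from any real kernel). */
#define CODE_BASE        0xC0100000u
#define IP_GLUE_ADDR     0xC0120000u
#define OTHER_FN_ADDR    0xC0130000u
#define IP_GLUE_NEW_ADDR 0xC8000000u

/* Constructed i386 code standing in for the one function that calls ip_glue:
 *   push ebp; mov ebp,esp; call OTHER_FN; call ip_glue; pop ebp; ret
 * Each rel32 is relative to the address of the *next* instruction. */
static uint8_t caller_code[] = {
    0x55, 0x89, 0xE5,             /* push ebp; mov ebp, esp          */
    0xE8, 0xF8, 0xFF, 0x02, 0x00, /* call OTHER_FN_ADDR (at +3)      */
    0xE8, 0xF3, 0xFF, 0x01, 0x00, /* call IP_GLUE_ADDR  (at +8)      */
    0x5D, 0xC3                    /* pop ebp; ret                    */
};

/* Little-endian rel32 accessors, written out so the example does not
 * depend on the host's byte order. */
static int32_t read_rel32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

static void write_rel32(uint8_t *p, int32_t v)
{
    uint32_t u = (uint32_t)v;
    p[0] = u & 0xFF; p[1] = (u >> 8) & 0xFF;
    p[2] = (u >> 16) & 0xFF; p[3] = (u >> 24) & 0xFF;
}

/* Target of the CALL rel32 whose opcode byte sits at address insn_addr. */
static uint32_t call_target(uint32_t insn_addr, const uint8_t *insn)
{
    return insn_addr + 5 + (uint32_t)read_rel32(insn + 1);
}

/* Scan len bytes of code loaded at base for an E8 call that reaches target.
 * Returns the call's offset, or -1 if there is none. A byte scan can match
 * an E8 that is really an operand of another instruction, so a real tool
 * should confirm the hit against a disassembly or a known layout. */
static long find_call_to(const uint8_t *code, size_t len,
                         uint32_t base, uint32_t target)
{
    for (size_t off = 0; off + 5 <= len; off++) {
        if (code[off] == 0xE8 &&
            call_target(base + (uint32_t)off, code + off) == target)
            return (long)off;
    }
    return -1;
}

/* Point the call at offset off to new_target by recomputing its rel32. */
static void retarget_call(uint8_t *code, size_t off,
                          uint32_t base, uint32_t new_target)
{
    int32_t rel = (int32_t)(new_target - (base + (uint32_t)off + 5));
    write_rel32(code + off + 1, rel);
}

/* Run the whole procedure on a private copy of the constructed code and
 * return the address the patched call now reaches (0 if no call was found). */
static uint32_t patch_demo(void)
{
    uint8_t code[sizeof caller_code];
    memcpy(code, caller_code, sizeof code);

    long off = find_call_to(code, sizeof code, CODE_BASE, IP_GLUE_ADDR);
    if (off < 0)
        return 0;
    retarget_call(code, (size_t)off, CODE_BASE, IP_GLUE_NEW_ADDR);
    return call_target(CODE_BASE + (uint32_t)off, code + off);
}

int main(void)
{
    long off = find_call_to(caller_code, sizeof caller_code,
                            CODE_BASE, IP_GLUE_ADDR);
    printf("call to ip_glue found at offset %ld\n", off);
    printf("patched call now reaches 0x%08X\n", patch_demo());
    return 0;
}
```

The scan deliberately matches on the decoded target rather than on raw operand bytes, because the same callee produces a different rel32 at every call site; that is also why a patch tool must recompute the operand for the new target instead of copying bytes from elsewhere.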
