On Thu, 7 Oct 2004 14:52:21 +0200 (CEST), Jirka Kosina <jikos@xxxxxxxx> wrote:
> On Tue, 5 Oct 2004, Jon Masters wrote:
>
> > Personally I think it would be nice to be able to modify it more easily
> > but that would require some redesign to add the various protections
> > necessary. For example when the next exploit comes out which affects the
> > vm syscalls I'd prefer a loadable module fix. (this is speaking as an
> > occasional admin with production boxes kicking around that we rely upon
> > not needed to be rebooted every 5 minutes - i.e. most so called "real
> > world" users).
>
> In these "unusual" cases, it is still usually possible to find a way how
> to code quick-and-dirty hotfix LKM, preventing the exploitation of the
> bug.

I didn't argue that.

> First thing is, that even without sys_call_table[] being exported to
> modules, it is still possible to find the address where it resides, using
> some heuristics (like finding adjacent exported modules, and look for
> sys_call_table[] signature between these addresses, or even better, get it
> from known offset).

I implied that somewhere but I was probably likely to be on about using
objdump to work out the offset in the currently running kernel - or
something much much more horrible.

> Second thing is, that usually it is possible to hotfix
> those bugs even without messing with sys_call_table[]

Sure. I wasn't trying to cover all the bases, just enough to convince
people that it's not a good idea to twiddle bits of sys_call_table but
it's possible in a real emergency[0].

Cheers,

Jon.

[0] Try ever doing that on a Windows 2000-and-shite+ server.

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
FAQ: http://kernelnewbies.org/faq/