svn commit: r243914 - projects/bpfjit
Jung-uk Kim
jkim at FreeBSD.org
Thu Dec 6 20:31:58 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 2012-12-06 14:53:15 -0500, Eitan Adler wrote:
> On 6 December 2012 13:10, Jung-uk Kim <jkim at freebsd.org> wrote:
>> , i.e., all you need is read permission to inject code to kernel
>> space.
>
> Could you explain what you mean here?
% ls -l /dev/bpf
crw-r----- 1 root wheel 0x8 12 5 17:08 /dev/bpf
% id -Gn
staff wheel
Note I only have read access to /dev/bpf.
% ktrace tcpdump -i re0 -n -c 1 host xxx.xxx.xxx.xxx > /dev/null
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
1 packet captured
11 packets received by filter
0 packets dropped by kernel
% kdump | grep ioctl
...
6615 tcpdump CALL ioctl(0x3,BIOCSETF,0x7fffffffd148)
6615 tcpdump RET ioctl 0
...
6615 tcpdump CALL ioctl(0x3,BIOCSETF,0x7fffffffd2b0)
6615 tcpdump RET ioctl 0
...
The first one sets the default read filter. The second one sets my
read filter. If we implement another command to upload the native
machine code, it will be very much like this. Of course, we can only
allow it for root but it will not be very useful.
Jung-uk Kim
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (FreeBSD)
iQEcBAEBAgAGBQJQwQB+AAoJECXpabHZMqHOYfsH/RYDEjdLGo9PkkrouFnWAymj
Yi3FwUixkLVGfa2l59MVWcoMX/+gb44HXYLbMREaljdNQ32LY2P6/Pl3tsVKBVex
HHqIT9zbq4wCP1U5dIEbH1ra5ff+0eDOG3jPFWgG6b8fX4b9ey7uS606GaeFSkpm
py7jO2BsSHe32bImGJvA6QhVYmea0H15yNxn358ZVqMJvHUDN3yxSvRgHOU9jUFW
KhIsRj9/VpspSzvPL2AGCKd50N3u4/gi1O1w07OgIUMbXGWIvxSwahYL1Dra3qD5
1hRNbZGgq5g1+SoDrZzs2JrjwF7X32zo1L0GW40BXGJhdQTu/iMlZEEn4eiS9K4=
=dO58
-----END PGP SIGNATURE-----
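The path the mail describes (a filter program handed to the kernel through BIOCSETF on a descriptor opened read-only), as an added example; this is not code from the mail or from the bpfjit project. It assumes a test address 192.0.2.10 and an interface name given on the command line, and the sample frames are constructed, not captured. The filter is the classic BPF equivalent of tcpdump's "ip host 192.0.2.10"; before it is uploaded it is put through a small user-space validator (the kind of check the kernel applies to a filter program and cannot apply to uploaded native code) and a subset interpreter, so the example builds and runs on a non-BSD host too, where the /dev/bpf part is compiled out.

```c
#include <stdio.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <unistd.h>
#include <net/if.h>
#include <net/bpf.h>
#define HAVE_BIOCSETF 1
#else
/* No /dev/bpf here (e.g. Linux): mirror <net/bpf.h> so the program still builds and runs in user space. */
struct bpf_insn { unsigned short code; unsigned char jt, jf; unsigned int k; };
#define BPF_STMT(code, k)         { (unsigned short)(code), 0, 0, k }
#define BPF_JUMP(code, k, jt, jf) { (unsigned short)(code), jt, jf, k }
#define BPF_CLASS(c) ((c) & 0x07)
enum { BPF_LD = 0x00, BPF_JMP = 0x05, BPF_RET = 0x06, BPF_W = 0x00, BPF_H = 0x08,
       BPF_ABS = 0x20, BPF_JEQ = 0x10, BPF_K = 0x00, BPF_MAXINSNS = 512 };
#endif
#define HOST 0xC000020AU /* 192.0.2.10: an assumed test address, not one from the mail */

/* Equivalent of tcpdump's "ip host 192.0.2.10": IPv4 ethertype, then src (offset 26)
 * or dst (offset 30) must equal HOST. Jump offsets count from the next instruction. */
struct bpf_insn host_filter[] = {
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 12),            /* 0: A = ethertype    */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 5), /* 1: not IPv4 -> 7    */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, 26),            /* 2: A = ip src       */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, HOST, 2, 0),   /* 3: src == HOST -> 6 */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, 30),            /* 4: A = ip dst       */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, HOST, 0, 1),   /* 5: dst == HOST -> 6 */
    BPF_STMT(BPF_RET | BPF_K, 65535),                  /* 6: accept           */
    BPF_STMT(BPF_RET | BPF_K, 0),                      /* 7: reject           */
};
const unsigned int host_filter_len = sizeof host_filter / sizeof host_filter[0];

/* Constructed frames (not captured traffic): Ethernet header + 20-byte IPv4 header. */
#define ETH(hi, lo) 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, hi, lo
#define IP4         0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, 0x40,0x01,0x00,0x00
static const unsigned char ip_from_host[] = { ETH(0x08,0x00), IP4, 192,0,2,10,   198,51,100,5 };
static const unsigned char ip_to_host[]   = { ETH(0x08,0x00), IP4, 198,51,100,5, 192,0,2,10 };
static const unsigned char ip_other[]     = { ETH(0x08,0x00), IP4, 203,0,113,7,  198,51,100,5 };
static const unsigned char arp_frame[]    = { ETH(0x08,0x06), 0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x01 };

/* The core of what the kernel checks before accepting a program via BIOCSETF (every jump
 * lands inside the program, last instruction is a RET); uploaded native code allows no such check. */
int bpf_check(const struct bpf_insn *prog, unsigned int len) {
    if (len == 0 || len > BPF_MAXINSNS) return 0;
    for (unsigned int i = 0; i < len; i++) {
        unsigned int room = len - i - 1;                   /* instructions after i */
        if (BPF_CLASS(prog[i].code) == BPF_JMP && (prog[i].jt >= room || prog[i].jf >= room)) return 0;
    }
    return BPF_CLASS(prog[len - 1].code) == BPF_RET;
}

/* Interpreter for the subset of classic BPF used above: returns the accept length, or 0 on
 * reject, on an unknown opcode, or when a load would read past the end of the packet. */
unsigned int bpf_run(const struct bpf_insn *prog, unsigned int len,
                     const unsigned char *p, unsigned int plen) {
    unsigned int pc = 0, A = 0;
    while (pc < len) {
        const struct bpf_insn *in = &prog[pc++];
        unsigned int k = in->k, n;
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
        case BPF_LD | BPF_H | BPF_ABS:
            n = (in->code & BPF_H) ? 2 : 4;                /* big-endian load of n bytes */
            if (plen < n || k > plen - n) return 0;
            for (A = 0; n--; k++) A = A << 8 | p[k];
            break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (A == k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K:           return k;
        default:                        return 0;
        }
    }
    return 0;
}

#ifdef HAVE_BIOCSETF
/* Upload the program the way libpcap does. /dev/bpf is opened O_RDONLY: read permission is
 * all BIOCSETF requires, which is the point of the mail. Returns the descriptor, or -1. */
int install_filter(const char *ifname, struct bpf_insn *prog, unsigned int len) {
    struct ifreq ifr = { 0 }; struct bpf_program bp = { len, prog };
    int fd = open("/dev/bpf", O_RDONLY);
    if (fd < 0) { perror("open /dev/bpf"); return -1; }
    snprintf(ifr.ifr_name, sizeof ifr.ifr_name, "%s", ifname);
    if (ioctl(fd, BIOCSETIF, &ifr) < 0 || ioctl(fd, BIOCSETF, &bp) < 0) {
        perror("ioctl"); close(fd); return -1;
    }
    return fd;
}
#endif

int main(int argc, char **argv) {
    (void)argc; (void)argv;                 /* only used on FreeBSD: ./bpfhost re0 */
    printf("from host %u, arp %u, truncated %u\n",
           bpf_run(host_filter, host_filter_len, ip_from_host, sizeof ip_from_host),
           bpf_run(host_filter, host_filter_len, arp_frame, sizeof arp_frame),
           bpf_run(host_filter, host_filter_len, ip_from_host, 20));
#ifdef HAVE_BIOCSETF
    if (argc > 1 && (!bpf_check(host_filter, host_filter_len) ||
                     install_filter(argv[1], host_filter, host_filter_len) < 0)) return 1;
#endif
    return 0;
}
```

On FreeBSD, build with `cc -o bpfhost bpfhost.c` and run `./bpfhost re0` as a member of wheel (read access only, as in the `ls -l /dev/bpf` output above); running it under `ktrace` and grepping `kdump` for ioctl shows the same BIOCSETIF/BIOCSETF pair the mail shows for tcpdump. The truncated-frame case matters for a JIT: a load past the end of the packet must yield a reject rather than a read out of bounds, and that is a property a validator can enforce for a filter program but not for machine code handed in as bytes.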