[wplug] OpenAFS: sys_call_table
jo2y at midnightlinux.com
Tue Dec 7 20:19:33 EST 2004
On Mon, 6 Dec 2004, Brandon Kuczenski wrote:
> The circumstances are like this: The openafs module (openafs.o) needs to
> be compiled specially for custom kernels, except when doing so I get the
> error message, "no available sys_call_table method". I looked into this
> quite a bit for my last install (Redhat 9, with Linux 2.4.22) and now
> (Debian 3, Linux 2.6.8) I have the same problem, which I was hoping would
> have gone away with the 2.6 kernel. It hasn't.

I've seen that sys_call_table error every once in a while. I'm not 100%
sure what the fix is, but I do think it has to do with the kernel source
tree being in a state different from what the openafs module expects. I
would try doing a make oldconfig in the top-level of your kernel tree and
try to compile the module again.

As I understand it from talking with some openafs developers months ago,
the situation is worse in the 2.6 kernel, and any issues you might be
seeing with 2.4 are backports of 2.6 changes. Or something similar.

NFS would have a similar problem except that the kernel people in charge
use NFS so they made a way for it to work. When the openafs people said
they needed something similar they were told to wait while the interface
was rethought and to wait for 2.8. Until then, the openafs'ers were going
to resort to other methods of guessing where the symbol table exists in
memory.

As for that kernel patch, alone it's probably okay, but it opens (maybe
just reopens) a way for random kernel modules to poke at the
sys_call_table. If said module were malicious, it could make arbitrary
changes to system calls. Off the top of my head, an example that could be
done is changing a sys_stat call to be sys_unlink. This would have the
effect of turning ls -l into rm -f.

Now this isn't a concern if a malicious module cannot be loaded, which
means that root-capable accounts need to be protected. (Which should be
the standard procedure anyway.)

And I'm probably missing some details.
-james
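
Added example, not part of the original post and not OpenAFS or kernel code: a user-space model of the point made above about a writable call table, showing that a slot number runs whatever handler is stored in it and that comparing the table against a saved baseline detects the stat-to-unlink swap. The three-entry table and every name in it are hypothetical stand-ins for sys_call_table.

```c
#include <stdio.h>
#include <string.h>

/* User-space model only: a three-entry dispatch table standing in for
   sys_call_table. All names here are hypothetical. */
enum { NR_STAT, NR_UNLINK, NR_GETPID, NR_MAX };

typedef const char *(*handler_t)(const char *path);

/* Handlers only report which operation would have run; nothing is touched. */
static const char *do_stat(const char *path)   { (void)path; return "stat"; }
static const char *do_unlink(const char *path) { (void)path; return "unlink"; }
static const char *do_getpid(const char *path) { (void)path; return "getpid"; }

static handler_t table[NR_MAX] = { do_stat, do_unlink, do_getpid };
static handler_t baseline[NR_MAX];

/* Record the known-good table contents before anything else can write to it. */
void snapshot_baseline(void) { memcpy(baseline, table, sizeof table); }

/* What callers see: the number picks the slot, whatever is in it runs. */
const char *dispatch(int nr, const char *path) { return table[nr](path); }

/* The swap described in the post: the stat slot now points at unlink. */
void simulate_tamper(void) { table[NR_STAT] = table[NR_UNLINK]; }

/* Integrity check: returns a bitmask of slots that differ from the baseline. */
unsigned check_table(void) {
    unsigned changed = 0;
    for (int i = 0; i < NR_MAX; i++)
        if (table[i] != baseline[i])
            changed |= 1u << i;
    return changed;
}

/* Put the known-good handlers back. */
void restore_table(void) { memcpy(table, baseline, sizeof table); }

int main(void) {
    snapshot_baseline();
    printf("before: nr %d -> %s, changed=0x%x\n", NR_STAT, dispatch(NR_STAT, "f"), check_table());
    simulate_tamper();
    printf("after:  nr %d -> %s, changed=0x%x\n", NR_STAT, dispatch(NR_STAT, "f"), check_table());
    restore_table();
    return 0;
}
```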