2.4.18/2.5.24 kernel/module.c - minor bugs

Post by Peter Oberparleite » Tue, 09 Jul 2002 17:40:07



Hi,

this patch fixes two minor bugs in kernel/module.c in current linux
kernel versions (2.4.18/2.5.24) which could cause problems in some
rare situations:

1. A size-check in sys_create_module is off by one. The check reads

        if (size < sizeof(struct module)+namelen) {
                error = -EINVAL;
                goto err1;
        }

while a subsequent write to a "size"-long buffer expects one more
byte ("mod" being the buffer pointer of type struct module*):

        memcpy((char*)(mod+1), name, namelen+1);

2. In case "struct module" used by insmod is larger than the one used
by the kernel (e.g. newer version), module loading will fail.

This is because sys_create_module initializes the module buffer with

                      0:  struct module
  sizeof(struct module):  char[] module_name

while sys_init_module copies the insmod-provided "struct module" data into
this buffer, overwriting the adjacent module name with the extra "struct
module" fields. As a result, the following sanity check will fail

        if (namelen != n_namelen || strcmp(n_name, mod_tmp.name) != 0) {
                printk(KERN_ERR "init_module: changed module name to "
                                "`%s' from `%s'\n",
                       n_name, mod_tmp.name);
                goto err3;
        }

because mod_tmp.name points to the overwritten module name.

This can be easily fixed using the already existing copy of the module name
in "name_tmp".

Following is the patch implementing these two fixes (diff against 2.4.17,
works for 2.4.18, 2.5.24):

========================================
--- linux-2.4.17/kernel/module.c        Sun Nov 11 20:23:14 2001

                error = namelen;
                goto err0;
        }
-       if (size < sizeof(struct module)+namelen) {
+       if (size < sizeof(struct module)+namelen+1) {
                error = -EINVAL;
                goto err1;
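
Review bot: the new `+1` in the size check is there for the terminating NUL that `memcpy((char*)(mod+1), name, namelen+1)` writes, but the hunk leaves that implicit. A one-line comment on the check saying it must cover the header plus the name and its NUL would tie the check to the copy and make it harder for the two to drift apart again.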

                error = n_namelen;
                goto err2;
        }
-       if (namelen != n_namelen || strcmp(n_name, mod_tmp.name) != 0) {
+       if (namelen != n_namelen || strcmp(n_name, name_tmp) != 0) {
                printk(KERN_ERR "init_module: changed module name to "
                                "`%s' from `%s'\n",
-                      n_name, mod_tmp.name);
+                      n_name, name_tmp);
                goto err3;
        }
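
Review bot: in the changed `strcmp(n_name, name_tmp)` line the fix depends on `name_tmp` being a separate copy taken before the user-supplied struct is copied over the buffer, and the hunk does not show where `name_tmp` is filled in. Saying so in the description or in a comment above the check would keep anyone from later switching the comparison back to `mod_tmp.name`. Updating the printk argument to match is right.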

========================================

Regards,
  Peter Oberparleiter
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in

More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
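
The two problems described in the post above, reproduced in user space as an added example (not code from the original post or from the kernel). `struct kmod`, `struct umod`, the function names and the sample module name are hypothetical stand-ins; only the size relationship between the two structs matters.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins: the kernel's header and a larger one from a
 * newer insmod. Only the size difference matters for this sketch. */
struct kmod { unsigned long size_of_struct; const char *name; };
struct umod { unsigned long size_of_struct; const char *name; unsigned long extra[2]; };

/* Bug 1: the size check before and after the patch (1 = accepted). */
int old_check_ok(size_t size, size_t namelen) { return size >= sizeof(struct kmod) + namelen; }
int new_check_ok(size_t size, size_t namelen) { return size >= sizeof(struct kmod) + namelen + 1; }

/* Bytes that copying namelen+1 bytes (name plus NUL) to offset
 * sizeof(struct kmod) would write past the end of a size-byte buffer. */
size_t bytes_past_end(size_t size, size_t namelen)
{
    size_t end = sizeof(struct kmod) + namelen + 1;
    return end > size ? end - size : 0;
}

/* Bug 2: returns 1 if the name comparison succeeds, 0 if it fails,
 * -1 if the name does not fit this sketch's fixed buffers. */
int name_check_passes(const char *name, int use_saved_copy)
{
    unsigned char buf[128] = {0};               /* the module buffer */
    char *in_buffer = (char *)buf + sizeof(struct kmod);
    char name_tmp[64];
    struct umod from_user;
    size_t namelen = strlen(name);

    if (namelen >= sizeof name_tmp)
        return -1;
    memcpy(in_buffer, name, namelen + 1);       /* create: name follows header */
    memcpy(name_tmp, name, namelen + 1);        /* separate saved copy */
    memset(&from_user, 0xAA, sizeof from_user); /* constructed user data */
    memcpy(buf, &from_user, sizeof from_user);  /* init: larger struct copied in */
    return strcmp(name, use_saved_copy ? name_tmp : in_buffer) == 0;
}

int main(void)
{
    size_t namelen = strlen("example_mod"), size = sizeof(struct kmod) + namelen;
    printf("old check: %d, new check: %d, overrun: %zu byte(s)\n",
           old_check_ok(size, namelen), new_check_ok(size, namelen),
           bytes_past_end(size, namelen));
    printf("compare in-buffer name: %d, saved copy: %d\n",
           name_check_passes("example_mod", 0), name_check_passes("example_mod", 1));
    return 0;
}
```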

 
 
 

Post by Keith Owen » Tue, 09 Jul 2002 20:10:06


On Mon, 8 Jul 2002 10:27:50 +0200,


>this patch fixes two minor bugs in kernel/module.c in current linux
>kernel versions (2.4.18/2.5.24) which could cause problems in some
>rare situations:
>1. A size-check in sys_create_module is off by one. The check reads
>2. In case "struct module" used by insmod is larger than the one used
>by the kernel (e.g. newer version), module loading will fail.

Looks good.  Linus/Marcelo, please apply.

========================================
--- linux-2.4.17/kernel/module.c        Sun Nov 11 20:23:14 2001

                error = namelen;
                goto err0;
        }
-       if (size < sizeof(struct module)+namelen) {
+       if (size < sizeof(struct module)+namelen+1) {
                error = -EINVAL;
                goto err1;

                error = n_namelen;
                goto err2;
        }
-       if (namelen != n_namelen || strcmp(n_name, mod_tmp.name) != 0) {
+       if (namelen != n_namelen || strcmp(n_name, name_tmp) != 0) {
                printk(KERN_ERR "init_module: changed module name to "
                                "`%s' from `%s'\n",
-                      n_name, mod_tmp.name);
+                      n_name, name_tmp);
                goto err3;
        }

========================================

>Regards,
>  Peter Oberparleiter
