[patch] 2.4.18/2.5.24 kernel/module.c - minor bugs

From: Peter Oberparleiter (oberpapr@softhome.net)
Date: Mon Jul 08 2002 - 03:27:50 EST


Hi,

this patch fixes two minor bugs in kernel/module.c in current linux
kernel versions (2.4.18/2.5.24) which could cause problems in some
rare situations:

1. A size-check in sys_create_module is off by one. The check reads

        if (size < sizeof(struct module)+namelen) {
                error = -EINVAL;
                goto err1;
        }

while a subsequent write to a "size"-long buffer expects one more
byte ("mod" being the buffer pointer of type struct module*):

        memcpy((char*)(mod+1), name, namelen+1);

2. In case the "struct module" used by insmod is larger than the one used
by the kernel (e.g. a newer version), module loading will fail.

This is because sys_create_module initializes the module buffer with

                      0: struct module
  sizeof(struct module): char[] module_name

while sys_init_module copies the insmod-provided "struct module" data into
this buffer, overwriting the adjacent module name with the extra "struct
module" fields. As a result, the following sanity check will fail

        if (namelen != n_namelen || strcmp(n_name, mod_tmp.name) != 0) {
                printk(KERN_ERR "init_module: changed module name to "
                                "`%s' from `%s'\n",
                       n_name, mod_tmp.name);
                goto err3;
        }

because mod_tmp.name points to the overwritten module name.

This can be easily fixed using the already existing copy of the module name
in "name_tmp".

Following is the patch implementing these two fixes (diff against 2.4.17,
works for 2.4.18, 2.5.24):

========================================
--- linux-2.4.17/kernel/module.c Sun Nov 11 20:23:14 2001
+++ linux-2.4.17-modfix/kernel/module.c Mon Jul 8 09:50:57 2002
@@ -303,7 +303,7 @@
                 error = namelen;
                 goto err0;
         }
- if (size < sizeof(struct module)+namelen) {
+ if (size < sizeof(struct module)+namelen+1) {
                 error = -EINVAL;
                 goto err1;
         }
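Review bot: the new bound `size < sizeof(struct module)+namelen+1` now matches the `memcpy((char*)(mod+1), name, namelen+1)` that follows it, so the terminating NUL no longer lands one byte past the caller-supplied size; a one-line comment beside the check saying the `+1` is for the NUL would keep a later reader from "simplifying" it back to the old form.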
@@ -482,10 +482,10 @@
                 error = n_namelen;
                 goto err2;
         }
- if (namelen != n_namelen || strcmp(n_name, mod_tmp.name) != 0) {
+ if (namelen != n_namelen || strcmp(n_name, name_tmp) != 0) {
                 printk(KERN_ERR "init_module: changed module name to "
                                 "`%s' from `%s'\n",
- n_name, mod_tmp.name);
+ n_name, name_tmp);
                 goto err3;
         }
 
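Review bot: comparing against `name_tmp` and printing it in the error path makes the check independent of the name bytes at `mod+1`, which the copy of a larger user-side `struct module` in sys_init_module can overwrite, but those bytes are still clobbered after this change; it would be worth confirming that nothing later in the load path reads the name through `mod_tmp.name` or `mod->name` instead of `name_tmp`, otherwise the same corruption just resurfaces past this check.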
========================================

Regards,
  Peter Oberparleiter
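As an added illustration, not part of this mail or of the kernel tree, here is a small C model of the two situations described above with constructed stand-in structs: the old bound accepts a buffer one byte short of the namelen+1 memcpy, and a larger user-side struct copied over the kernel one lands on the name bytes, so only the saved copy still compares equal. The struct names, their field layout and the 0xAA fill are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins, not the kernel's real definitions: the kernel's
 * struct module, and a newer insmod's version that grew two extra fields. */
struct kmod { unsigned long size; const char *name; unsigned long flags; };
struct umod { unsigned long size; const char *name; unsigned long flags;
              unsigned long extra[2]; };

/* sys_create_module's bound check, before (patched=0) and after (patched=1)
 * the fix. Returns 1 if the request is accepted. The memcpy that follows
 * the check writes namelen + 1 bytes (name plus NUL). */
int create_check(unsigned long size, size_t namelen, int patched)
{
    unsigned long need = sizeof(struct kmod) + namelen + (patched ? 1 : 0);
    return size >= need;
}

/* 1 if the check accepts a size that the namelen + 1 memcpy overruns. */
int accepted_but_overruns(unsigned long size, size_t namelen, int patched)
{
    return create_check(size, namelen, patched) &&
           size < sizeof(struct kmod) + namelen + 1;
}

/* Emulate create + init with a larger user struct. Returns 1 when the old
 * comparison (against the name stored after the struct) fails while the
 * patched comparison (against the saved copy name_tmp) still succeeds. */
int name_clobbered(const char *name)
{
    size_t namelen = strlen(name);
    char name_tmp[64];                         /* the kernel's own copy   */
    if (namelen >= sizeof name_tmp) return -1;
    strcpy(name_tmp, name);
    unsigned long size = sizeof(struct umod) + namelen + 1; /* insmod's size */
    char *buf = calloc(1, size);
    struct kmod *mod = (struct kmod *)buf;
    memcpy((char *)(mod + 1), name, namelen + 1);  /* name right after kmod */
    mod->name = (const char *)(mod + 1);

    struct umod mod_tmp;                       /* insmod-provided struct  */
    memset(&mod_tmp, 0xAA, sizeof mod_tmp);    /* extra fields are nonzero */
    mod_tmp.size = size; mod_tmp.name = mod->name;
    memcpy(buf, &mod_tmp, sizeof mod_tmp);     /* extra[] lands on the name */

    int old_fails = strcmp(name, mod->name) != 0;
    int new_ok    = strcmp(name, name_tmp) == 0;
    free(buf);
    return old_fails && new_ok;
}
```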
This archive was generated by hypermail 2b29 : Mon Jul 15 2002 - 22:00:12 EST