Re: Modprobe local root exploit

From: H. Peter Anvin (hpa@transmeta.com)
Date: Thu Nov 16 2000 - 01:16:39 EST


Keith Owens wrote:
>
> On 15 Nov 2000 22:04:47 -0800,
> "H. Peter Anvin" <hpa@zytor.com> wrote:
> >No, it's correct, actually, but probably not what you want. It will
> >include all letters [A-Za-z], but if a module named "ärlig"...
>
> Trying to sanitise the module name in request_module is the wrong fix
> anyway, the kernel can ask for any module name it likes. What it must
> not do is treat user supplied input _unchanged_ as a module name.
>
> modutils 2.3.20 (just released) fixes all the known local root
> exploits, without kernel changes. However 2.3.20 does nothing about
> this problem: "ping6 -I module_name" which lets any user load any
> module. That problem exists because the kernel passes user supplied
> data unchanged to request_module. The only fix is to add a prefix to
> user supplied input (say 'user-interface-') before passing the text to
> request_module. This has to be fixed in the higher layers of the
> kernel, it cannot be fixed in request_module or modprobe.
>

Sure, but if you have to change the kernel anyway you ought to pass the
"--" option so modprobe knows that regardless what the string is, it's a
module name and not an option.

        -hpa

-- 
<hpa@transmeta.com> at work, <hpa@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Thu Nov 23 2000 - 21:00:09 EST