Re: [PATCH] kmod: verify module name before invoking modprobe

From: Song Chen
Date: Tue Nov 12 2024 - 21:26:44 EST

Next message: Stefan Berger: "Re: [PATCH v2] ima: Suspend PCR extends and log appends when rebooting"
Previous message: Yuvaraj Ranganathan: "[PATCH V3 1/2] dt-bindings: crypto: qcom,prng: document QCS8300"
In reply to: Petr Pavlu: "Re: [PATCH] kmod: verify module name before invoking modprobe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Petr,

Please see my inline comments, many thanks.

BR

Song

在 2024/11/12 20:56, Petr Pavlu 写道:

On 11/10/24 12:42, Song Chen wrote:

Sometimes when kernel calls request_module to load a module
into kernel space, it doesn't pass the module name appropriately,
and request_module doesn't verify it as well.

As a result, modprobe is invoked anyway and spend a lot of time
searching a nonsense name.

For example reported from a customer, he runs a user space process
to call ioctl(fd, SIOCGIFINDEX, &ifr), the callstack in kernel is
like that:
dev_ioctl(net/core/dev_iovtl.c)
dev_load
request_module("netdev-%s", name);
or request_module("%s", name);

However if name of NIC is empty, neither dev_load nor request_module
checks it at the first place, modprobe will search module "netdev-"
in its default path, env path and path configured in etc for nothing,
increase a lot system overhead.

To address this problem, this patch copies va_list and introduces
a helper is_module_name_valid to verify the parameters validity
one by one, either null or empty. if it fails, no modprobe invoked.

I'm not sure if I fully follow why this should be addressed at the
request_module() level. If the user repeatedly invokes SIOCGIFINDEX with
an empty name and this increases their system load, wouldn't it be
better to update the userspace to prevent this non-sense request in the
first place?

If the user process knew, it wouldn't make the mistake. moreover, what happened in dev_load was quite confusing, please see the code below:

no_module = !dev;
if (no_module && capable(CAP_NET_ADMIN))
no_module = request_module("netdev-%s", name);
if (no_module && capable(CAP_SYS_MODULE))
request_module("%s", name);

Running the same process, sys admin or root user spends more time than normal user, it took a while for us to find the cause, that's why i tried to fix it in kernel.

Similarly, if something should be done in the kernel,

wouldn't it be more straightforward for dev_ioctl()/dev_load() to check
this case?

I thought about it at the beginning, not only dev_ioctl/dev_load but also other request_module callers should check this case as well, that would be too much effort, then I switched to check it at the beginning of request_module which every caller goes through.

I think the same should in principle apply to other places that might
invoke request_module() with "%s" and a bogus value. The callers can
appropriately decide if their request makes sense and should be
fixed/improved.

Callees are obliged to do fault tolerance for callers, or at least let them know what is going on inside, what kinds of mistake they are making, there are a lot of such cases in kernel, such as call_modprobe in kernel/module/kmod.c, it checks if orig_module_name is NULL.

Song

Next message: Stefan Berger: "Re: [PATCH v2] ima: Suspend PCR extends and log appends when rebooting"
Previous message: Yuvaraj Ranganathan: "[PATCH V3 1/2] dt-bindings: crypto: qcom,prng: document QCS8300"
In reply to: Petr Pavlu: "Re: [PATCH] kmod: verify module name before invoking modprobe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]