Re: [RFC PATCH v1] module: Fix kernel panic when a symbol st_shndx is out of bounds

Next message: Markus Elfring: "Re: [PATCH net] net: wwan: iosm: Fix memory leak in ipc_mux_deinit()"
Previous message: Ruidong Tian: "[PATCH v5 17/17] trace, ras: add ARM RAS extension trace event"
In reply to: Alexei Starovoitov: "Re: [RFC PATCH v1] module: Fix kernel panic when a symbol st_shndx is out of bounds"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Petr Pavlu

Date: Tue Dec 30 2025 - 04:14:17 EST

On 12/24/25 1:57 AM, Ihor Solodrai wrote:
> [...]
> ---
> kernel/module/main.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/kernel/module/main.c b/kernel/module/main.c
> index 710ee30b3bea..5bf456fad63e 100644
> --- a/kernel/module/main.c
> +++ b/kernel/module/main.c
> @@ -1568,6 +1568,13 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
> break;
>
> default:
> + if (sym[i].st_shndx >= info->hdr->e_shnum) {
> + pr_err("%s: Symbol %s has an invalid section index %u (max %u)\n",
> + mod->name, name, sym[i].st_shndx, info->hdr->e_shnum - 1);
> + ret = -ENOEXEC;
> + break;
> + }
> +
> /* Divert to percpu allocation if a percpu var. */
> if (sym[i].st_shndx == info->index.pcpu)
> secbase = (unsigned long)mod_percpu(mod);

The module loader should always at least get through the signature and
blacklist checks without crashing due to a corrupted ELF file. After
that point, the module content is to be trusted, but we try to error out
for most issues that would cause problems later on.

In this specific case, I think it is useful to add this check because
the code potentially crashes on a valid module that uses SHN_XINDEX. The
loader already rejects sh_link and sh_info values that are above e_shnum
in several places, so the patch is consistent with that behavior.

I suggest adding a proper commit description and sending a non-RFC
version.

--
Thanks,
Petr