[patch] 2.4.18/2.5.24 kernel/module.c - minor bugs

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Andi Kleen: "Re: IPv6 multiple routing tables"
• Previous message: Joe Thornber: "Re: linux 2.5.25 (and LVM)"
• Next in thread: Keith Owens: "Re: [patch] 2.4.18/2.5.24 kernel/module.c - minor bugs"
• Reply: Keith Owens: "Re: [patch] 2.4.18/2.5.24 kernel/module.c - minor bugs"

this patch fixes two minor bugs in kernel/module.c in current linux
kernel versions (2.4.18/2.5.24) which could cause problems in some
rare situations:

1. A size-check in sys_create_module is off by one. The check reads

if (size < sizeof(struct module)+namelen) {
error = -EINVAL;
goto err1;
}

while a subsequent write to a "size"-long buffer expects one more
byte ("mod" being the buffer pointer of type struct module*):

memcpy((char*)(mod+1), name, namelen+1);

2. In case "struct module" used by insmod is larger than the one used
by the kernel (e.g. newer version), module loading will fail.

This is because sys_create_module initializes the module buffer with

0: struct module
sizeof(struct module): char[] module_name

while sys_init_module copies the insmod-provided "struct module" data into
this buffer, overwriting the adjacent module name with the extra "struct
module" fields. As a result, the following sanity check will fail

if (namelen != n_namelen || strcmp(n_name, mod_tmp.name) != 0) {
printk(KERN_ERR "init_module: changed module name to "
"%s' from %s'\n",
n_name, mod_tmp.name);
goto err3;
}

because mod_tmp.name points to the overwritten module name.

This can be easily fixed using the already existing copy of the module name
in "name_tmp".

Following is the patch implementing these two fixes (diff against 2.4.17,
works for 2.4.18, 2.5.24):

========================================
--- linux-2.4.17/kernel/module.c Sun Nov 11 20:23:14 2001
+++ linux-2.4.17-modfix/kernel/module.c Mon Jul 8 09:50:57 2002
@@ -303,7 +303,7 @@
error = namelen;
goto err0;
}
- if (size < sizeof(struct module)+namelen) {
+ if (size < sizeof(struct module)+namelen+1) {
error = -EINVAL;
goto err1;
}
@@ -482,10 +482,10 @@
error = n_namelen;
goto err2;
}
- if (namelen != n_namelen || strcmp(n_name, mod_tmp.name) != 0) {
+ if (namelen != n_namelen || strcmp(n_name, name_tmp) != 0) {
printk(KERN_ERR "init_module: changed module name to "
"`%s' from `%s'\n",
- n_name, mod_tmp.name);
+ n_name, name_tmp);
goto err3;
}

========================================

Regards,
Peter Oberparleiter
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

• Next message: Andi Kleen: "Re: IPv6 multiple routing tables"
• Previous message: Joe Thornber: "Re: linux 2.5.25 (and LVM)"
• Next in thread: Keith Owens: "Re: [patch] 2.4.18/2.5.24 kernel/module.c - minor bugs"
• Reply: Keith Owens: "Re: [patch] 2.4.18/2.5.24 kernel/module.c - minor bugs"