Hi,
this patch fixes two minor bugs in kernel/module.c in current linux
kernel versions (2.4.18/2.5.24) which could cause problems in some
rare situations:
1. A size-check in sys_create_module is off by one. The check reads
if (size < sizeof(struct module)+namelen) {
error = -EINVAL;
goto err1;
}
while a subsequent write to a "size"-long buffer expects one more
byte ("mod" being the buffer pointer of type struct module*):
memcpy((char*)(mod+1), name, namelen+1);
2. In case "struct module" used by insmod is larger than the one used
by the kernel (e.g. newer version), module loading will fail.
This is because sys_create_module initializes the module buffer with
0: struct module
sizeof(struct module): char[] module_name
while sys_init_module copies the insmod-provided "struct module" data into
this buffer, overwriting the adjacent module name with the extra "struct
module" fields. As a result, the following sanity check will fail
if (namelen != n_namelen || strcmp(n_name, mod_tmp.name) != 0) {
printk(KERN_ERR "init_module: changed module name to "
"%s' from %s'\n",
n_name, mod_tmp.name);
goto err3;
}
because mod_tmp.name points to the overwritten module name.
This can be easily fixed using the already existing copy of the module name
in "name_tmp".
Following is the patch implementing these two fixes (diff against 2.4.17,
works for 2.4.18, 2.5.24):
========================================
--- linux-2.4.17/kernel/module.c Sun Nov 11 20:23:14 2001
+++ linux-2.4.17-modfix/kernel/module.c Mon Jul 8 09:50:57 2002
@@ -303,7 +303,7 @@
error = namelen;
goto err0;
}
- if (size < sizeof(struct module)+namelen) {
+ if (size < sizeof(struct module)+namelen+1) {
error = -EINVAL;
goto err1;
}
@@ -482,10 +482,10 @@
error = n_namelen;
goto err2;
}
- if (namelen != n_namelen || strcmp(n_name, mod_tmp.name) != 0) {
+ if (namelen != n_namelen || strcmp(n_name, name_tmp) != 0) {
printk(KERN_ERR "init_module: changed module name to "
"`%s' from `%s'\n",
- n_name, mod_tmp.name);
+ n_name, name_tmp);
goto err3;
}
========================================
Regards,
Peter Oberparleiter
On Mon, 8 Jul 2002 10:27:50 +0200,
Peter Oberparleiter <[email protected]> wrote:
>this patch fixes two minor bugs in kernel/module.c in current linux
>kernel versions (2.4.18/2.5.24) which could cause problems in some
>rare situations:
>1. A size-check in sys_create_module is off by one. The check reads
>2. In case "struct module" used by insmod is larger than the one used
>by the kernel (e.g. newer version), module loading will fail.
Looks good. Linus/Marcelo, please apply.
========================================
--- linux-2.4.17/kernel/module.c Sun Nov 11 20:23:14 2001
+++ linux-2.4.17-modfix/kernel/module.c Mon Jul 8 09:50:57 2002
@@ -303,7 +303,7 @@
error = namelen;
goto err0;
}
- if (size < sizeof(struct module)+namelen) {
+ if (size < sizeof(struct module)+namelen+1) {
error = -EINVAL;
goto err1;
}
@@ -482,10 +482,10 @@
error = n_namelen;
goto err2;
}
- if (namelen != n_namelen || strcmp(n_name, mod_tmp.name) != 0) {
+ if (namelen != n_namelen || strcmp(n_name, name_tmp) != 0) {
printk(KERN_ERR "init_module: changed module name to "
"`%s' from `%s'\n",
- n_name, mod_tmp.name);
+ n_name, name_tmp);
goto err3;
}
========================================
>Regards,
> Peter Oberparleiter