2013-06-12 17:30:03

by Mathias Krause

[permalink] [raw]
Subject: [PATCH] module: don't modify argument of module_kallsyms_lookup_name()

If we pass a pointer to a const string of the form "module:symbol"
module_kallsyms_lookup_name() will try to split the string at the colon,
i.e., will try to modify r/o data. That will, in fact, fail on a kernel
with enabled CONFIG_DEBUG_RODATA.

Avoid modifying the string passed as argument and operate on a copy
instead in case we need to split the string.

Signed-off-by: Mathias Krause <[email protected]>
---
kernel/module.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/kernel/module.c b/kernel/module.c
index cab4bce..5ce0784 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -3557,16 +3557,17 @@ static unsigned long mod_find_symname(struct module *mod, const char *name)
unsigned long module_kallsyms_lookup_name(const char *name)
{
struct module *mod;
- char *colon;
+ char *colon, *mod_name;
unsigned long ret = 0;

/* Don't lock: we're in enough trouble already. */
preempt_disable();
if ((colon = strchr(name, ':')) != NULL) {
- *colon = '\0';
- if ((mod = find_module(name)) != NULL)
+ mod_name = kstrndup(name, colon - name, GFP_ATOMIC);
+ if (mod_name && (mod = find_module(mod_name)) != NULL) {
ret = mod_find_symname(mod, colon+1);
- *colon = ':';
+ kfree(mod_name);
+ }
} else {
list_for_each_entry_rcu(mod, &modules, list) {
if (mod->state == MODULE_STATE_UNFORMED)
--
1.7.10.4


2013-06-14 01:50:21

by Rusty Russell

[permalink] [raw]
Subject: Re: [PATCH] module: don't modify argument of module_kallsyms_lookup_name()

Mathias Krause <[email protected]> writes:
> If we pass a pointer to a const string of the form "module:symbol"
> module_kallsyms_lookup_name() will try to split the string at the colon,
> i.e., will try to modify r/o data. That will, in fact, fail on a kernel
> with enabled CONFIG_DEBUG_RODATA.
>
> Avoid modifying the string passed as argument and operate on a copy
> instead in case we need to split the string.

Wow, this has been there forever.

If we've oopsed because we're OOM, this will fail, so I'd rather not do
that.

How about we add a len arg to find_module_all, like so:

/* Search for module by name: must hold module_mutex. */
static struct module *find_module_all(const char *name,
size_t len,
bool even_unformed)
{
struct module *mod;

list_for_each_entry(mod, &modules, list) {
if (!even_unformed && mod->state == MODULE_STATE_UNFORMED)
continue;
if (strlen(mod->name) == len && !memcmp(mod->name, name, len))
return mod;
}
return NULL;
}

Cheers,
Rusty.