2000-11-16 21:57:19

by Xavier Bestel

Subject: [PATCH] Re: Local root exploit with kmod and modutils > 2.1.121

Hi,

As modprobe (insmod) args parsing seems POSIX compliant, we should put a "--" before what should be interpreted only as a textual argument, not as an option. This is a lot safer: whatever is passed, modprobe will take it as a module name.

--- linux-2.4.0-test10/kernel/kmod.c Tue Sep 26 01:18:55 2000
+++ linux/kernel/kmod.c Thu Nov 16 19:57:45 2000
@@ -133,7 +133,7 @@
static int exec_modprobe(void * module_name)
{
static char * envp[] = { "HOME=/", "TERM=linux",
"PATH=/sbin:/usr/sbin:/bin:/usr/bin", NULL };
- char *argv[] = { modprobe_path, "-s", "-k", (char*)module_name,
NULL };
+ char *argv[] = { modprobe_path, "-s", "-k", "--",
(char*)module_name, NULL };
int ret;

ret = exec_usermodehelper(modprobe_path, argv, envp);
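Review bot: the `-` and `+` lines of this hunk have been wrapped by the mailer, so the continuation lines `NULL };` and `(char*)module_name, NULL };` carry no diff prefix and `patch` will reject the hunk as posted; please resend it unwrapped or as an attachment. On the change itself, the added `"--"` only protects the call if every modprobe that `modprobe_path` may point at actually stops option parsing at `"--"` (the message says it "seems" POSIX compliant), so the changelog should state which modutils versions were checked.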
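The mechanism the patch relies on, as an added example that is not code from the thread, kmod or modutils: a modprobe-like front end parsing its arguments with POSIX getopt(), once with and once without the `"--"` separator, so the effect on a module name that begins with a dash is visible. The option string `"sk"` and the module name `"-evil"` are assumptions constructed for the demo.

```c
/* Added example (not from the thread or from modutils): shows why the
 * "--" in the patched argv matters for a getopt()-based option parser. */
#include <getopt.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_OPTS 8

struct parse_result {
    char opts_seen[MAX_OPTS]; /* option chars accepted; '?' marks an unknown option */
    const char *module_name;  /* first non-option argument, or NULL if none */
};

/* Parse argv the way a modprobe-like tool would. The option string "sk"
 * (assumed, standing in for the real one) accepts -s and -k; anything
 * else is reported by getopt() as '?'. */
static struct parse_result parse_modprobe_args(int argc, char *argv[])
{
    struct parse_result r;
    int c, n = 0;

    optind = 0; /* glibc/musl: 0 forces getopt() to reinitialise its state */
    opterr = 0; /* silence getopt()'s own diagnostics */
    while ((c = getopt(argc, argv, "sk")) != -1) {
        if (n < MAX_OPTS - 1)
            r.opts_seen[n++] = (char)c;
    }
    r.opts_seen[n] = '\0';
    /* getopt() consumes "--" itself, so optind now indexes the module name */
    r.module_name = optind < argc ? argv[optind] : NULL;
    return r;
}

/* Build the argv kmod would pass (constructed values), with or without "--". */
static struct parse_result run_demo(int use_dashdash)
{
    char *plain[] = { "modprobe", "-s", "-k", "-evil", NULL };
    char *guarded[] = { "modprobe", "-s", "-k", "--", "-evil", NULL };

    if (use_dashdash)
        return parse_modprobe_args(5, guarded);
    return parse_modprobe_args(4, plain);
}

int main(void)
{
    struct parse_result a = run_demo(0), b = run_demo(1);
    printf("without --: opts=%s module=%s\n", a.opts_seen, a.module_name ? a.module_name : "(none)");
    printf("with    --: opts=%s module=%s\n", b.opts_seen, b.module_name ? b.module_name : "(none)");
    return 0;
}
```

Without the separator the would-be module name is consumed as four unknown options and no module name survives; with it, `"-evil"` is handed through untouched as the single positional argument.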


2000-11-16 22:30:42

by Keith Owens

Subject: Re: [PATCH] Re: Local root exploit with kmod and modutils > 2.1.121

On Thu, 16 Nov 2000 22:21:52 +0100,
Xavier Bestel <[email protected]> wrote:
>as modprobe (insmod) args parsing seems POSIX compliant, we should put a
>"--" before
>what should be interpreted only as a textual argument, not as an option.
>This is a lot safer: whatever is passed, modprobe will take it as a module
>name.

That only solves one of the two exploit methods. modutils 2.3.20
solves both without any kernel changes, mainly so it fixes the problem
on all kernels, including 2.2.

2000-11-16 22:49:12

by H. Peter Anvin

Subject: Re: [PATCH] Re: Local root exploit with kmod and modutils > 2.1.121

Followup to: <[email protected]>
By author: Keith Owens <[email protected]>
In newsgroup: linux.dev.kernel
>
> On Thu, 16 Nov 2000 22:21:52 +0100,
> Xavier Bestel <[email protected]> wrote:
> >as modprobe (insmod) args parsing seems POSIX compliant, we should put a
> >"--" before
> >what should be interpreted only as a textual argument, not as an option.
> >This is a lot safer: whatever is passed, modprobe will take it as a module
> >name.
>
> That only solves one of the two exploit methods. modutils 2.3.20
> solves both without any kernel changes, mainly so it fixes the problem
> on all kernels, including 2.2.
>

However, the kernel change is probably still a good idea.

-hpa
--
<[email protected]> at work, <[email protected]> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt