Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S263624AbUDPT16 (ORCPT ); Fri, 16 Apr 2004 15:27:58 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S263613AbUDPT15 (ORCPT ); Fri, 16 Apr 2004 15:27:57 -0400 Received: from fw.osdl.org ([65.172.181.6]:13738 "EHLO mail.osdl.org") by vger.kernel.org with ESMTP id S263624AbUDPT1p (ORCPT ); Fri, 16 Apr 2004 15:27:45 -0400 Date: Fri, 16 Apr 2004 12:27:33 -0700 From: Chris Wright To: Ken Ashcraft Cc: linux-kernel@vger.kernel.org, mc@cs.stanford.edu, rusty@rustcorp.com.au Subject: Re: [CHECKER] Probable security holes in 2.6.5 Message-ID: <20040416122733.Z22989@build.pdx.osdl.net> References: <1082134916.19301.7.camel@dns.coverity.int> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <1082134916.19301.7.camel@dns.coverity.int>; from ken@coverity.com on Fri, Apr 16, 2004 at 10:01:57AM -0700 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1401 Lines: 39 > [BUG] > /home/kash/linux/linux-2.6.5/kernel/module.c:1303:load_module: > ERROR:TAINT: 1283:1303:Using user value "((*hdr).e_shstrndx * 0)" > without first performing bounds checks > [SOURCE_MODEL=(lib,copy_from_user,user,taintscalar)] [PATH=] > > /* Suck in entire file: we'll want most of it. */ > /* vmalloc barfs on "unusual" numbers. Check here */ > if (len > 64 * 1024 * 1024 || (hdr = vmalloc(len)) == NULL) > return ERR_PTR(-ENOMEM); > Start ---> > if (copy_from_user(hdr, umod, len) != 0) { > > ... DELETED 14 lines ... > > if (len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr)) > goto truncated; > > /* Convenience variables */ > sechdrs = (void *)hdr + hdr->e_shoff; > Error ---> > secstrings = (void *)hdr + sechdrs[hdr->e_shstrndx].sh_offset; > sechdrs[0].sh_addr = 0; > > /* And these should exist, but gcc whinges if we don't init them */ Loading modules is inherently risky. I'm not sure how much we want to worry about malicious elf headers when loading a module...you've already given away the family jewels ;-) thanks, -chris -- Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/