2000-11-14 10:37:52[permalink] [raw]
On Tue, Nov 14, 2000 at 09:59:22AM +0100, Olaf Kirch wrote:
> On Tue, Nov 14, 2000 at 12:06:32AM +0100, Michal Zalewski wrote:
> > Maybe I am missing something, but at least for me, modprobe
> > vulnerabilities are exploitable via privledged networking services,
> > nothing more.
> Maybe not. ncpfs for instance has an ioctl that seems to allow
> unprivileged users to specify a character set (codepage in m$speak)
> that's requested via load_nls(), which in turn does a
> sprintf(buf, "nls_%s", codepage);
Then it looks like the driver is broken, not modutils.
> Everyone is fixing modutils right now. Fine, but what about next
> year's modutils rewrite?
> This is why I keep repeating over and over again that we should make
> sure request_module _does_not_ accept funky module names. Why allow
> people to shoot themselves (and, by extension, all other Linux users
> out there) in the foot?
Although I agree that having request_module() do a sanity check
is the best place to do a sanity check, I think it should be
up to the driver to not be stupid. The drivers are trusted with
copy_to/from_user(), so why can't they be trusted to not pass
An inline function module_name_sanity_check() would be convenient
for those cases where "it is just necessary."
Rogue request_module() calls are bad in general, not only because
they might have dangerous invalid strings, but also because they
might have dangerous _valid_ strings. I can imagine a
not-too-unlikely scenario where repeatedly loading a module
causes a DoS.