2000-11-14 10:37:52

by David Schleef

Subject: Re: More modutils: It's probably worse.

On Tue, Nov 14, 2000 at 09:59:22AM +0100, Olaf Kirch wrote:
> On Tue, Nov 14, 2000 at 12:06:32AM +0100, Michal Zalewski wrote:
> > Maybe I am missing something, but at least for me, modprobe
> > vulnerabilities are exploitable via privileged networking services,
> > nothing more.
>
> Maybe not. ncpfs for instance has an ioctl that seems to allow
> unprivileged users to specify a character set (codepage in m$speak)
> that's requested via load_nls(), which in turn does a
>
> sprintf(buf, "nls_%s", codepage);
> request_module(buf);
>
> Yummy.

Then it looks like the driver is broken, not modutils.


> Everyone is fixing modutils right now. Fine, but what about next
> year's modutils rewrite?
>
> This is why I keep repeating over and over again that we should make
> sure request_module _does_not_ accept funky module names. Why allow
> people to shoot themselves (and, by extension, all other Linux users
> out there) in the foot?

Although I agree that having request_module() do a sanity check
is the best place to do a sanity check, I think it should be
up to the driver to not be stupid. The drivers are trusted with
copy_to/from_user(), so why can't they be trusted to not pass
bad strings?

An inline function module_name_sanity_check() would be convenient
for those cases where "it is just necessary."

Rogue request_module() calls are bad in general, not only because
they might have dangerous invalid strings, but also because they
might have dangerous _valid_ strings. I can imagine a
not-too-unlikely scenario where repeatedly loading a module
causes a DoS.




dave...
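The inline sanity check David suggests above, written out as an added example rather than code from this thread or from modutils or the kernel: a user-space model in which `module_name_sanity_check()` and `build_nls_module_name()` are hypothetical names, the accepted character set `[A-Za-z0-9_-]` and the 64-byte length limit are assumptions chosen for illustration, and the `nls_%s` pattern is the one Olaf quotes from load_nls(). The point is that the caller-controlled string is validated before it ever reaches the `sprintf`/`request_module()` pair, so a driver that builds module names from user-supplied data has one obvious place to put the check.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed upper bound on a module name, including the NUL terminator. */
#define MODULE_NAME_LEN 64

/* Hypothetical inline-style check modelled on the thread's proposal:
 * a module name is acceptable only if it is non-empty, shorter than
 * MODULE_NAME_LEN, and built solely from [A-Za-z0-9_-]. Anything else
 * (slashes, dots, spaces, control characters) is rejected outright.
 * Returns 1 when the name passes, 0 otherwise. */
int module_name_sanity_check(const char *name)
{
    size_t len, i;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len >= MODULE_NAME_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Builds "nls_<codepage>" into buf, but only after the caller-supplied
 * codepage has passed module_name_sanity_check(). On rejection or
 * truncation buf is left as an empty string and 0 is returned, so the
 * caller has nothing it could accidentally hand to request_module(). */
int build_nls_module_name(char *buf, size_t size, const char *codepage)
{
    if (size == 0)
        return 0;
    if (!module_name_sanity_check(codepage)) {
        buf[0] = '\0';
        return 0;
    }
    if (snprintf(buf, size, "nls_%s", codepage) >= (int)size) {
        buf[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs standing in for what a user process
     * might pass through the ncpfs codepage ioctl. */
    const char *samples[] = { "cp437", "iso8859-1", "../x", "cp437 foo", "" };
    char buf[MODULE_NAME_LEN + 4];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = build_nls_module_name(buf, sizeof buf, samples[i]);
        printf("%-12s -> %s%s\n", samples[i],
               ok ? "would request " : "rejected", ok ? buf : "");
    }
    return 0;
}
```

The buffer passed to `build_nls_module_name()` is sized to hold the `nls_` prefix plus the longest name the check admits, so the `snprintf` length test is a belt-and-braces guard rather than the primary defence; the whitelist on characters is what keeps "funky" names out regardless of how a future modutils interprets them.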