lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <47a2f0c7-c25f-4734-840b-fdefc2f3c4a9@kernel.org>
Date: Fri, 19 Dec 2025 13:29:21 +0100
From: Matthieu Baerts <matttbe@...nel.org>
To: Kees Cook <kees@...nel.org>, Dan Carpenter <dan.carpenter@...aro.org>
Cc: Rusty Russell <rusty@...tcorp.com.au>, Petr Pavlu <petr.pavlu@...e.com>,
 Daniel Gomez <da.gomez@...nel.org>, Sami Tolvanen <samitolvanen@...gle.com>,
 linux-modules@...r.kernel.org, Hans Verkuil <hverkuil+cisco@...nel.org>,
 Malcolm Priestley <tvboxspy@...il.com>,
 Mauro Carvalho Chehab <mchehab@...nel.org>,
 Hans Verkuil <hverkuil@...nel.org>,
 Uwe Kleine-König <u.kleine-koenig@...gutronix.de>,
 linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
 linux-hardening@...r.kernel.org, Luis Chamberlain <mcgrof@...nel.org>,
 Chris Li <sparse@...isli.org>, linux-sparse@...r.kernel.org
Subject: Re: [PATCH v2 3/3] module: Add compile-time check for embedded NUL
 characters

Hi Kees, Dan,

Sorry to react on an oldish patch, but I have a question about it, see
below.

On 10/10/2025 05:06, Kees Cook wrote:
> Long ago, the kernel module license checks were bypassed by embedding a
> NUL character in the MODULE_LICENSE() string[1]. By using a string like
> "GPL\0proprietary text", the kernel would only read "GPL" due to C string
> termination at the NUL byte, allowing proprietary modules to avoid kernel
> tainting and access GPL-only symbols.
> 
> The MODULE_INFO() macro stores these strings in the .modinfo ELF
> section, and get_next_modinfo() uses strcmp()-family functions
> which stop at the first NUL. This split the embedded string into two
> separate .modinfo entries, with only the first part being processed by
> license_is_gpl_compatible().
> 
> Add a compile-time check using static_assert that compares the full
> string length (sizeof - 1) against __builtin_strlen(), which stops at
> the first NUL. If they differ, compilation fails with a clear error
> message.
> 
> While this check can still be circumvented by modifying the ELF binary
> post-compilation, it prevents accidental embedded NULs and forces
> intentional abuse to require deliberate binary manipulation rather than
> simple source-level tricks.
> 
> Build tested with test modules containing both valid and invalid license
> strings. The check correctly rejects:
> 
>     MODULE_LICENSE("GPL\0proprietary")
> 
> while accepting normal declarations:
> 
>     MODULE_LICENSE("GPL")
> 
> Link: https://lwn.net/Articles/82305/ [1]
> Suggested-by: Rusty Russell <rusty@...tcorp.com.au>
> Signed-off-by: Kees Cook <kees@...nel.org>
> ---
> Cc: Luis Chamberlain <mcgrof@...nel.org>
> Cc: Petr Pavlu <petr.pavlu@...e.com>
> Cc: Daniel Gomez <da.gomez@...nel.org>
> Cc: Sami Tolvanen <samitolvanen@...gle.com>
> Cc: <linux-modules@...r.kernel.org>
> ---
>  include/linux/moduleparam.h | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
> index 6907aedc4f74..915f32f7d888 100644
> --- a/include/linux/moduleparam.h
> +++ b/include/linux/moduleparam.h
> @@ -26,6 +26,9 @@
>  
>  /* Generic info of form tag = "info" */
>  #define MODULE_INFO(tag, info)					  \
> +	static_assert(						  \
> +		sizeof(info) - 1 == __builtin_strlen(info),	  \
> +		"MODULE_INFO(" #tag ", ...) contains embedded NUL byte"); \

When checking MPTCP code on top of Linus tree, I get this new warning
with all MPTCP KUnit tests (net/mptcp/*_test.c), e.g.

$ touch net/mptcp/crypto_test.c && make C=1 net/mptcp/crypto_test.o
  CC [M]  net/mptcp/crypto_test.o
  CHECK   net/mptcp/crypto_test.c
net/mptcp/crypto_test.c:72:1: error: bad integer constant expression
net/mptcp/crypto_test.c:72:1: error: static assertion failed: "MODULE_INFO(license, ...) contains embedded NUL byte"
net/mptcp/crypto_test.c:73:1: error: bad integer constant expression
net/mptcp/crypto_test.c:73:1: error: static assertion failed: "MODULE_INFO(description, ...) contains embedded NUL byte"


I'm using Sparse last development version with Dan's commit:

$ sparse --version
v0.6.4-73-gfbdde312

=> fbdde312 ("builtin: implement __builtin_strlen() for constants")


And the two lines causing the warnings don't have "\0":

    72  MODULE_LICENSE("GPL");
    73  MODULE_DESCRIPTION("KUnit tests for MPTCP Crypto");


Am I missing something?

Cheers,
Matt
-- 
Sponsored by the NGI0 Core fund.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ