lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <s5haazv1sw5.wl%tiwai@suse.de>
Date:	Tue, 13 Oct 2009 12:37:46 +0200
From:	Takashi Iwai <tiwai@...e.de>
To:	Rusty Russell <rusty@...tcorp.com.au>
Cc:	linux-kernel@...r.kernel.org
Subject: Problems with string (charp) module parameters

Hi Rusty,

While I tried to add some debug option to a driver, I found that a module
parameter taking a string (charp) gives Oops when set via sysfs:

 BUG: unable to handle kernel paging request at ffffffff814c8d8a
 IP: [<ffffffff8107b1ec>] param_set_charp+0x89/0xd0
 PGD 1003067 PUD 1007063 PMD 11c10d063 PTE 80000000014c8161
 Oops: 0003 [#1] SMP 
 ...
 Call Trace:
  [<ffffffff8107a711>] param_attr_store+0x31/0x56
  [<ffffffff8107a7b5>] module_attr_store+0x34/0x4c
  [<ffffffff8117e300>] sysfs_write_file+0x101/0x151
  [<ffffffff8111bf0c>] vfs_write+0xbc/0x195
  [<ffffffff8134fb23>] ? do_page_fault+0x2e5/0x345
  [<ffffffff8111c0d0>] sys_write+0x54/0x8f
  [<ffffffff81011e82>] system_call_fastpath+0x16/0x1b

This seems happening only with a built-in driver, not with a module.
The Oops appears at line 227 in kernel/params.c (as of 2.6.32-rc4),

	if (slab_is_available()) {
==>		kp->flags |= KPARAM_KMALLOCED;
		*(char **)kp->arg = kstrdup(val, GFP_KERNEL);
		if (!kp->arg)
			return -ENOMEM;

Puzzling.  So I looked into the relevant code, and found some deeper
problems.

* Each struct kernel_param instance is defined as const, and is put
  into __param section, which is read-only.
  I guess this causes the page fault above.  And...

* The above NULL check is invalid.  It should be
		if (!*(char **)kp->arg)
			return -ENOMEM
  This is easy, however...

* The handling of parameter array is pretty buggy now.
  kp->perm and kp->flags aren't properly initialized in
  param_array().  Thus, you might call kfree() with invalid pointers,
  or pass a wrong type for bool.

The first item was overlooked because there was no writable field
before the kmalloc'ed string was introduced.  And, the current code
still works somehow for charp with param_array() just because a struct
kernel_param on stack is used there.  But, this is also a buggy
implementation due to the third point.  We didn't hint a bug because
the charp array contain usually NULL.

So, the situation looks messy right now, not only about the section
issue.  If we allow kmalloc of each parameter array element, the flag
must be associated to each element, not a global one to the array.

Thoughts?


thanks,

Takashi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ