| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200313005710.GQ11244@42.do-not-panic.com>
Date: Fri, 13 Mar 2020 00:57:10 +0000
From: Luis Chamberlain <mcgrof@...nel.org>
To: Eric Biggers <ebiggers@...nel.org>
Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
Alexei Starovoitov <ast@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Jeff Vander Stoep <jeffv@...gle.com>,
Jessica Yu <jeyu@...nel.org>,
Kees Cook <keescook@...omium.org>, NeilBrown <neilb@...e.com>,
stable@...r.kernel.org
Subject: Re: [PATCH v2 1/4] kmod: make request_module() return an error when
autoloading is disabled
On Thu, Mar 12, 2020 at 01:25:49PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@...gle.com>
>
> It's long been possible to disable kernel module autoloading completely
> (while still allowing manual module insertion) by setting
> /proc/sys/kernel/modprobe to the empty string. This can be preferable
> to setting it to a nonexistent file since it avoids the overhead of an
> attempted execve(), avoids potential deadlocks, and avoids the call to
> security_kernel_module_request() and thus on SELinux-based systems
> eliminates the need to write SELinux rules to dontaudit module_request.
>
> However, when module autoloading is disabled in this way,
> request_module() returns 0. This is broken because callers expect 0 to
> mean that the module was successfully loaded.
>
> Apparently this was never noticed because this method of disabling
> module autoloading isn't used much, and also most callers don't use the
> return value of request_module() since it's always necessary to check
> whether the module registered its functionality or not anyway. But
> improperly returning 0 can indeed confuse a few callers, for example
> get_fs_type() in fs/filesystems.c where it causes a WARNING to be hit:
>
> if (!fs && (request_module("fs-%.*s", len, name) == 0)) {
> fs = __get_fs_type(name, len);
> WARN_ONCE(!fs, "request_module fs-%.*s succeeded, but still no fs?\n", len, name);
> }
>
> This is easily reproduced with:
>
> echo > /proc/sys/kernel/modprobe
> mount -t NONEXISTENT none /
>
> It causes:
>
> request_module fs-NONEXISTENT succeeded, but still no fs?
> WARNING: CPU: 1 PID: 1106 at fs/filesystems.c:275 get_fs_type+0xd6/0xf0
> [...]
>
> This should actually use pr_warn_once() rather than WARN_ONCE(), since
> it's also user-reachable if userspace immediately unloads the module.
> Regardless, request_module() should correctly return an error when it
> fails. So let's make it return -ENOENT, which matches the error when
> the modprobe binary doesn't exist.
>
> I've also sent patches to document and test this case.
>
> Cc: stable@...r.kernel.org
> Cc: Alexei Starovoitov <ast@...nel.org>
> Cc: Andrew Morton <akpm@...ux-foundation.org>
> Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> Cc: Jeff Vander Stoep <jeffv@...gle.com>
> Cc: Jessica Yu <jeyu@...nel.org>
> Cc: Kees Cook <keescook@...omium.org>
> Cc: Luis Chamberlain <mcgrof@...nel.org>
> Cc: NeilBrown <neilb@...e.com>
> Signed-off-by: Eric Biggers <ebiggers@...gle.com>
Acked-by: Luis Chamberlain <mcgrof@...nel.org>
Luis
Powered by blists - more mailing lists