lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <21423aea-65c3-430e-932d-2ba70b6b9ac3@suse.com>
Date: Tue, 12 Nov 2024 13:56:33 +0100
From: Petr Pavlu <petr.pavlu@...e.com>
To: Song Chen <chensong_2000@....cn>
Cc: mcgrof@...nel.org, samitolvanen@...gle.com, da.gomez@...sung.com,
 linux-kernel@...r.kernel.org, linux-modules@...r.kernel.org
Subject: Re: [PATCH] kmod: verify module name before invoking modprobe

On 11/10/24 12:42, Song Chen wrote:
> Sometimes when kernel calls request_module to load a module
> into kernel space, it doesn't pass the module name appropriately,
> and request_module doesn't verify it as well.
> 
> As a result, modprobe is invoked anyway and spend a lot of time
> searching a nonsense name.
> 
> For example reported from a customer, he runs a user space process
> to call ioctl(fd, SIOCGIFINDEX, &ifr), the callstack in kernel is
> like that:
> dev_ioctl(net/core/dev_iovtl.c)
>   dev_load
>      request_module("netdev-%s", name);
>      or request_module("%s", name);
> 
> However if name of NIC is empty, neither dev_load nor request_module
> checks it at the first place, modprobe will search module "netdev-"
> in its default path, env path and path configured in etc for nothing,
> increase a lot system overhead.
> 
> To address this problem, this patch copies va_list and introduces
> a helper is_module_name_valid to verify the parameters validity
> one by one, either null or empty. if it fails, no modprobe invoked.

I'm not sure if I fully follow why this should be addressed at the
request_module() level. If the user repeatedly invokes SIOCGIFINDEX with
an empty name and this increases their system load, wouldn't it be
better to update the userspace to prevent this non-sense request in the
first place? Similarly, if something should be done in the kernel,
wouldn't it be more straightforward for dev_ioctl()/dev_load() to check
this case?

I think the same should in principle apply to other places that might
invoke request_module() with "%s" and a bogus value. The callers can
appropriately decide if their request makes sense and should be
fixed/improved.

-- 
Thanks,
Petr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ