| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <524b444f-4b81-4005-b93a-39b7d3fd3db1@189.cn>
Date: Wed, 13 Nov 2024 10:15:19 +0800
From: Song Chen <chensong_2000@....cn>
To: Petr Pavlu <petr.pavlu@...e.com>
Cc: mcgrof@...nel.org, samitolvanen@...gle.com, da.gomez@...sung.com,
linux-kernel@...r.kernel.org, linux-modules@...r.kernel.org
Subject: Re: [PATCH] kmod: verify module name before invoking modprobe
Hi Petr,
Please see my inline comments, many thanks.
BR
Song
在 2024/11/12 20:56, Petr Pavlu 写道:
> On 11/10/24 12:42, Song Chen wrote:
>> Sometimes when kernel calls request_module to load a module
>> into kernel space, it doesn't pass the module name appropriately,
>> and request_module doesn't verify it as well.
>>
>> As a result, modprobe is invoked anyway and spend a lot of time
>> searching a nonsense name.
>>
>> For example reported from a customer, he runs a user space process
>> to call ioctl(fd, SIOCGIFINDEX, &ifr), the callstack in kernel is
>> like that:
>> dev_ioctl(net/core/dev_iovtl.c)
>> dev_load
>> request_module("netdev-%s", name);
>> or request_module("%s", name);
>>
>> However if name of NIC is empty, neither dev_load nor request_module
>> checks it at the first place, modprobe will search module "netdev-"
>> in its default path, env path and path configured in etc for nothing,
>> increase a lot system overhead.
>>
>> To address this problem, this patch copies va_list and introduces
>> a helper is_module_name_valid to verify the parameters validity
>> one by one, either null or empty. if it fails, no modprobe invoked.
>
> I'm not sure if I fully follow why this should be addressed at the
> request_module() level. If the user repeatedly invokes SIOCGIFINDEX with
> an empty name and this increases their system load, wouldn't it be
> better to update the userspace to prevent this non-sense request in the
> first place?
If the user process knew, it wouldn't make the mistake. moreover, what
happened in dev_load was quite confusing, please see the code below:
no_module = !dev;
if (no_module && capable(CAP_NET_ADMIN))
no_module = request_module("netdev-%s", name);
if (no_module && capable(CAP_SYS_MODULE))
request_module("%s", name);
Running the same process, sys admin or root user spends more time than
normal user, it took a while for us to find the cause, that's why i
tried to fix it in kernel.
Similarly, if something should be done in the kernel,
> wouldn't it be more straightforward for dev_ioctl()/dev_load() to check
> this case?
I thought about it at the beginning, not only dev_ioctl/dev_load but
also other request_module callers should check this case as well, that
would be too much effort, then I switched to check it at the beginning
of request_module which every caller goes through.
>
> I think the same should in principle apply to other places that might
> invoke request_module() with "%s" and a bogus value. The callers can
> appropriately decide if their request makes sense and should be
> fixed/improved.
>
Callees are obliged to do fault tolerance for callers, or at least let
them know what is going on inside, what kinds of mistake they are
making, there are a lot of such cases in kernel, such as call_modprobe
in kernel/module/kmod.c, it checks if orig_module_name is NULL.
Song
Powered by blists - more mailing lists