| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6868be4b-86d8-4b62-b545-9ee1c30c0a26@kernel.org>
Date: Mon, 28 Jul 2025 08:43:22 +0200
From: Daniel Gomez <da.gomez@...nel.org>
To: Petr Pavlu <petr.pavlu@...e.com>
Cc: Luis Chamberlain <mcgrof@...nel.org>,
Sami Tolvanen <samitolvanen@...gle.com>, Daniel Gomez
<da.gomez@...sung.com>, linux-modules@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 3/5] module: Restore the moduleparam prefix length check
On 21/07/2025 11.21, Petr Pavlu wrote:
> On 7/17/25 9:23 PM, Daniel Gomez wrote:
>> On 30/06/2025 16.32, Petr Pavlu wrote:
>>> The moduleparam code allows modules to provide their own definition of
>>> MODULE_PARAM_PREFIX, instead of using the default KBUILD_MODNAME ".".
>>>
>>> Commit 730b69d22525 ("module: check kernel param length at compile time,
>>> not runtime") added a check to ensure the prefix doesn't exceed
>>> MODULE_NAME_LEN, as this is what param_sysfs_builtin() expects.
>>>
>>> Later, commit 58f86cc89c33 ("VERIFY_OCTAL_PERMISSIONS: stricter checking
>>> for sysfs perms.") removed this check, but there is no indication this was
>>> intentional.
>>>
>>> Since the check is still useful for param_sysfs_builtin() to function
>>> properly, reintroduce it in __module_param_call(), but in a modernized form
>>> using static_assert().
>>>
>>> While here, clean up the __module_param_call() comments. In particular,
>>> remove the comment "Default value instead of permissions?", which comes
>>> from commit 9774a1f54f17 ("[PATCH] Compile-time check re world-writeable
>>> module params"). This comment was related to the test variable
>>> __param_perm_check_##name, which was removed in the previously mentioned
>>> commit 58f86cc89c33.
>>>
>>> Fixes: 58f86cc89c33 ("VERIFY_OCTAL_PERMISSIONS: stricter checking for sysfs perms.")
>>> Signed-off-by: Petr Pavlu <petr.pavlu@...e.com>
>>> ---
>>> include/linux/moduleparam.h | 5 ++---
>>> 1 file changed, 2 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
>>> index bfb85fd13e1f..110e9d09de24 100644
>>> --- a/include/linux/moduleparam.h
>>> +++ b/include/linux/moduleparam.h
>>> @@ -282,10 +282,9 @@ struct kparam_array
>>> #define __moduleparam_const const
>>> #endif
>>>
>>> -/* This is the fundamental function for registering boot/module
>>> - parameters. */
>>> +/* This is the fundamental function for registering boot/module parameters. */
>>> #define __module_param_call(prefix, name, ops, arg, perm, level, flags) \
>>> - /* Default value instead of permissions? */ \
>>> + static_assert(sizeof(""prefix) - 1 <= MAX_PARAM_PREFIX_LEN); \
>>
>> Can you clarify if -1 to remove the dot from prefix?
>>
>> Final code
>> static_assert(sizeof(""prefix) - 1 <= __MODULE_NAME_LEN); \
>>
>> with __MODULE_NAME_LEN being:
>>
>> #define __MODULE_NAME_LEN (64 - sizeof(unsigned long))
>
> Correct, -1 is to account for the dot at the end of the prefix.
LGTM,
Reviewed-by: Daniel Gomez <da.gomez@...sung.com>
>
> I actually also wanted to assert that the prefix ends with a dot, but
> unfortunately prefix[sizeof(prefix)-2] (with prefix being a string
> literal) is not a constant expression in C.
>
But even if that would be possible, there are some calls that do not have
a prefix with dot. For example,
#define core_param(name, var, type, perm) \
param_check_##type(name, &(var)); \
__module_param_call("", name, ¶m_ops_##type, &var, perm, -1, 0)
So, you'd have to handle both cases. I mean, where __module_param_call(<prefix>
is used with either MODULE_PARAM_PREFIX or an empty string "".
Powered by blists - more mailing lists