>>>>> "Gregory" == Gregory Maxwell <greg@linuxpower.cx> writes:
Gregory> After seeing the modprobe local root exploit today, I asked
Gregory> myself why kmod executes modprobe with full root and doesn't
Gregory> drop some capabilities first.
Gregory> Why? It wouldn't close the hole, but it would narrow it down.
This might also be a good idea; but my suggestion is to not allow arbitrary
strings as module names in the first place. As far as I can see, all valid
strings for KMOD requests consist of alphanumeric chars plus dash and
underscore. Anybody with autoloaded modules that don't fit this pattern even
after /etc/modules.conf translation please object !
Here's the patch...
Torsten
--- linux/kernel/kmod.c.orig Tue Sep 26 01:18:55 2000
+++ linux/kernel/kmod.c Mon Nov 13 16:57:02 2000
@@ -168,6 +168,22 @@
static atomic_t kmod_concurrent = ATOMIC_INIT(0);
#define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
static int kmod_loop_msg;
+ const char * p;
+
+ /* For security reasons ensure the requested name consists
+ * only of allowed characters. Especially whitespace and
+ * shell metacharacters might confuse modprobe.
+ */
+ for (p = module_name; *p; p++)
+ {
+ if ((*p & 0xdf) >= 'a' && (*p & 0xdf) <= 'z')
+ continue;
+ if (*p >= '0' && *p <= '9')
+ continue;
+ if (*p == '_' || *p == '-')
+ continue;
+ return -EINVAL;
+ }
/* Don't allow request_module() before the root fs is mounted! */
if ( ! current->fs->root ) {
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Nov 15 2000 - 21:00:23 EST