Re: [CHECKER] Probable security holes in 2.6.5
From: Chris Wright
Date: Fri Apr 16 2004 - 14:30:09 EST
> [BUG]
> /home/kash/linux/linux-2.6.5/kernel/module.c:1303:load_module:
> ERROR:TAINT: 1283:1303:Using user value "((*hdr).e_shstrndx * 0)"
> without first performing bounds checks
> [SOURCE_MODEL=(lib,copy_from_user,user,taintscalar)] [PATH=]
>
> /* Suck in entire file: we'll want most of it. */
> /* vmalloc barfs on "unusual" numbers. Check here */
> if (len > 64 * 1024 * 1024 || (hdr = vmalloc(len)) == NULL)
> return ERR_PTR(-ENOMEM);
> Start --->
> if (copy_from_user(hdr, umod, len) != 0) {
>
> ... DELETED 14 lines ...
>
> if (len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr))
> goto truncated;
>
> /* Convenience variables */
> sechdrs = (void *)hdr + hdr->e_shoff;
> Error --->
> secstrings = (void *)hdr + sechdrs[hdr->e_shstrndx].sh_offset;
> sechdrs[0].sh_addr = 0;
>
> /* And these should exist, but gcc whinges if we don't init them */
Loading modules is inherently risky. I'm not sure how much we want to
worry about malicious elf headers when loading a module...you've already
given away the family jewels ;-)
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/