[PATCH] Fix segmentation fault on empty signature key

[PATCH] Fix segmentation fault on empty signature key

[Tobias Stoeckmann]

[-- Attachment #1: Type: text/plain, Size: 1104 bytes --]

Hi,

a segmentation fault occurs if a module has an empty key attached to
its signature.

This happens because it's assumed that at least one key byte is
available, subtracting it in libkmod-module line 2249.  This -1 value
is casted to an unsigned data type later on, resulting in illegal
memory access.

Attached please find a proof of concept module, tested on amd64:

tobias:~$ modinfo 0sig.ko
filename:       /home/tobias/0sig.ko
Segmentation fault

Tobias
---
 libkmod/libkmod-module.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
index 30f15ca..ca703a7 100644
--- a/libkmod/libkmod-module.c
+++ b/libkmod/libkmod-module.c
@@ -2246,7 +2246,8 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_
 				key_hex[i * 3 + 2] = ':';
 		}
 		n = kmod_module_info_append(list, "sig_key", strlen("sig_key"),
-				key_hex, sig_info.key_id_len * 3 - 1);
+				key_hex, sig_info.key_id_len == 0 ? 0 :
+				sig_info.key_id_len * 3 - 1);
 		free(key_hex);
 		if (n == NULL)
 			goto list_error;
-- 
2.3.0


[-- Attachment #2: 0sig.ko --]
[-- Type: application/octet-stream, Size: 336 bytes --]

Re: [PATCH] Fix segmentation fault on empty signature key

[Lucas De Marchi]

On Sat, Feb 14, 2015 at 9:34 PM, Tobias Stoeckmann
<tobias@stoeckmann.org> wrote:
> Hi,
>
> a segmentation fault occurs if a module has an empty key attached to
> its signature.
>
> This happens because it's assumed that at least one key byte is
> available, subtracting it in libkmod-module line 2249.  This -1 value
> is casted to an unsigned data type later on, resulting in illegal
> memory access.
>
> Attached please find a proof of concept module, tested on amd64:
>
> tobias:~$ modinfo 0sig.ko
> filename:       /home/tobias/0sig.ko
> Segmentation fault

Same here, please also send the source code of the module. Even if for
actually testing this behavior we have to ship a pre-compiled module,
I want all the modules in the testsuite to have its source code in the
testsuite to avoid license issues.


-- 
Lucas De Marchi

Re: [PATCH] Fix segmentation fault on empty signature key

[Lucas De Marchi]

On Sat, Feb 14, 2015 at 9:34 PM, Tobias Stoeckmann
<tobias@stoeckmann.org> wrote:
> Hi,
>
> a segmentation fault occurs if a module has an empty key attached to
> its signature.
>
> This happens because it's assumed that at least one key byte is
> available, subtracting it in libkmod-module line 2249.  This -1 value
> is casted to an unsigned data type later on, resulting in illegal
> memory access.
>
> Attached please find a proof of concept module, tested on amd64:
>
> tobias:~$ modinfo 0sig.ko
> filename:       /home/tobias/0sig.ko
> Segmentation fault
>
> Tobias
> ---
>  libkmod/libkmod-module.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
> index 30f15ca..ca703a7 100644
> --- a/libkmod/libkmod-module.c
> +++ b/libkmod/libkmod-module.c
> @@ -2246,7 +2246,8 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_
>                                 key_hex[i * 3 + 2] = ':';
>                 }
>                 n = kmod_module_info_append(list, "sig_key", strlen("sig_key"),
> -                               key_hex, sig_info.key_id_len * 3 - 1);
> +                               key_hex, sig_info.key_id_len == 0 ? 0 :
> +                               sig_info.key_id_len * 3 - 1);

This one I prefer changing kmod_module_signature_info() to do the
right thing. This is because a 0 len signature is not a valid
signature and I prefer outputting nothing in modinfo rather than a
bogus signature.

Just pushed a commit changing kmod_module_signature_info(). Please
take a look if it fixes your issue.

thanks

-- 
Lucas De Marchi