public inbox for linux-kernel@vger.kernel.org
From: Keith Owens <kaos@ocs.com.au>
To: linux-kernel@vger.kernel.org
Subject: Re: More modutils: It's probably worse.
Date: Wed, 15 Nov 2000 10:27:43 +1100
Message-ID: <11900.974244463@ocs3.ocs-net>
In-Reply-To: Your message of "14 Nov 2000 11:42:42 -0800." <8us4ji$dbl$1@cesium.transmeta.com>

On 14 Nov 2000 11:42:42 -0800, 
"H. Peter Anvin" <hpa@zytor.com> wrote:
>Seriously, though, I don't see any reason modprobe shouldn't accept
>funky filenames.  There is a standard way to do that, which is to have
>an argument consisting of the string "--"; this indicates that any
>further arguments should be considered filenames and not options.

The original exploit had nothing to do with filenames masquerading as
options, it was: ping6 -I ';chmod o+w .'.  Then somebody pointed out
that -I '-C/my/config/file' could be abused as well.  '--' fixes the
second exploit but not the first.

The problem is the combination of kernel code passing user space
parameters through unchanged (promoting user input to root) plus the
modprobe meta expansion algorithm.  By treating the last parameter from
the kernel as a tainted module name (not an option) and suppressing
meta expansion on tainted parameters, modprobe removes enough of the
problem to be safe.

My changes to modprobe do nothing about this: "ping6 -I binfmt_misc".
That construct lets a user load any module.  However that is a pure
kernel problem which needs to be fixed by the developers who call
request_module.


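The three inputs discussed in the message above, run through a simplified model of the argument handling. This is an added example, not code from the message or from modutils; `legacy_modprobe`, `tainted_modprobe`, the metacharacter set and the module table are hypothetical names and constructed values.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not modutils source. The metacharacter set and
 * the module table are assumptions chosen for illustration. */
static const char META[] = ";|&`$<>()*?[]{}~ \t\n";
static const char *const KNOWN[] = { "binfmt_misc", "ipv6", "dummy" };

enum verdict { LOADS_MODULE, NOT_FOUND, PARSED_AS_OPTION, META_EXPANDED };

static int has_meta(const char *s) { return s[strcspn(s, META)] != '\0'; }

static enum verdict lookup(const char *name)
{
    for (size_t i = 0; i < sizeof KNOWN / sizeof KNOWN[0]; i++)
        if (strcmp(name, KNOWN[i]) == 0)
            return LOADS_MODULE;
    return NOT_FOUND;
}

/* Before the change: the kernel-supplied string is parsed like any
 * other argument and then meta expanded. use_ddash models the caller
 * placing "--" in front of it. */
enum verdict legacy_modprobe(const char *name, int use_ddash)
{
    if (!use_ddash && name[0] == '-')
        return PARSED_AS_OPTION;   /* "--" closes this path */
    if (has_meta(name))
        return META_EXPANDED;      /* "--" does not close this one */
    return lookup(name);
}

/* After the change: the last parameter is tainted, so it is only ever
 * a literal module name, with no option parsing and no expansion. */
enum verdict tainted_modprobe(const char *name)
{
    return lookup(name);
}

int main(void)
{
    static const char *const in[] = { ";chmod o+w .", "-C/my/config/file", "binfmt_misc" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s legacy=%d legacy+dd=%d tainted=%d\n", in[i],
               legacy_modprobe(in[i], 0), legacy_modprobe(in[i], 1),
               tainted_modprobe(in[i]));
    return 0;
}
```

`binfmt_misc` returns `LOADS_MODULE` in every column, which is the case the message leaves to the callers of request_module.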