From: David Schleef <ds@stm.lbl.gov>
To: Olaf Kirch <okir@caldera.de>
Cc: Michal Zalewski <lcamtuf@DIONE.IDS.PL>,
BUGTRAQ@SECURITYFOCUS.COM, linux-kernel@vger.kernel.org
Subject: Re: More modutils: It's probably worse.
Date: Tue, 14 Nov 2000 02:04:50 -0800
Message-ID: <20001114020450.A834@stm.lbl.gov>
In-Reply-To: <Pine.LNX.4.21.0011132040160.1699-100000@ferret.lmh.ox.ac.uk> <Pine.LNX.4.21.0011132352550.31869-100000@dione.ids.pl> <20001114095921.E30730@monad.caldera.de>
In-Reply-To: <20001114095921.E30730@monad.caldera.de>; from okir@caldera.de on Tue, Nov 14, 2000 at 09:59:22AM +0100
On Tue, Nov 14, 2000 at 09:59:22AM +0100, Olaf Kirch wrote:
> On Tue, Nov 14, 2000 at 12:06:32AM +0100, Michal Zalewski wrote:
> > Maybe I am missing something, but at least for me, modprobe
> > vulnerabilities are exploitable via privileged networking services,
> > nothing more.
>
> Maybe not. ncpfs for instance has an ioctl that seems to allow
> unprivileged users to specify a character set (codepage in m$speak)
> that's requested via load_nls(), which in turn does a
>
> sprintf(buf, "nls_%s", codepage);
> request_module(buf);
>
> Yummy.
Then it looks like the driver is broken, not modutils.
> Everyone is fixing modutils right now. Fine, but what about next
> year's modutils rewrite?
>
> This is why I keep repeating over and over again that we should make
> sure request_module _does_not_ accept funky module names. Why allow
> people to shoot themselves (and, by extension, all other Linux users
> out there) in the foot?
Although I agree that having request_module() do a sanity check
is the best place to do a sanity check, I think it should be
up to the driver to not be stupid. The drivers are trusted with
copy_to/from_user(), so why can't they be trusted to not pass
bad strings?
An inline function module_name_sanity_check() would be convenient
for those cases where "it is just necessary."
Rogue request_module() calls are bad in general, not only because
they might have dangerous invalid strings, but also because they
might have dangerous _valid_ strings. I can imagine a
not-too-unlikely scenario where repeatedly loading a module
causes a DoS.
dave...
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
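As an added example (not code from the thread, from modutils or from the kernel): a user-space sketch of the module_name_sanity_check() helper Dave suggests, beside a checked version of the "nls_%s" construction Olaf quotes. MAX_MODULE_NAME, build_nls_module_name() and the return-value conventions are assumptions of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed cap on what we are willing to hand to request_module(). */
#define MAX_MODULE_NAME 64

/*
 * Accept only names made of [A-Za-z0-9_-] that do not start with '-'.
 * This rejects path separators, whitespace (which a modprobe invocation
 * could read as extra arguments) and option-looking names: the "funky
 * module name" check discussed in the thread.  Returns 1 if acceptable,
 * 0 if not.
 */
int module_name_sanity_check(const char *name)
{
    size_t i, len;
    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_MODULE_NAME)
        return 0;
    if (name[0] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/*
 * Driver-side helper mirroring the ncpfs/load_nls pattern from the thread:
 * build "nls_<codepage>" into buf, but refuse untrusted input before it
 * could reach request_module().  Returns 0 on success, -EINVAL if the
 * codepage is rejected, -ENAMETOOLONG if the result would not fit in buf.
 */
int build_nls_module_name(const char *codepage, char *buf, size_t buflen)
{
    int n;
    if (!module_name_sanity_check(codepage))
        return -EINVAL;
    n = snprintf(buf, buflen, "nls_%s", codepage);  /* bounded, unlike sprintf */
    if (n < 0 || (size_t)n >= buflen)
        return -ENAMETOOLONG;
    return 0;
}
```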