public inbox for linux-kernel@vger.kernel.org
From: Rusty Russell <rusty@linuxcare.com.au>
To: Keith Owens <kaos@ocs.com.au>
Cc: linux-kernel@vger.kernel.org, torvalds@transmeta.com
Subject: Re: More modutils: It's probably worse.
Date: Fri, 17 Nov 2000 11:48:30 +1100
Message-ID: <20001117004830.ABA3B813F@halfway.linuxcare.com.au>
In-Reply-To: Your message of "Wed, 15 Nov 2000 10:27:43 +1100." <11900.974244463@ocs3.ocs-net>

In message <11900.974244463@ocs3.ocs-net> you write:
> On 14 Nov 2000 11:42:42 -0800, 
> "H. Peter Anvin" <hpa@zytor.com> wrote:
> >Seriously, though, I don't see any reason modprobe shouldn't accept
> >funky filenames.  There is a standard way to do that, which is to have
> >an argument consisting of the string "--"; this indicates that any
> >further arguments should be considered filenames and not options.
> 
> The original exploit had nothing to do with filenames masquerading as
> options, it was: ping6 -I ';chmod o+w .'.  Then somebody pointed out
> that -I '-C/my/config/file' could be abused as well.  '--' fixes the
> second exploit but not the first.

Yes, modprobe code is stupid (execing insmod without "--").  Of
course, the passing of flags to modprobe is pretty broken too (the
kernel shouldn't assume anything about modprobe, otherwise why bother
with the /proc entry?)

But the kernel should be fixed for future:

--- working-2.4.0-test11-5/kernel/kmod.c.~1~	Wed Oct  4 15:17:12 2000
+++ working-2.4.0-test11-5/kernel/kmod.c	Fri Nov 17 11:44:09 2000
@@ -133,7 +133,7 @@
 static int exec_modprobe(void * module_name)
 {
 	static char * envp[] = { "HOME=/", "TERM=linux", "PATH=/sbin:/usr/sbin:/bin:/usr/bin", NULL };
-	char *argv[] = { modprobe_path, "-s", "-k", (char*)module_name, NULL };
+	char *argv[] = { modprobe_path, "-s", "-k", "--", (char*)module_name, NULL };
 	int ret;
 
 	ret = exec_usermodehelper(modprobe_path, argv, envp);
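Review bot: the "--" added to argv in exec_modprobe() only stops module_name from being read as an option by whatever program modprobe_path points at; module_name itself is still passed through unchecked, so the ';chmod o+w .' case from the quoted discussion is not affected by this line. The change also depends on the helper honouring "--" and on it forwarding the separator when it execs insmod, which the message says modprobe currently does not do. A short comment above the argv initialiser stating that "--" ends option parsing and that the name is otherwise untrusted would make that limit visible, and a check on the characters in module_name before the exec_usermodehelper() call would cover the case this separator cannot.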
--
Hacking time.