Hi,

There could be a problem in sys_create_module() when the second argument (module size) is a very large or negative integer. A large integer will consume memory and halt the machine, and a negative integer will just segfault the calling process (with a very odd segfault). Tested on "Linux version 2.4.18-3" with a PII 300MHz, 128 MB RAM, and a P4 1.60 GHz with "Linux version 2.4.19-16mdk".

The main problem is that there isn't any check on the size of memory that will be allocated with module_map() (vmalloc).

This code will halt my machine:
-------
#include <linux/module.h>
#include <sys/types.h>
#include <stdio.h>

int main(void)
{
	caddr_t x;

	/* ask the kernel to reserve ~117 MB for a module body; nothing bounds the request */
	x = create_module("AAA", 123123123);
	return 0;
}
-------
Test with second argument '-1':
-------
sh-2.05b# gdb ./a.out
GNU gdb 5.2.1-2mdk (Mandrake Linux)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux-gnu"...
(gdb) r
Starting program: /home/ljuranic/a.out

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb)
------
I think that the problem is in this code:

/usr/src/linux-2.4/kernel/module.c:
--------------------
asmlinkage unsigned long
sys_create_module(const char *name_user, size_t size)
{
	...
	if ((mod = (struct module *)module_map(size)) == NULL) {
		error = -ENOMEM;
		goto err1;
	}
	...
}
--------------------
asm-i386/module.h:#define module_map(x) vmalloc(x)

I think that this isn't a security problem, because only root can invoke create_module(). This could be dangerous in some suid-root program, but not IRL :)

Regards,
Leon Juranic
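A user-space model of the missing bound check, added here as an illustration and not code from the report or from the kernel: module_map() is a malloc() stand-in, and MODULE_SIZE_MIN/MODULE_SIZE_MAX are constructed limits (a real kernel derives its limit from the module header and available vmalloc space). It shows that the report's two inputs, 123123123 and -1 (which arrives as SIZE_MAX in a size_t parameter), are both rejected before any allocation happens.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed bounds for the demo; not values from the kernel. */
#define MODULE_SIZE_MIN ((size_t)64)
#define MODULE_SIZE_MAX ((size_t)16 * 1024 * 1024)

/* Stand-in for module_map()/vmalloc(): a plain heap allocation. */
static void *module_map(size_t size)
{
	return malloc(size);
}

/* Bounded version of the allocation step in sys_create_module().
 * Returns 0 and stores the mapping in *out, or a negative errno with *out == NULL. */
int checked_module_map(size_t size, void **out)
{
	*out = NULL;
	/* A caller passing -1 shows up here as SIZE_MAX, so the upper bound catches it too. */
	if (size < MODULE_SIZE_MIN || size > MODULE_SIZE_MAX)
		return -EINVAL;
	*out = module_map(size);
	return *out ? 0 : -ENOMEM;
}

/* Replays the report's two inputs plus a sane one. Returns a bit mask of which
 * requests were rejected: bit0 = 123123123, bit1 = -1, bit2 = 4096. */
int replay_report_cases(void)
{
	void *p = NULL;
	int rejected = 0;

	if (checked_module_map(123123123, &p) == -EINVAL)
		rejected |= 1;
	if (checked_module_map((size_t)-1, &p) == -EINVAL)
		rejected |= 2;
	if (checked_module_map(4096, &p) == -EINVAL)
		rejected |= 4;
	free(p); /* only the 4096-byte request allocated; p is NULL otherwise */
	return rejected; /* returns 3 */
}
```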
Well, the code has changed now, and there is a length check in load_module(). This report might have helped the developers who were refactoring the code for this module - thanks Leon! Would you agree we can close the bug now?