Date: Mon, 9 Dec 1996 21:21:40 -0800 From: Don Lewis <Don.Lewis@tsc.tdk.com> To: jc@irbs.com (John Capo), freebsd-security@FreeBSD.ORG Subject: Re: L0pht Advisory: modstat (fwd) Message-ID: <199612100521.VAA00670@salsa.gv.ssi1.com> In-Reply-To: jc@irbs.com (John Capo) "Re: L0pht Advisory: modstat (fwd)" (Dec 9, 7:02pm)
On Dec 9, 7:02pm, John Capo wrote:
} Subject: Re: L0pht Advisory: modstat (fwd)
}
} Modstat does not need to be setgid kmem.  Perhaps this is left over
} from when it groveled around in /dev/kmem.

It looks to me like lkmcioctl() is somewhat inconsistent about the module
name length, and isn't paranoid enough about NUL termination.  The attached
patch allows (MAXLKMNAME-1) characters in the name, not including the
terminating NUL.

Something else to be aware of is that if you load a module with a long
enough name, you can't unload it by name.

*** kern_lkm.c-	Tue Oct 22 04:00:58 1996
--- kern_lkm.c	Mon Dec 9 20:46:39 1996
***************
*** 383,389 ****
  	 * Copy name and lookup id from all loaded
  	 * modules.  May fail.
  	 */
! 	err =copyinstr(unloadp->name, istr, MAXLKMNAME-1, NULL);
  	if (err)
  		break;
--- 383,389 ----
  	 * Copy name and lookup id from all loaded
  	 * modules.  May fail.
  	 */
! 	err =copyinstr(unloadp->name, istr, MAXLKMNAME, NULL);
  	if (err)
  		break;
***************
*** 436,441 ****
--- 436,442 ----
  	 * modules.
  	 */
  	copystr(statp->name, istr, MAXLKMNAME-1, NULL);
+ 	istr[MAXLKMNAME-1] = '\0';
  	/*
  	 * look up id...
  	 */
***************
*** 480,487 ****
  	statp->ver = curp->private.lkm_any->lkm_ver;
  	copystr(curp->private.lkm_any->lkm_name, statp->name,
! 		MAXLKMNAME - 2, NULL);
  	break;
--- 481,489 ----
  	statp->ver = curp->private.lkm_any->lkm_ver;
  	copystr(curp->private.lkm_any->lkm_name, statp->name,
! 		MAXLKMNAME - 1, NULL);
+ 	statp->name[MAXLKMNAME-1] = '\0';
  	break;

--- Truck
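Review bot: in the first hunk (LMUNLOAD, lines 383-389) the new length in `err =copyinstr(unloadp->name, istr, MAXLKMNAME, NULL);` only stays in bounds if `istr` is declared with exactly MAXLKMNAME bytes, and that declaration is outside the hunk; please confirm it, or pass `sizeof(istr)` so the two cannot drift apart. With the full buffer size copyinstr returns ENAMETOOLONG when the user-supplied name has no NUL within MAXLKMNAME bytes, and the existing `if (err) break;` propagates that, so this path never leaves istr unterminated; it is also what makes a module whose name fills the buffer impossible to unload by name, as the message notes. Style nit: the missing space in `err =copyinstr` predates the patch but is worth fixing while the line is being touched.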
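Review bot: in the second hunk (LMSTAT lookup, lines 436-442) `copystr(statp->name, istr, MAXLKMNAME-1, NULL);` still discards copystr's return value, so when statp->name has no NUL within MAXLKMNAME-1 bytes the added `istr[MAXLKMNAME-1] = '\0';` silently turns the overlong name into a truncated one and the lookup proceeds with a name the caller never asked for. Since the LMUNLOAD path in the hunk above fails with ENAMETOOLONG on the same input, it would be more consistent to check the result here too (`err = copystr(...)`, `if (err) break;`) and keep the terminator as belt and braces. The terminator itself is correct: index MAXLKMNAME-1 is the last byte of a MAXLKMNAME-byte array, and copystr with a length of MAXLKMNAME-1 never writes it.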
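Review bot: in the third hunk (LMSTAT fill, lines 480-489) the result of `copystr(curp->private.lkm_any->lkm_name, statp->name, MAXLKMNAME - 1, NULL);` is discarded as well, so an lkm_name longer than MAXLKMNAME-1 characters is reported to userland truncated with no indication, and that truncated name then fails the by-name lookups in the other two hunks. The change from `MAXLKMNAME - 2` to `MAXLKMNAME - 1` plus the explicit terminator is right (the old value left two spare bytes yet still relied on copystr finding the NUL within the length), but it depends on statp->name being MAXLKMNAME bytes; a `sizeof(statp->name)` in the call or a comment on the struct field would make that explicit. Minor style: the added line writes `MAXLKMNAME-1` while the line above it writes `MAXLKMNAME - 1`.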
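As an added example (not part of Don Lewis's message or of the FreeBSD kern_lkm.c source), the following C program models the copystr()/copyinstr() contract in user space and drives the paths the patch touches with the largest name the (MAXLKMNAME-1) rule admits, so the difference between the unterminated old LMSTAT copy and the patched one, and the unload path's rejection of over-long names, is visible without a kernel. MAXLKMNAME is assumed to be 32; the model routine and all function names are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define MAXLKMNAME 32   /* assumed value for this example; the kernel's may differ */

/* Model of the BSD copystr()/copyinstr() contract (no address-space crossing
 * here): copy at most len bytes including the NUL; return 0 on success, or
 * ENAMETOOLONG when no NUL was found within len bytes, in which case exactly
 * len bytes were written and dst is NOT NUL-terminated. */
static int model_copystr(const char *src, char *dst, size_t len, size_t *done)
{
    size_t i;
    for (i = 0; i < len; i++) {
        dst[i] = src[i];
        if (src[i] == '\0') {
            if (done != NULL)
                *done = i + 1;
            return 0;
        }
    }
    if (done != NULL)
        *done = len;
    return ENAMETOOLONG;
}

/* Returns 1 if buf holds a NUL somewhere within its MAXLKMNAME bytes. */
static int is_terminated(const char *buf)
{
    return memchr(buf, '\0', MAXLKMNAME) != NULL;
}

/* LMSTAT lookup path before the patch: copy MAXLKMNAME-1 bytes into a kernel
 * buffer and trust the result to be terminated.  Returns whether it was. */
static int stat_lookup_old(const char *name)
{
    char istr[MAXLKMNAME];
    memset(istr, 'X', sizeof(istr));   /* stands in for stack garbage */
    model_copystr(name, istr, MAXLKMNAME - 1, NULL);
    return is_terminated(istr);
}

/* Same path after the patch: force a NUL into the last byte. */
static int stat_lookup_new(const char *name)
{
    char istr[MAXLKMNAME];
    memset(istr, 'X', sizeof(istr));
    model_copystr(name, istr, MAXLKMNAME - 1, NULL);
    istr[MAXLKMNAME - 1] = '\0';
    return is_terminated(istr);
}

/* LMUNLOAD path before the patch: copyinstr() with MAXLKMNAME-1, which
 * rejects a name of MAXLKMNAME-1 characters even though LMSTAT accepts it. */
static int unload_name_check_old(const char *name)
{
    char istr[MAXLKMNAME];
    return model_copystr(name, istr, MAXLKMNAME - 1, NULL);
}

/* LMUNLOAD path after the patch: copyinstr() with the full buffer size.
 * Returns the error the ioctl breaks out with (0 or ENAMETOOLONG).  Names of
 * MAXLKMNAME-1 characters fit; longer ones are rejected, not truncated, which
 * is why a module with a too-long name cannot be unloaded by name. */
static int unload_name_check(const char *name)
{
    char istr[MAXLKMNAME];
    return model_copystr(name, istr, MAXLKMNAME, NULL);
}

/* Constructed test input: n non-NUL characters followed by a NUL
 * (out must hold n+1 bytes). */
static void make_name(char *out, size_t n)
{
    memset(out, 'm', n);
    out[n] = '\0';
}

/* Drive the four paths with a name of exactly MAXLKMNAME-1 characters, the
 * largest the -1 rule admits.  Returns a bitmask: 1 = old LMSTAT copy ended
 * up terminated, 2 = patched LMSTAT copy terminated, 4 = patched LMUNLOAD
 * accepts the name, 8 = old LMUNLOAD accepts the name. */
static int demo_max_legal_name(void)
{
    char name[MAXLKMNAME];
    make_name(name, MAXLKMNAME - 1);
    return (stat_lookup_old(name) ? 1 : 0)
         | (stat_lookup_new(name) ? 2 : 0)
         | (unload_name_check(name) == 0 ? 4 : 0)
         | (unload_name_check_old(name) == 0 ? 8 : 0);
}

/* A name of MAXLKMNAME characters has no room for its NUL: the patched
 * unload path refuses it instead of silently truncating. */
static int demo_too_long_name(void)
{
    char name[MAXLKMNAME + 1];
    make_name(name, MAXLKMNAME);
    return unload_name_check(name);
}
```

demo_max_legal_name() evaluates to 6: the old LMSTAT copy leaves the 'X' in istr[31] in place (bit 1 clear), the patched one terminates it (bit 2 set), the patched unload path accepts the name (bit 4 set) and the old unload path rejected it (bit 8 clear), which is the inconsistency the message describes. demo_too_long_name() returns ENAMETOOLONG.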
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199612100521.VAA00670>