Date: Thu, 6 Feb 1997 00:08:54 -0800 (PST)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/2675: lkmcioctl() is not consistent and careful with module names
Message-ID: <199702060808.AAA01158@w3.gv.tsc.tdk.com>
Resent-Message-ID: <199702060810.AAA09266@freefall.freebsd.org>
>Number:         2675
>Category:       kern
>Synopsis:       lkmcioctl() is not consistent and careful with module names
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 6 00:10:01 PST 1997
>Last-Modified:
>Originator:     Don Lewis
>Organization:   TDK Semiconductor
>Release:        FreeBSD 2.1.6-internal-0225 i386
>Environment:
>Description:
lkmcioctl() is not careful in its handling of module names. It calls
strcmp() on these names, which may not have been NUL terminated,
possibly walking off the ends of arrays. This doesn't look like an
exploitable hole, but ...

lkmcioctl() is also not consistent in what it thinks the maximum name
length is.
>How-To-Repeat:
Pass an lmc_stat structure to lkmioctl() that contains a non-NUL
terminated name and no zero bytes in the rest of the structure.
>Fix:
The attached patch allows (MAXLKMNAME-1) characters in the name, not
including the terminating NUL. Something else to be aware of is that
if you load a module with a long enough name, you can't unload it by
name.

*** kern_lkm.c- Tue Oct 22 04:00:58 1996 --- kern_lkm.c Mon Dec 9 20:46:39 1996 *************** *** 383,389 **** * Copy name and lookup id from all loaded * modules. May fail. */ ! err =copyinstr(unloadp->name, istr, MAXLKMNAME-1, NULL); if (err) break; --- 383,389 ---- * Copy name and lookup id from all loaded * modules. May fail. */ ! err =copyinstr(unloadp->name, istr, MAXLKMNAME, NULL); if (err) break; *************** *** 436,441 **** --- 436,442 ---- * modules. */ copystr(statp->name, istr, MAXLKMNAME-1, NULL); + istr[MAXLKMNAME-1] = '\0'; /* * look up id... */ *************** *** 480,487 **** statp->ver = curp->private.lkm_any->lkm_ver; copystr(curp->private.lkm_any->lkm_name, statp->name, ! MAXLKMNAME - 2, NULL); break; --- 481,489 ---- statp->ver = curp->private.lkm_any->lkm_ver; copystr(curp->private.lkm_any->lkm_name, statp->name, !
MAXLKMNAME - 1, NULL); + statp->name[MAXLKMNAME-1] = '\0'; break.
>Audit-Trail:
>Unformatted:
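Review bot: in the LKM_UNLOAD hunk (lines 383-389), raising the copyinstr() length from MAXLKMNAME-1 to MAXLKMNAME is only safe if istr is declared with at least MAXLKMNAME bytes, and that declaration is outside the hunk; please confirm it, because copyinstr() will now write the terminating NUL at istr[MAXLKMNAME-1] for a (MAXLKMNAME-1)-character name. With that confirmed, the change does make the unload path accept the same (MAXLKMNAME-1)-character names the stat path now returns, and an overlong name still fails with the error that `if (err) break;` propagates rather than being silently truncated.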
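Review bot: in the LKM_STAT lookup hunk (lines 436-441), the added `istr[MAXLKMNAME-1] = '\0';` is the real fix for the strcmp() overrun, since copystr() with a length of MAXLKMNAME-1 leaves istr unterminated whenever the user-supplied statp->name has no NUL within its first MAXLKMNAME-1 bytes. The copystr() return value is still discarded, so an overlong name is silently truncated here while the unload hunk returns an error for the same input; consider checking for ENAMETOOLONG so the two paths agree, or adding a comment stating that truncation is intended on this path.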
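Review bot: in the stat-by-id hunk (lines 480-487), copying MAXLKMNAME-1 bytes and then writing `statp->name[MAXLKMNAME-1] = '\0';` assumes statp->name holds at least MAXLKMNAME bytes, which is not visible in the hunk; a comment at the struct definition tying the field size to MAXLKMNAME would keep the two limits from drifting apart again, which is how the MAXLKMNAME-2 / MAXLKMNAME-1 inconsistency in the synopsis arose. Moving from MAXLKMNAME-2 to MAXLKMNAME-1 also lets stat report one more character of the module name, which matches the (MAXLKMNAME-1) limit stated in the Fix section.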
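The following is an added example and is not part of the PR or of kern_lkm.c; it models the copystr()/copyinstr() length contract in userland (the `done` argument is dropped) so the stat and unload paths in the patch can be exercised against the How-To-Repeat input. MAXLKMNAME is assumed to be 32 here, and copystr_model, make_name, stat_copy_terminated and unload_copy_err are names chosen for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define MAXLKMNAME 32   /* assumed for this example; not taken from the PR */

/* Userland model of the copystr()/copyinstr() contract (done argument
 * dropped): copy at most len bytes including the NUL; if no NUL is seen
 * within len bytes, return ENAMETOOLONG and leave dst unterminated. */
static int copystr_model(const char *src, char *dst, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if ((dst[i] = src[i]) == '\0')
            return 0;
    return ENAMETOOLONG;
}

/* Constructed lmc_stat-style name: namelen 'a' bytes, NUL after them only
 * if it fits; namelen == MAXLKMNAME is the How-To-Repeat case (no NUL). */
static void make_name(char name[MAXLKMNAME], size_t namelen)
{
    memset(name, 'a', MAXLKMNAME);
    if (namelen < MAXLKMNAME)
        name[namelen] = '\0';
}

/* LKM_STAT path: bounded copy, return value ignored as in kern_lkm.c.
 * Returns 1 if istr is NUL-terminated within MAXLKMNAME bytes afterwards. */
static int stat_copy_terminated(int patched, size_t namelen)
{
    char name[MAXLKMNAME], istr[MAXLKMNAME];
    make_name(name, namelen);
    memset(istr, 'X', sizeof istr);         /* constructed stack garbage */
    copystr_model(name, istr, MAXLKMNAME - 1);
    if (patched)
        istr[MAXLKMNAME - 1] = '\0';        /* the line the patch adds */
    return memchr(istr, '\0', sizeof istr) != NULL;
}

/* LKM_UNLOAD path: the error copyinstr() reports for a name of namelen
 * chars with the pre-patch length (MAXLKMNAME-1) or the patched one. */
static int unload_copy_err(int patched, size_t namelen)
{
    char name[MAXLKMNAME], istr[MAXLKMNAME];
    make_name(name, namelen);
    return copystr_model(name, istr, patched ? MAXLKMNAME : MAXLKMNAME - 1);
}
```

stat_copy_terminated(0, 31) returning 0 is the author's "long enough name" case: a (MAXLKMNAME-1)-character name copied with length MAXLKMNAME-1 never sees its NUL, so only the explicit terminator makes the later strcmp() safe.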