> >>The module's name is a relative path, priocntl will search the module file
> >>in only /kernel/sched and /usr/kernel/sched/ dirs.
> >>but unfortunately, priocntl() never checks '../' in the pc_clname arg
> >>we can use '../../../tmp/module' to make priocntl() load a module from anywhere
>
>
>The "pc_clname[]" argument is limited in size; to prevent this particular
>bug from being exploited you could:
>
>
>    for dir in /kernel /usr/kernel
>    do
>        cd $dir
>        mkdir -p a/b/c/d/e/f/g/h
>        mv sched a/b/c/d/e/f/g/h
>        ln -s a/b/c/d/e/f/g/h/sched .
>    done

Just a small amendment; the code also doesn't add a trailing NUL to the
pathname copied from user space, so we actually need to take care about
the rest of the size of the structure. (16 + 32 bytes; i.e., 16 levels of ../)

So this should really keep the bad kernel module out:

    for dir in /kernel /usr/kernel
    do
        cd $dir
        mkdir -p a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
        mv sched a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
        ln -s a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched .
    done

Casper
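The following check is added here and is not part of Casper's post: it verifies that a relocated sched directory sits at least as many levels below the search directory as "../" components fit in the 48-byte buffer the thread describes. It assumes the 16 + 32 byte figure from the thread and that it is run against a scratch copy of the directory layout, not the live /kernel tree.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the pc_clname buffer
# is 48 bytes (16 + 32, as stated above) with no terminating NUL required,
# so each "../" costs 3 bytes and at most 48/3 = 16 levels fit.
PC_CLNAME_BYTES=48

# max_levels: how many "../" components fit in the buffer.
max_levels() {
    echo $(( PC_CLNAME_BYTES / 3 ))
}

# relocate_sched DIR DEPTH: move DIR/sched DEPTH directories down and leave a
# symlink at DIR/sched pointing at it (same scheme as the thread's loop).
# DIR is assumed to be a scratch directory, e.g. from mktemp -d.
relocate_sched() {
    dir=$1; depth=$2; path=""; i=0
    while [ "$i" -lt "$depth" ]; do
        path="${path}x$i/"
        i=$((i + 1))
    done
    ( cd "$dir" && mkdir -p "$path" && mv sched "$path" && ln -s "${path}sched" . )
}

# sched_depth DIR: number of directory components between DIR and the real
# (symlink-resolved) sched directory, i.e. how many "../" it takes to get
# from sched back up to DIR.
sched_depth() {
    dir=$1
    base=$(cd "$dir" && pwd -P)
    target=$(cd "$dir/sched" && pwd -P)
    rel=${target#"$base/"}
    # components in rel minus the trailing "sched" component itself
    printf '%s\n' "$rel" | awk -F/ '{ print NF - 1 }'
}

# sched_is_safe DIR: succeeds when no traversal string that fits in the
# buffer can climb above DIR from the relocated sched directory.
sched_is_safe() {
    [ "$(sched_depth "$1")" -ge "$(max_levels)" ]
}
```

Run `sched_is_safe /some/scratch/copy` after applying the relocation; a non-zero exit means the directory is not deep enough for the buffer size assumed.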