Hi,

a segmentation fault occurs if a module has an empty key attached to its signature. This happens because it's assumed that at least one key byte is available, subtracting it in libkmod-module line 2249. This -1 value is cast to an unsigned data type later on, resulting in illegal memory access.

Attached please find a proof of concept module, tested on amd64:

tobias:~$ modinfo 0sig.ko
filename: /home/tobias/0sig.ko
Segmentation fault

Tobias

--- libkmod/libkmod-module.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c index 30f15ca..ca703a7 100644 --- a/libkmod/libkmod-module.c +++ b/libkmod/libkmod-module.c @@ -2246,7 +2246,8 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_ key_hex[i * 3 + 2] = ':'; } n = kmod_module_info_append(list, "sig_key", strlen("sig_key"), - key_hex, sig_info.key_id_len * 3 - 1); + key_hex, sig_info.key_id_len == 0 ? 0 : + sig_info.key_id_len * 3 - 1); free(key_hex); if (n == NULL) goto list_error; -- 2.3.0
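Review bot: The guard added in the kmod_module_info_append() call corrects only the length argument; key_hex is still passed to the call and then freed when sig_info.key_id_len is 0, and its allocation sits above the visible context, so please confirm that a zero-size request there cannot produce NULL or take an error path before this point. I would also compute the length once in a named local ahead of the call (0 when key_id_len is 0, key_id_len * 3 - 1 otherwise) with a one-line comment that a module file can carry an empty key id, which reads more clearly than the inline ternary split across two lines and records why the subtraction is guarded. A regression test with a module whose signature has an empty key id would keep this case covered.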
Attachment:
0sig.ko
Description: Binary data
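The length wrap-around described in the report, as an added example that is not part of the original mail or of libkmod's code: key_hex_len() and key_id_to_hex() are hypothetical helpers that format a key id as colon-separated hex and stay well defined for an empty key id and for a length whose tripling would overflow.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the "AA:BB:CC" form of an n-byte key id, without terminator.
 * Unguarded, n * 3 - 1 wraps to SIZE_MAX for n == 0 once it is a size_t. */
static size_t key_hex_len(size_t n)
{
    return n == 0 ? 0 : n * 3 - 1;
}

/* Hypothetical helper: returns a malloc'd, NUL-terminated hex string and
 * stores its length in *out_len; NULL on overflow or allocation failure. */
static char *key_id_to_hex(const unsigned char *id, size_t n, size_t *out_len)
{
    static const char digits[] = "0123456789ABCDEF";
    char *hex;
    size_t i;

    if (n > (SIZE_MAX - 1) / 3)      /* n * 3 + 1 would overflow */
        return NULL;
    hex = malloc(n * 3 + 1);         /* at least 1 byte, even for n == 0 */
    if (hex == NULL)
        return NULL;
    for (i = 0; i < n; i++) {
        hex[i * 3] = digits[id[i] >> 4];
        hex[i * 3 + 1] = digits[id[i] & 0x0f];
        hex[i * 3 + 2] = ':';
    }
    *out_len = key_hex_len(n);
    hex[*out_len] = '\0';            /* replaces the trailing ':' if any */
    return hex;
}

int main(void)
{
    const unsigned char id[] = { 0xde, 0xad, 0x01 };  /* constructed sample */
    size_t len = 0;
    char *full = key_id_to_hex(id, sizeof(id), &len);
    char *empty = key_id_to_hex(NULL, 0, &len);       /* empty key id */

    if (full == NULL || empty == NULL)
        return 1;
    printf("sig_key: %s\nsig_key (empty): \"%s\" len=%zu\n", full, empty, len);
    free(full);
    free(empty);
    return 0;
}
```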