Hi,
a segmentation fault occurs if a module has an empty key attached to
its signature.
This happens because it's assumed that at least one key byte is
available, subtracting it in libkmod-module line 2249. This -1 value
is casted to an unsigned data type later on, resulting in illegal
memory access.
Attached please find a proof of concept module, tested on amd64:
tobias:~$ modinfo 0sig.ko
filename: /home/tobias/0sig.ko
Segmentation fault
Tobias
---
libkmod/libkmod-module.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
index 30f15ca..ca703a7 100644
--- a/libkmod/libkmod-module.c
+++ b/libkmod/libkmod-module.c
@@ -2246,7 +2246,8 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_
key_hex[i * 3 + 2] = ':';
}
n = kmod_module_info_append(list, "sig_key", strlen("sig_key"),
- key_hex, sig_info.key_id_len * 3 - 1);
+ key_hex, sig_info.key_id_len == 0 ? 0 :
+ sig_info.key_id_len * 3 - 1);
free(key_hex);
if (n == NULL)
goto list_error;
--
2.3.0
Attachment:
0sig.ko
Description: Binary data
