On Sat, Feb 14, 2015 at 9:35 PM, Tobias Stoeckmann <tobias@xxxxxxxxxxxxxx> wrote:
> Hi,
>
> if kmod has been configured with --disable-largefile on a 32 bit
> system, off_t will be 32 bit. In that case, the parsed sig_len can
> bypass a validation check (it's _unsigned_ 32 bit), allowing an
> attacker to perform out of boundary access through a malicious module.

There's no "validation check" in kmod. This is done by the kernel, not the userspace tools.

The fix looks correct, but not the assumption this is a security risk. modinfo is only used to get information from the module and the only bad thing that can happen is it crashing.

> Due to the unlikeliness of people using --disable-largefile, this is
> a mere validation fix. With an explicit signed 64 bit cast, there is
> no binary change for 99.9% of Linux systems out there. ;)
>
> Attached please find a proof of concept, which will most likely result in
> a segmentation fault (works fine with 64 bit off_t builds):

Is it "most likely" or is it certain to get a segfault?

Could you send the source code of this module so I can add it to the testsuite? I realize you had to poke the module after it was compiled in order to corrupt it to produce segfaults, then send the command you use, too.

thanks
Lucas De Marchi
--
To unsubscribe from this list: send the line "unsubscribe linux-modules" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
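The off_t width issue discussed in the thread, as an added illustration that is not kmod's own code: `sig_fits_32` models a length check compiled with a 32-bit off_t, `sig_fits_fixed` the same check with the explicit signed 64-bit cast. The trailer length and the file sizes are constructed values, and the check's exact shape is an assumption, not kmod's source.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical fixed size of the signature trailer that follows the
 * signature data; a placeholder, not kmod's real struct size. */
#define SIG_TRAILER_SIZE 40u

/* Stand-in for off_t on a 32-bit build configured with --disable-largefile. */
typedef int32_t off32_t;

/* Check as it behaves when off_t is 32 bits wide. sig_len is parsed as an
 * unsigned 32-bit value; casting a value >= 2^31 to off32_t yields a
 * negative number, so the right-hand side shrinks and a signature that
 * could never fit in the file is accepted. */
bool sig_fits_32(off32_t file_size, uint32_t sig_len)
{
    return file_size >= (off32_t)sig_len + (off32_t)SIG_TRAILER_SIZE;
}

/* Same check with the explicit signed 64-bit cast proposed in the mail:
 * every uint32_t value is representable in int64_t, the sum cannot wrap,
 * and an oversized sig_len is rejected regardless of off_t's width. */
bool sig_fits_fixed(off32_t file_size, uint32_t sig_len)
{
    return (int64_t)file_size >= (int64_t)sig_len + (int64_t)SIG_TRAILER_SIZE;
}

int main(void)
{
    /* Constructed inputs: a 1000-byte module and a sig_len of 0xFFFFFFF0. */
    const off32_t size = 1000;
    const uint32_t huge = 0xFFFFFFF0u;

    printf("32-bit off_t check accepts oversized sig_len: %s\n",
           sig_fits_32(size, huge) ? "yes" : "no");
    printf("64-bit cast check accepts oversized sig_len:  %s\n",
           sig_fits_fixed(size, huge) ? "yes" : "no");
    return 0;
}
```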