>
>>The module's name is a relative path, priocntl will search the module file
>>in only /kernel/sched and /usr/kernel/sched/ dirs.
>>but unfortunately, priocntl() never check '../' in pc_clname arg
>>we can use '../../../tmp/module' to make priocntl() load a module from anywhere
>
>
>The "pc_clname[]" argument is limited in size; to prevent this particular
>bug from being exploited you could:
>
>
> for dir in /kernel /usr/kernel
> do
> cd $dir
> mkdir -p a/b/c/d/e/f/g/h
> mv sched a/b/c/d/e/f/g/h
> ln -s a/b/c/d/e/f/g/h/sched .
> done
Just a small amendment; the code also doesn't add a trailing NUL to the
pathname copied from user space, so we actually need to take care
about the rest of the size of the structure. (16 + 32 bytes; i.e.,
16 levels of ../)
So this should really keep the bad kernel module out:
for dir in /kernel /usr/kernel
do
cd $dir
mkdir -p a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
mv sched a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
ln -s a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched .
done
>
>>The module's name is a relative path, priocntl will search the module file
>>in only /kernel/sched and /usr/kernel/sched/ dirs.
>>but unfortunately, priocntl() never check '../' in pc_clname arg
>>we can use '../../../tmp/module' to make priocntl() load a module from anywhere
>
>
>The "pc_clname[]" argument is limited in size; to prevent this particular
>bug from being exploited you could:
>
>
> for dir in /kernel /usr/kernel
> do
> cd $dir
> mkdir -p a/b/c/d/e/f/g/h
> mv sched a/b/c/d/e/f/g/h
> ln -s a/b/c/d/e/f/g/h/sched .
> done
Just a small amendment; the code also doesn't add a trailing NUL to the
pathname copied from user space, so we actually need to take care
about the rest of the size of the structure. (16 + 32 bytes; i.e.,
16 levels of ../)
So this should really keep the bad kernel module out:
for dir in /kernel /usr/kernel
do
cd $dir
mkdir -p a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
mv sched a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
ln -s a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched .
done
Casper
[ reply ]