From owner-freebsd-bugs Thu Feb 6 00:10:06 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA09280 for bugs-outgoing; Thu, 6 Feb 1997 00:10:06 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA09266; Thu, 6 Feb 1997 00:10:02 -0800 (PST)
Resent-Date: Thu, 6 Feb 1997 00:10:02 -0800 (PST)
Resent-Message-Id: <199702060810.AAA09266@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, gdonl@tsc.tdk.com
Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA09013 for ; Thu, 6 Feb 1997 00:08:57 -0800 (PST)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP id AAA03815 for ; Thu, 6 Feb 1997 00:08:56 -0800 (PST)
Received: from w3.gv.tsc.tdk.com (gdonl@w3.gv.tsc.tdk.com [192.168.240.195]) by sunrise.gv.tsc.tdk.com (8.8.4/8.8.4) with ESMTP id AAA13620 for ; Thu, 6 Feb 1997 00:08:55 -0800 (PST)
Received: (from gdonl@localhost) by w3.gv.tsc.tdk.com (8.8.5/8.8.4) id AAA01158; Thu, 6 Feb 1997 00:08:54 -0800 (PST)
Message-Id: <199702060808.AAA01158@w3.gv.tsc.tdk.com>
Date: Thu, 6 Feb 1997 00:08:54 -0800 (PST)
From: Don Lewis
Reply-To: gdonl@tsc.tdk.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/2675: lkmcioctl() is not consistent and careful with module names
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         2675
>Category:       kern
>Synopsis:       lkmcioctl() is not consistent and careful with module names
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 6 00:10:01 PST 1997
>Last-Modified:
>Originator:     Don Lewis
>Organization:   TDK Semiconductor
>Release:        FreeBSD 2.1.6-internal-0225 i386
>Environment:
>Description:
lkmcioctl() is not careful in its handling of module names. It calls strcmp() on these names, which may not have been NUL-terminated, possibly walking off the ends of arrays. This doesn't look like an exploitable hole, but ... lkmcioctl() is also not consistent in what it thinks the maximum name length is.
>How-To-Repeat:
Pass an lmc_stat structure to lkmioctl() that contains a non-NUL-terminated name and no zero bytes in the rest of the structure.
>Fix:
The attached patch allows (MAXLKMNAME-1) characters in the name, not including the terminating NUL. Something else to be aware of is that if you load a module with a long enough name, you can't unload it by name.

*** kern_lkm.c- Tue Oct 22 04:00:58 1996 --- kern_lkm.c Mon Dec 9 20:46:39 1996 *************** *** 383,389 **** * Copy name and lookup id from all loaded * modules. May fail. */ ! err =copyinstr(unloadp->name, istr, MAXLKMNAME-1, NULL); if (err) break; --- 383,389 ---- * Copy name and lookup id from all loaded * modules. May fail. */ ! err =copyinstr(unloadp->name, istr, MAXLKMNAME, NULL); if (err) break; *************** *** 436,441 **** --- 436,442 ---- * modules. */ copystr(statp->name, istr, MAXLKMNAME-1, NULL); + istr[MAXLKMNAME-1] = '\0'; /* * look up id... */ *************** *** 480,487 **** statp->ver = curp->private.lkm_any->lkm_ver; copystr(curp->private.lkm_any->lkm_name, statp->name, ! MAXLKMNAME - 2, NULL); break; --- 481,489 ---- statp->ver = curp->private.lkm_any->lkm_ver; copystr(curp->private.lkm_any->lkm_name, statp->name, ! MAXLKMNAME - 1, NULL); + statp->name[MAXLKMNAME-1] = '\0'; break;

>Audit-Trail:
>Unformatted:
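Review bot: raising the copyinstr() limit from MAXLKMNAME-1 to MAXLKMNAME in the 383,389 hunk writes one byte further into istr than the old code did, and the declaration of istr is not in the hunk; confirm it is sized MAXLKMNAME (not MAXLKMNAME-1) before committing. With that, this hunk is the one call site that handles an unterminated user-supplied name correctly, because copyinstr() either NUL-terminates within the limit or returns ENAMETOOLONG and err is checked; the two copystr() sites that follow should be brought to the same standard. Minor: `err =copyinstr(` is missing the space after `=`, though that is unchanged context.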
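Review bot: in the 436,442 hunk the return value of `copystr(statp->name, istr, MAXLKMNAME-1, NULL);` is still discarded, so the added `istr[MAXLKMNAME-1] = '\0';` turns a name with no NUL in the field into a silently truncated one, and the id lookup that follows then matches against a string the caller never supplied. Since the unload path one hunk earlier rejects such names with ENAMETOOLONG, the stat path should do the same rather than truncate: check the copystr() result and set err and break on failure, as the unload hunk does with copyinstr().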
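Review bot: the 481,489 hunk writes `statp->name[MAXLKMNAME-1] = '\0';` after raising the copy limit from MAXLKMNAME - 2 to MAXLKMNAME - 1; that index is only in bounds if the name field of struct lmc_stat is MAXLKMNAME bytes, which the hunk does not show, so check the struct definition. The copystr() return is again ignored, so a module registered with an lkm_name of MAXLKMNAME-1 characters or more is reported to the user truncated, which is exactly the "can't unload it by name" situation the submitter describes. The cleaner fix is to reject over-long lkm_name values when the module is loaded, so that the name stat reports is always a name unload accepts.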
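The name handling the PR describes, as an added example in C that is not code from the PR or from kern_lkm.c: a user-space model of the bounded copy before the patch (buffer left unterminated), after the patch (forced NUL, silent truncation) and a stricter variant that rejects a name that does not fit. The value of MAXLKMNAME, the helper names (copystr_model, name_copy_*, fill, demo_*) and the sample names are assumptions constructed for the demo; copystr_model only mimics the documented copystr(9) contract.

```c
/* Added example, not from the PR or kern_lkm.c. MAXLKMNAME's value, the
 * function names and the sample names are assumptions made for the demo. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define MAXLKMNAME 16   /* assumed demo value; the real one is in <sys/lkm.h> */

/* Model of copystr(9): copy at most len bytes, stop after a NUL, return
 * ENAMETOOLONG if none appears; bytes already copied stay in dst. */
static int copystr_model(const char *src, char *dst, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        dst[i] = src[i];
        if (src[i] == '\0')
            return 0;
    }
    return ENAMETOOLONG;
}

/* Pre-patch pattern: bounded copy, result ignored, no forced NUL. Returns 1
 * if istr[] holds no NUL, so a following strcmp() would read past it. */
int name_copy_is_unterminated(const char name[MAXLKMNAME])
{
    char istr[MAXLKMNAME];
    memset(istr, 'X', sizeof istr);   /* stand-in for stale stack bytes */
    (void)copystr_model(name, istr, MAXLKMNAME - 1);
    return memchr(istr, '\0', sizeof istr) == NULL;
}

/* Patched pattern: same copy, then out[MAXLKMNAME-1] = '\0'. Always
 * terminated, but over-long names are silently cut; returns the length. */
size_t name_copy_truncating(const char name[MAXLKMNAME], char out[MAXLKMNAME])
{
    (void)copystr_model(name, out, MAXLKMNAME - 1);
    out[MAXLKMNAME - 1] = '\0';
    return strlen(out);
}

/* Stricter alternative: use the whole buffer and reject what does not fit,
 * so MAXLKMNAME-1 chars + NUL is the one limit and no name can be aliased. */
int name_copy_strict(const char name[MAXLKMNAME], char out[MAXLKMNAME])
{
    int err = copystr_model(name, out, MAXLKMNAME);
    if (err != 0)
        out[0] = '\0';
    return err;
}

/* Constructed input: a MAXLKMNAME-byte field, NUL-padded only if s is short. */
static void fill(char name[MAXLKMNAME], const char *s)
{
    size_t n = strlen(s);
    memset(name, 0, MAXLKMNAME);
    memcpy(name, s, n > MAXLKMNAME ? MAXLKMNAME : n);
}

/* Returns 1: the pre-patch copy of a NUL-free field is left unterminated. */
int demo_unterminated(void)
{
    char name[MAXLKMNAME];
    memset(name, 'A', sizeof name);   /* 16 'A's, no NUL in the field */
    return name_copy_is_unterminated(name);
}

/* Returns ENAMETOOLONG: the strict copy rejects that same field. */
int demo_strict_rejects(void)
{
    char name[MAXLKMNAME], out[MAXLKMNAME];
    memset(name, 'A', sizeof name);
    return name_copy_strict(name, out);
}

/* Returns 1: MAXLKMNAME-1 characters plus NUL, the limit the PR states,
 * is accepted intact by the strict copy. */
int demo_strict_accepts_max(void)
{
    char name[MAXLKMNAME], out[MAXLKMNAME];
    fill(name, "fifteencharsxyz");    /* 15 characters */
    return name_copy_strict(name, out) == 0 && strcmp(out, "fifteencharsxyz") == 0;
}

/* Returns 1: the patched copy cuts two distinct 16-character names to the
 * same 15 characters, so a by-name lookup cannot tell them apart. */
int demo_truncation_collides(void)
{
    char a[MAXLKMNAME], b[MAXLKMNAME], ta[MAXLKMNAME], tb[MAXLKMNAME];
    fill(a, "longmodulename_1");
    fill(b, "longmodulename_2");
    size_t la = name_copy_truncating(a, ta), lb = name_copy_truncating(b, tb);
    return memcmp(a, b, MAXLKMNAME) != 0 && la == MAXLKMNAME - 1 &&
           lb == la && strcmp(ta, tb) == 0;
}

int main(void)
{
    printf("unterminated=%d strict_err=%d (ENAMETOOLONG=%d) max_ok=%d collide=%d\n",
           demo_unterminated(), demo_strict_rejects(), ENAMETOOLONG,
           demo_strict_accepts_max(), demo_truncation_collides());
    return 0;
}
```

The collision case is the practical reason to prefer rejecting over truncating: once two names map to the same MAXLKMNAME-1 prefix, a lookup by name (the unload path in the PR) has no way to pick the right module, which is the "can't unload it by name" symptom the submitter observed.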