kmod-project / kmod

kmod - Linux kernel module handling
GNU Lesser General Public License v2.1

libkmod: Verify that symbol names in ELF files are NUL-terminated #222

Closed. stoeckmann closed this 3 weeks ago

stoeckmann commented 4 weeks ago

We have to verify that symbol names are NUL-terminated, i.e. use strnlen instead of strlen, especially before calling streq.

Proof of Concept (ideally, compile with ASAN):

  1. Create a module with an unterminated symbol name

    cat > poc.ko.zst.b64 << EOF
    KLUv/WQAD3UDABQEf0VMRgICABERIiIzMzMzRFUAQHd3d3eIiJmZqqoAQAADAAERAAAACCIzAAEA
    C2ZmZmaZDEBfX3ZlcnNpb25zQUIUIFADLXEDsIYvhM89CCM4cnnoZbcR83mE/9ATG3MnjN9ZCcpg
    iHzzKaoRVssS5Q==
    EOF
    base64 -d poc.ko.zst.b64 > poc.ko.zst
  2. Try to show modversion information

    modprobe --show-modversions poc.ko.zst

If you do not compile with ASAN, uncompress poc.ko.zst so mmap will be called. Most likely you will see invalid data or encounter a crash.
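The pattern the description asks for, as an added example written for this page (not kmod's code): a fixed-size name field is checked with strnlen before any strcmp/streq-style comparison, and a whole section is walked so that a single unterminated record rejects the file instead of letting strlen run past the mapping. The struct modversion_entry layout, NAME_LEN and all function names are assumptions for illustration; the sample records are constructed inline and are not the bytes of the PoC module.

```c
#define _POSIX_C_SOURCE 200809L /* strnlen */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout for this example only: a CRC followed by a
 * fixed-size name field that the format promises is NUL-terminated. It
 * stands in for a "__versions"-style entry; the real kmod struct is not
 * asserted here. sizeof(struct modversion_entry) == 64, no padding. */
#define NAME_LEN 56

struct modversion_entry {
    uint64_t crc;
    char name[NAME_LEN];
};

/* Unsafe pattern (what the PR fixes): strlen/strcmp/streq assume a NUL
 * exists, so an unterminated name makes the scan run past the field. */
static bool name_matches_unsafe(const struct modversion_entry *e,
                                const char *wanted)
{
    return strcmp(e->name, wanted) == 0;
}

/* Safe variant: bound the scan with strnlen. A result of NAME_LEN means
 * there is no NUL inside the field, i.e. the entry is malformed. */
static bool name_is_terminated(const struct modversion_entry *e)
{
    return strnlen(e->name, NAME_LEN) < NAME_LEN;
}

static bool name_matches_safe(const struct modversion_entry *e,
                              const char *wanted)
{
    return name_is_terminated(e) && strcmp(e->name, wanted) == 0;
}

/* Walk a whole section. Returns the record count if the length is a whole
 * number of records and every name is terminated; otherwise -1, with
 * *bad_index set to the offending record (-2 for a bad length). */
static int validate_versions_section(const uint8_t *sec, size_t sec_len,
                                     int *bad_index)
{
    const size_t rec = sizeof(struct modversion_entry);
    if (sec_len % rec != 0) {
        if (bad_index) *bad_index = -2;
        return -1;
    }
    for (size_t i = 0; i < sec_len / rec; i++) {
        struct modversion_entry e;
        memcpy(&e, sec + i * rec, rec); /* no alignment assumptions */
        if (!name_is_terminated(&e)) {
            if (bad_index) *bad_index = (int)i;
            return -1;
        }
    }
    return (int)(sec_len / rec);
}

/* Constructed sample (not the PoC module's bytes): record 0 is well
 * formed, record 1 fills all NAME_LEN bytes with 'A' and has no NUL. */
static void fill_sample(struct modversion_entry out[2])
{
    memset(out, 0, 2 * sizeof out[0]);
    out[0].crc = 0x1234;
    strcpy(out[0].name, "module_layout");
    out[1].crc = 0x5678;
    memset(out[1].name, 'A', NAME_LEN);
}

static int sample_good_only_count(void)
{
    struct modversion_entry s[2];
    fill_sample(s);
    return validate_versions_section((const uint8_t *)s, sizeof s[0], NULL);
}

static int sample_bad_index(void)
{
    struct modversion_entry s[2];
    int bad = -3;
    fill_sample(s);
    validate_versions_section((const uint8_t *)s, sizeof s, &bad);
    return bad;
}

/* Even a wanted string of exactly 56 'A's is rejected: the field has no
 * terminator, so the bounded check refuses to compare at all. */
static bool sample_bad_rejected(void)
{
    struct modversion_entry s[2];
    char wanted[NAME_LEN + 1];
    fill_sample(s);
    memset(wanted, 'A', NAME_LEN);
    wanted[NAME_LEN] = '\0';
    return !name_matches_safe(&s[1], wanted);
}

int main(void)
{
    struct modversion_entry s[2];
    int bad = -3;
    fill_sample(s);
    /* Unsafe compare only on record 0; on record 1 it would read off the end. */
    printf("record 0 matches: %d\n", name_matches_unsafe(&s[0], "module_layout"));
    printf("section valid: %d, bad index: %d\n",
           validate_versions_section((const uint8_t *)s, sizeof s, &bad), bad);
    return 0;
}
```

Running the unsafe comparison on record 1 under ASAN is what the PoC above provokes in the real parser; the bounded version turns that into a clean "malformed section" result, which is why checking the length before any streq call is the whole fix.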

stoeckmann commented 3 weeks ago

Not sure if coffee has kicked in yet, but we seem to be missing step 2 in the reproducer.

Step 2 involved uncompressing the module. But it's much nicer to see ASAN stepping in instead of having random effects with out-of-bounds reads on memory-mapped edges.

Forgot to adjust number 3 after removing it and adding it as a note instead.

stoeckmann commented 3 weeks ago

elf_get_modversion_lengths

Chose this one, adjusted.

lucasdemarchi commented 3 weeks ago

Applied, thanks