From gdonl@tsc.tdk.com  Thu Feb  6 00:08:58 1997
Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA09013
          for <FreeBSD-gnats-submit@freebsd.org>; Thu, 6 Feb 1997 00:08:57 -0800 (PST)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191])
          by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP
	  id AAA03815 for <FreeBSD-gnats-submit@freebsd.org>; Thu, 6 Feb 1997 00:08:56 -0800 (PST)
Received: from w3.gv.tsc.tdk.com (gdonl@w3.gv.tsc.tdk.com [192.168.240.195])
          by sunrise.gv.tsc.tdk.com (8.8.4/8.8.4) with ESMTP
	  id AAA13620 for <FreeBSD-gnats-submit@freebsd.org>; Thu, 6 Feb 1997 00:08:55 -0800 (PST)
Received: (from gdonl@localhost)
          by w3.gv.tsc.tdk.com (8.8.5/8.8.4)
	  id AAA01158; Thu, 6 Feb 1997 00:08:54 -0800 (PST)
Message-Id: <199702060808.AAA01158@w3.gv.tsc.tdk.com>
Date: Thu, 6 Feb 1997 00:08:54 -0800 (PST)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Reply-To: gdonl@tsc.tdk.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: lkmcioctl() is not consistent and careful with module names
X-Send-Pr-Version: 3.2

>Number:         2675
>Category:       kern
>Synopsis:       lkmcioctl() is not consistent and careful with module names
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb  6 00:10:01 PST 1997
>Closed-Date:    Tue Jun 20 19:21:44 PDT 2000
>Last-Modified:  Tue Jun 20 19:22:52 PDT 2000
>Originator:     Don Lewis
>Release:        FreeBSD 2.1.6-internal-0225 i386
>Organization:
TDK Semiconductor
>Environment:


>Description:

	lkmcioctl() is not careful in its handling of module names.
	It calls strcmp() on these names, which may not have been
	NUL terminated, possibly walking off the ends of arrays.
	This doesn't look like an exploitable hole, but ...

	lmkcioctl() is also not consistent in what it thinks the
	maximum name length is.

>How-To-Repeat:

	Pass an lmc_stat structure to lkmioctl() that contains a
	non-NUL terminated name and no zero bytes in the rest of
	the structure.

>Fix:
	

The attached patch allows (MAXLKMNAME-1) characters in the name, not
including the terminating NUL.

Something else to be aware of is that if you load a module with a long
enough name, you can't unload it by name.

*** kern_lkm.c-	Tue Oct 22 04:00:58 1996
--- kern_lkm.c	Mon Dec  9 20:46:39 1996
***************
*** 383,389 ****
  			 * Copy name and lookup id from all loaded
  			 * modules.  May fail.
  			 */
! 		 	err =copyinstr(unloadp->name, istr, MAXLKMNAME-1, NULL);
  		 	if (err)
  				break;
  
--- 383,389 ----
  			 * Copy name and lookup id from all loaded
  			 * modules.  May fail.
  			 */
! 		 	err =copyinstr(unloadp->name, istr, MAXLKMNAME, NULL);
  		 	if (err)
  				break;
  
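Review bot: passing MAXLKMNAME instead of MAXLKMNAME-1 as the copyinstr() length only stays in bounds if istr is at least MAXLKMNAME bytes, and the declaration is not in the hunk, so confirm its size. With that length a name of MAXLKMNAME-1 characters plus NUL is accepted and a longer one makes copyinstr() return ENAMETOOLONG, which the existing `if (err) break;` turns into an ioctl error, so no extra terminator is needed on this path. Style nit on the changed line: `err =copyinstr(` is missing the space after `=`.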
***************
*** 436,441 ****
--- 436,442 ----
  			 * modules.
  			 */
  		 	copystr(statp->name, istr, MAXLKMNAME-1, NULL);
+ 			istr[MAXLKMNAME-1] = '\0';
  			/*
  			 * look up id...
  			 */
***************
*** 480,487 ****
  		statp->ver	= curp->private.lkm_any->lkm_ver;
  		copystr(curp->private.lkm_any->lkm_name,
  			  statp->name,
! 			  MAXLKMNAME - 2,
  			  NULL);
  
  		break;
  
--- 481,489 ----
  		statp->ver	= curp->private.lkm_any->lkm_ver;
  		copystr(curp->private.lkm_any->lkm_name,
  			  statp->name,
! 			  MAXLKMNAME - 1,
  			  NULL);
+ 		statp->name[MAXLKMNAME-1] = '\0';
  
  		break;
  
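Review bot: the copy into statp->name now uses MAXLKMNAME - 1 and is followed by an explicit terminator, which fixes the unterminated result the PR describes, but the copystr() return value is again dropped, so a loaded module whose lkm_name is longer than MAXLKMNAME-1 characters is reported under a truncated name with no indication; that is the "can't unload it by name" situation mentioned above and deserves at least a comment at this point. The terminator write also assumes statp->name is MAXLKMNAME bytes; the declaration is outside the hunk, so confirm it.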



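The bug and the fix pattern from the Description and Fix sections, modelled in user space as an added example (not code from the PR or from kern_lkm.c); the MAXLKMNAME value, the copystr() stand-in and the constructed inputs are assumptions:

```c
/* Added example, not code from the PR or from kern_lkm.c: a user-space model
 * of the name handling the PR describes.  MAXLKMNAME's value, copystr() and
 * the field sizes are stand-ins for the kernel definitions in sys/lkm.h. */
#include <errno.h>
#include <string.h>

#define MAXLKMNAME 32   /* assumed value; the real one is in sys/lkm.h */

/* Stand-in for the kernel copystr(): copy at most len bytes, stop after the
 * NUL, return ENAMETOOLONG when no NUL was found within len bytes. */
static int copystr(const void *src, void *dst, size_t len, size_t *done)
{
    const char *s = src; char *d = dst; size_t i;
    for (i = 0; i < len; i++)
        if ((d[i] = s[i]) == '\0') { if (done) *done = i + 1; return 0; }
    if (done) *done = len;
    return ENAMETOOLONG;
}

/* The pattern the PR reports: bounded copy, result ignored, no terminator.
 * Returns 1 if istr ended up NUL-terminated (safe to strcmp), 0 if not. */
static int copy_name_unsafe(const char *name, char istr[MAXLKMNAME])
{
    copystr(name, istr, MAXLKMNAME - 1, NULL);
    return memchr(istr, '\0', MAXLKMNAME) != NULL;
}

/* The patched pattern: keep the copystr result so an overlong name can be
 * rejected, and force a terminator so any later strcmp() stays in bounds.
 * As in the PR's patch, this allows MAXLKMNAME-1 characters plus the NUL. */
static int copy_name_safe(const char *name, char istr[MAXLKMNAME])
{
    int err = copystr(name, istr, MAXLKMNAME - 1, NULL);
    istr[MAXLKMNAME - 1] = '\0';
    return err;
}

/* Constructed input: a name field with no NUL anywhere, the case from the
 * PR's How-To-Repeat.  Returns 1 when the unsafe copy leaves istr without a
 * terminator while the safe copy terminates it and reports ENAMETOOLONG. */
static int demo_overlong_name(void)
{
    char name[MAXLKMNAME], istr[MAXLKMNAME];
    memset(name, 'a', sizeof name);      /* 32 bytes, no terminator */
    memset(istr, 'x', sizeof istr);      /* stale bytes, as on a kernel stack */
    int unsafe_terminated = copy_name_unsafe(name, istr);
    memset(istr, 'x', sizeof istr);
    int err = copy_name_safe(name, istr);
    return !unsafe_terminated && err == ENAMETOOLONG && strlen(istr) == MAXLKMNAME - 1;
}
```

Every read in the model stays inside the MAXLKMNAME-byte field, so it shows the unterminated result without triggering the out-of-bounds strcmp() itself.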
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: mpp 
State-Changed-When: Thu Feb 6 07:59:15 PST 1997 
State-Changed-Why:  
At least the following patches should probably be applied. 
Note:  I can't test them, so I'm not taking responsibility for this 
PR. 

Index: kern_lkm.c 
=================================================================== 
RCS file: /home/ncvs/src/sys/kern/kern_lkm.c,v 
retrieving revision 1.33 
diff -u -r1.33 kern_lkm.c 
--- kern_lkm.c	1997/01/14 06:43:23	1.33 
+++ kern_lkm.c	1997/02/06 15:46:44 
@@ -424,7 +424,9 @@ 
* Copy name and lookup id from all loaded 
* modules. 
*/ 
-		 	copystr(statp->name, istr, MAXLKMNAME-1, NULL); 
+		 	err = copyinstr(statp->name, istr, MAXLKMNAME-1, NULL); 
+			if (err) 
+				break; 
/* 
* look up id... 
*/ 
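Review bot: switching from copystr() to copyinstr() treats statp->name as a user-space pointer, yet the second hunk writes the same field with copystr(), i.e. as kernel memory (the copied-in ioctl argument). Both cannot be right; if statp is the ioctl argument buffer, keep copystr(), check its return for ENAMETOOLONG and force `istr[MAXLKMNAME-1] = '\0'`, as the submitter's patch does. The added `if (err) break;` is the right shape either way and matches how the unload path already handles a failed copy.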
@@ -469,7 +471,7 @@ 
statp->ver	= curp->private.lkm_any->lkm_ver; 
copystr(curp->private.lkm_any->lkm_name, 
statp->name, 
-			  MAXLKMNAME - 2, 
+			  MAXLKMNAME - 1, 
NULL); 

break; 
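Review bot: raising the length to MAXLKMNAME - 1 without adding a terminator leaves statp->name unterminated whenever lkm_name does not fit, which is exactly the condition the PR reports; the submitter's version of this hunk follows the copystr() with `statp->name[MAXLKMNAME-1] = '\0';`, and that line should be carried over. The copystr() return value is also still ignored, so a truncated name is handed back with no indication.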
State-Changed-From-To: analyzed->closed 
State-Changed-By: nrahlstr 
State-Changed-When: Tue Jun 20 19:21:44 PDT 2000 
State-Changed-Why:  
LKM has been deprecated in favor of KLD's.  There does not  
appear to be an equivalent ioctl in the KLD design. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=2675 
>Unformatted:
