Normally exported symbol's crc is stored as absolute (SHN_ABS)
value of special named symbol __crc_<symbol name>.
When the kernel and modules are built with the config option
CONFIG_MODULE_REL_CRCS, all the CRCs are put in a special section
and the __crc_<symbol name> symbols values are offsets in the
section. See patch description of the commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56067812d5b0e737ac2063e94a50f76b810d6ca3
Add kmod support of this configuration.
Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
In function kmod_elf_new, the file size has to be properly validated against
section offset. Currently, the file size is considered valid based on
ELF header size + section header size * section count. That is not sufficient.
In fact, ELF specifies a section header offset, which doesn't have to be the
size of the ELF header. The supplied test cases even cover this.
The correct test is: section offset + section header size * section count
This patch also verifies that this value won't overflow. I don't know a way
to crash a tool due to this bug, because later on the offset check would
prevent out-of-bounds access. An overflow would just mean to access a wrong
part in elf->memory. Yet it's a validation error.
Please note: The file size does not have to be validated against the size
of the ELF header again, elf_identify did this already.
it is possible to overflow uint64_t by summing variables offset and
size up in elf_get_section_info. Thee values are extracted from module
file and are possibly maliciously tampered with.
If offset is in valid range and size very large, the result will
overflow and the size check passes. Later on, this will most likely
lead to a segmentation fault due to accessing uninitialized memory.
Attached please find a proof of concept module, which will trigger
a segmentation fault on modinfo. Tested on amd64:
tobias:~$ modinfo poc.ko
filename: /home/tobias/poc.ko
Segmentation fault
There are more errors of this type in the ELF handling code that will be
fixed in other patches.
It has changed in the past, and these days, anyone can get a copy of the
LGPL via the web rather than by post.
Like 657a122 (Remove FSF mailing address) in libabc by Josh Tripplet,
but let the FSF website in which the license can be found.
Commit 51c409b ("Cache the offset of crc") unintentinally changed the
comparison "if (elf->class & KMOD_ELF_32)" to
"if (elf->class == KMOD_ELF_32)".
This has been reported by Serge Voilokov <serge0x76@gmail.com>:
On Raspberry PI elf->class equals KMOD_ELF_32|KMOD_ELF_LSB so
valid condition should be (elf->class & KMOD_ELF_32) instead of
(elf->class == KMOD_ELF_32).
This fixes "modprobe --dump-modversions" failing on 32b systems.
When told to force load a module, we were removing only the value of
vermagic instead of the complete entry.
Philippe De Swert (philippe.deswert@jollamobile.com) sent a patch that
was additionally mangling also the last two chars of the key
("vermagic="). Instead of creating an invalid entry in .modinfo section
like this, this patch removes the complete entry, key + value, by
zeroing the entire string.
Much thanks to Philippe who found the issue and pointed to the fix.
I hate this kind of READV and WRITEV macros that Gustavo seems to love.
clang-analyzer hates them as well.
I'm not motivated enough to refactor this, but I want a clean clang
report, so just shut it up.
Uses kmod_elf_get_dependency_symbols() that looks into ".symtab" for
UNDEF symbols and matches the name from ".strtab" to "__versions" to
get crc.
Likely the public API should unify the symbol information getters and
list release, they are almost the same.
Similar to module-init-tools load_symbols(), it will try .symtab and
.strtab for symbols starting with __crc_, if they are found their crc
is read from ELF's Elf_Sym::st_value.
If not found, then it will fallback to __ksymtab_strings.
Commit "b20dc17 Remove unneeded reference to last string" reverted the
fix in "47a0ef6 elf: do not output empty strings." and empty strings are
appearing again in kmod-modinfo.
With this commit we do a bit different and instead of keeping the
reference to last string we skip the '\0' inside the loop.
Yauheni Kaliuta
Lucas De Marchi
Tobias Stoeckmann
Lucas De Marchi
Lucas De Marchi
Gustavo Sverzut Barbieri
Jan Engelhardt
Luis Felipe Strano Moraes