
The content of the article which does not work for most of HN.

    Date	Thu, 6 Oct 2011 15:05:27 -0400
    From	Dave Jones <>
    Subject	RFC: virtualbox tainting.
    The number of bug reports we get from people with virtualbox loaded are
    truly astonishing.  It's GPL, but sadly that doesn't mean it's good.
    Nearly all of these bugs look like random corruption. (corrupt linked lists,
    corrupt page tables, and just plain 'weird' crashes).

    This diff adds tainting to the module loader to treat it as we do with stuff
    from staging/ (crap). With this tainting in place, automatic bug filing tools
    can opt out of automatically filing kernel bugs, and inform the user to file
    bugs somewhere more appropriate.

    Signed-off-by: Dave Jones <davej@redhat.com>

    diff --git a/kernel/module.c b/kernel/module.c
    index 04379f92..d26c9a3 100644
    --- a/kernel/module.c
    +++ b/kernel/module.c
    @@ -2653,6 +2653,10 @@ static int check_module_license_and_versions(struct module *mod)
        if (strcmp(mod->name, "ndiswrapper") == 0)
            add_taint(TAINT_PROPRIETARY_MODULE);
     
    +	/* vbox is garbage. */
    +	if (strcmp(mod->name, "vboxdrv") == 0)
    +		add_taint(TAINT_CRAP);
    +
        /* driverloader was caught wrongly pretending to be under GPL */
        if (strcmp(mod->name, "driverloader") == 0)
            add_taint_module(mod, TAINT_PROPRIETARY_MODULE);
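Review bot: the added check calls add_taint(TAINT_CRAP), while the driverloader case two lines below uses add_taint_module(mod, TAINT_PROPRIETARY_MODULE); using add_taint_module(mod, TAINT_CRAP) here would record the taint on the module as well as globally, so per-module taint reporting (and the automatic bug-filing tools the description wants to opt out) can attribute it to vboxdrv instead of only seeing a tainted kernel. The comment `/* vbox is garbage. */` would also serve a future reader better if it stated the reason given in the description (reports of random corruption with the module loaded).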


Honest question: is a strcmp really the best way there is to test for specific kernel modules?


What's wrong with it?


strcmp (and many other string routines like strlen, strcpy) relies on strings being null terminated. Safe versions (strncmp, strnlen, strncpy) have a parameter for maximum string length.

I am pretty sure that in this particular case it is not passed any user input, so it's kinda safe.


In this case it should be fine because the second argument is a string literal (guaranteed to be null-terminated) and the function doesn't continue past the end of the first null-terminated string.
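The bounded comparison the two comments above are reaching for, as an added example (not code from the thread or from the kernel): a constructed fake_module with a fixed-size name buffer stands in for the kernel's struct, and the matcher rejects a buffer that has no terminator instead of reading past it, which is the one case a plain strcmp() against a literal cannot handle. The taint_kind values and the wrapper functions are hypothetical names for this example only.

```c
#include <string.h>

/* Constructed stand-in for the kernel's fixed-size module name field. */
#define NAME_BUF_LEN 16
struct fake_module { char name[NAME_BUF_LEN]; };

enum taint_kind { TAINT_NONE, TAINT_PROPRIETARY, TAINT_CRAPMOD };

/* Bounded exact-match test: a buffer with no terminator is rejected
 * instead of being read past; the literal is always terminated. */
int module_name_is(const struct fake_module *mod, const char *literal)
{
    size_t n = 0;
    while (n < NAME_BUF_LEN && mod->name[n] != '\0')   /* never past buffer */
        n++;
    if (n == NAME_BUF_LEN)      /* no '\0' anywhere: unterminated, reject */
        return 0;
    return n == strlen(literal) && memcmp(mod->name, literal, n) == 0;
}

/* The patch's decision, expressed over the bounded matcher. */
enum taint_kind taint_for(const struct fake_module *mod)
{
    if (module_name_is(mod, "ndiswrapper") || module_name_is(mod, "driverloader"))
        return TAINT_PROPRIETARY;
    if (module_name_is(mod, "vboxdrv"))
        return TAINT_CRAPMOD;
    return TAINT_NONE;
}

/* Classify a normal, terminated name (copied into a zeroed buffer). */
enum taint_kind taint_for_name(const char *name)
{
    struct fake_module m = {{0}};
    strncpy(m.name, name, NAME_BUF_LEN - 1);
    return taint_for(&m);
}

/* Classify a buffer filled with byte c and no terminator at all. */
enum taint_kind taint_for_unterminated(char c)
{
    struct fake_module m;
    memset(m.name, c, sizeof m.name);
    return taint_for(&m);
}
```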


Would be a pretty neat exploit to buffer overflow someone's actual kernel via a carefully constructed module name, though.


A neat hack, yes...but probably not worthwhile from the perspective of an actual attacker (if you've got permissions to load a kernel module, you could just load one of your own crafting to do whatever nefarious things you wanted directly).


If you haven't validated or ensured that your string is a string you've already lost.


Good as any for their use. Follow the thread on lkml (there is a gmane link in the comments here somewhere) for more discussion on identifying taint-introducing modules.


Seems reasonable to use strcmp to compare two strings.


Funny is how they bitch about virtualbox and then their own damn site is down at the same time. A bit of the pot calling the kettle black?



