[grsec] 'charp' module parameter, 2.1.14-2.6.31.5-200910312135

hooanon05 at yahoo.co.jp hooanon05 at yahoo.co.jp
Fri Nov 6 19:38:15 EST 2009


Hello,
Please CC to me since I have not joined the ML.

Recently I've tried
http://grsecurity.net/test/grsecurity-2.1.14-2.6.31.5-200910312135.patch
and I saw several strange behaviours. Sometimes the kernel crashed.
One issue I saw is a crash at unloading a module.
Reading the patch, I found a bug freeing module parameters.

When I unload the module which has a parameter whose type is charp,
grsecurity tries to free it even if it is a static string.
Since it is a memory corruption, any symptom can occur, I am afraid.
Here is a patch.


J. R. Okajima
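The ownership-flag pattern that the patch below restores, shown as a user-space C model added here for illustration; it is not part of the original message or of the grsecurity patch. The struct, flag and function names mirror kernel/params.c but are re-declared locally (with malloc/free standing in for kstrdup/kfree) so the file builds and runs on its own, and `simulate_module_lifetime()` / `mode_after_unload()` are helpers invented for this example:

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit in kernel_param.flags: the charp value was obtained from the allocator
 * by param_set_charp() and is therefore ours to free at unload. */
#define KPARAM_KMALLOCED 1

struct kernel_param {
    const char *name;
    unsigned int flags;
    char **arg;          /* address of the module variable holding the string */
};

/* Stand-in for kstrdup(val, GFP_KERNEL). */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Model of param_set_charp(): install a heap copy of val.  Only a value we
 * allocated ourselves is released; a static initializer is left alone.
 * The flag is set only after the copy succeeded, so it never lies. */
static int param_set_charp(const char *val, struct kernel_param *kp)
{
    char *copy = dup_string(val);
    if (!copy)
        return -ENOMEM;
    if (kp->flags & KPARAM_KMALLOCED)
        free(*kp->arg);
    *kp->arg = copy;
    kp->flags |= KPARAM_KMALLOCED;
    return 0;
}

/* Model of destroy_params(): run at module unload.  Frees only values the
 * flag marks as heap-owned and returns how many were released. */
static unsigned int destroy_params(struct kernel_param *params, unsigned int num)
{
    unsigned int freed = 0;
    for (unsigned int i = 0; i < num; i++) {
        if (params[i].flags & KPARAM_KMALLOCED) {
            free(*params[i].arg);
            *params[i].arg = NULL;                 /* no dangling pointer */
            params[i].flags &= ~KPARAM_KMALLOCED;
            freed++;
        }
    }
    return freed;
}

/* A module with one charp parameter whose default is a string literal,
 * exactly the case that must never reach free(). */
static char *mode = "default";
static struct kernel_param mod_params[] = { { "mode", 0, &mode } };

/* Simulate load -> set_count writes of the parameter -> unload.
 * Returns the number of heap copies released at unload. */
unsigned int simulate_module_lifetime(unsigned int set_count)
{
    mode = "default";            /* module load: static initializer */
    mod_params[0].flags = 0;
    for (unsigned int i = 0; i < set_count; i++) {
        char buf[32];
        snprintf(buf, sizeof buf, "value%u", i);   /* constructed sample input */
        if (param_set_charp(buf, &mod_params[0]) != 0)
            return (unsigned int)-1;
    }
    return destroy_params(mod_params, 1);
}

const char *mode_after_unload(void)
{
    return mode;
}

int main(void)
{
    unsigned int n0 = simulate_module_lifetime(0);
    printf("no writes:  freed %u, mode=%s\n", n0, mode ? mode : "(null)");
    unsigned int n2 = simulate_module_lifetime(2);
    printf("two writes: freed %u, mode=%s\n", n2, mode ? mode : "(null)");
    return 0;
}
```

With no writes the static default survives unload untouched; with two writes the first copy is released when the second replaces it, and exactly one copy remains to be released at unload. Replacing the flag test in `destroy_params()` with "is this a charp parameter?" is what turns the first case into a free of non-heap memory.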

----------------------------------------------------------------------
commit a0325daa4b13e6d0e85ca133245b5a16ec8bc53e
Author: J. R. Okajima <hooanon05 at yahoo.co.jp>
Date:   Fri Nov 6 16:52:50 2009 +0900

    grsec: module parameter charp
    
    The grsec patch removes KPARAM_KMALLOCED and calls kfree() for the charp
    parameter unconditionally when exiting a module.
    Since the parameter can be initialized by a static string, we cannot
    kfree() it. Revert the part of grsec.
    
    Signed-off-by: J. R. Okajima <hooanon05 at yahoo.co.jp>

diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
index 82a9124..6547c3c 100644
--- a/include/linux/moduleparam.h
+++ b/include/linux/moduleparam.h
@@ -37,6 +37,7 @@ typedef int (*param_set_fn)(const char *val, struct kernel_param *kp);
 typedef int (*param_get_fn)(char *buffer, struct kernel_param *kp);
 
 /* Flag bits for kernel_param.flags */
+#define KPARAM_KMALLOCED	1
 #define KPARAM_ISBOOL		2
 
 struct kernel_param {
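Review bot: restoring KPARAM_KMALLOCED as bit 1 next to KPARAM_ISBOOL (2) is only safe if nothing else in the grsec tree has reused bit 1 of kernel_param.flags since the flag was removed; worth a grep for flags users before merging, because this bit is now the only thing standing between destroy_params() and a kfree() of a static string. A short comment after the define stating that the bit marks a charp value obtained from kstrdup() would help the next reader.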
diff --git a/kernel/params.c b/kernel/params.c
index 8195186..55b50eb 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -217,9 +217,13 @@ int param_set_charp(const char *val, struct kernel_param *kp)
 		return -ENOSPC;
 	}
 
+	if (kp->flags & KPARAM_KMALLOCED)
+		kfree(*(char **)kp->arg);
+
 	/* This is a hack.  We can't need to strdup in early boot, and we
 	 * don't need to; this mangled commandline is preserved. */
 	if (slab_is_available()) {
+		kp->flags |= KPARAM_KMALLOCED;
 		*(char **)kp->arg = kstrdup(val, GFP_KERNEL);
 		if (!kp->arg)
 			return -ENOMEM;
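Review bot: the allocation-failure check in the unchanged context, `if (!kp->arg)`, tests the address of the module variable rather than the kstrdup() result, so it can never fire and `*(char **)kp->arg` is silently left NULL on failure; it should read `if (!*(char **)kp->arg)`. Tied to this change: KPARAM_KMALLOCED is set before kstrdup() returns, so on failure the flag stays set with a NULL value. kfree(NULL) is a no-op, so destroy_params() tolerates that, but setting the flag only after a successful kstrdup() keeps its meaning exactly "this pointer is ours to free". Note also that the kfree() at the top of the hunk runs before the slab_is_available() test, so the early-boot branch (not shown here) must clear KPARAM_KMALLOCED when it stores the preserved command-line pointer, otherwise that pointer would be freed at unload.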
@@ -603,7 +607,7 @@ void destroy_params(const struct kernel_param *params, unsigned num)
 	unsigned int i;
 
 	for (i = 0; i < num; i++)
-		if (params[i].set == param_set_charp)
+		if (params[i].flags & KPARAM_KMALLOCED)
 			kfree(*(char **)params[i].arg);
 }
 
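Review bot: this hunk is the actual fix. The grsec condition `params[i].set == param_set_charp` freed every charp parameter, including ones never written (still pointing at the static initializer) and ones set before slab was available (pointing into the preserved command line, per the comment in the previous hunk), which is a free of non-heap memory and matches the unload crash described in the mail. Keying on KPARAM_KMALLOCED restricts kfree() to pointers that param_set_charp() itself obtained from kstrdup(). Because `params` is const here the flag cannot be cleared after the free, so this function must only ever run once per module (at unload), which is the case today; a comment to that effect would prevent a future caller from turning it into a double free.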