[grsec] 'charp' module parameter, 2.1.14-2.6.31.5-200910312135

pageexec at freemail.hu pageexec at freemail.hu
Sat Nov 7 15:00:13 EST 2009


On 7 Nov 2009 at 9:38, hooanon05 at yahoo.co.jp wrote:

> Recently I've tried
> http://grsecurity.net/test/grsecurity-2.1.14-2.6.31.5-200910312135.patch
> and I saw several strange behaviours. Sometimes the kernel crashed.

can you provide more detailed reports on these crashes please
(config, vmlinux, etc)?

> One issue I saw is a crash at unloading a module.
> Reading the patch, I found a bug freeing module parameters.
> 
> When I unload the module which has a parameter whose type is charp,
> grsecurity tries to free it even if it is a static string.
> Since it is a memory corruption, any symptoms can occur, I am afraid.
> Here is a patch.

thanks for your report but i'll need more info about which exact modules
you observed the problem with. the fundamental problem is that under PaX
(and even vanilla linux, see 65afac7d80ab3bc9f81e75eafb71eeb92a3ebdef)
these kernel_param structs are read-only so setting the flags field in
them will cause an oops. in vanilla linux the solution is the same except
they opted for leaking memory, i'd like to avoid that but for that i'll
need to know which modules can reach this code with non-kmalloc'ed strings.


