Description of problem:
Struct tmp is copied from userspace. It is not checked whether the "name"
field is NUL-terminated. This may lead to a buffer overflow and to passing
the contents of the kernel stack as a module name to try_then_request_module()
and, consequently, to the modprobe command line. It would be seen by all
userspace processes.
References:
http://seclists.org/oss-sec/2011/q1/309
https://lkml.org/lkml/2011/2/14/51
Acknowledgements:
Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting this issue.
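Added example, not part of the original report or of the kernel source: a userspace C sketch of two ways to validate the "name" field described above before it is used as a string, either rejecting unterminated input or forcing termination. The struct layout, the 32-byte field size and the function names are assumptions, and memcpy() stands in for the copy from userspace.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define REQ_NAME_LEN 32          /* assumed size; the report gives none */

/* Hypothetical layout standing in for the struct copied from userspace. */
struct req {
    char name[REQ_NAME_LEN];
    unsigned int flags;
};

/* Option 1: reject input whose name has no NUL inside the field. */
int fetch_req_strict(struct req *dst, const void *user, size_t len)
{
    if (len != sizeof(*dst))
        return -EINVAL;
    memcpy(dst, user, sizeof(*dst));   /* stands in for copy_from_user() */
    if (memchr(dst->name, '\0', sizeof(dst->name)) == NULL)
        return -EINVAL;                /* never reaches the module lookup */
    return 0;
}

/* Option 2: force termination so later string use stays inside the field. */
int fetch_req_truncate(struct req *dst, const void *user, size_t len)
{
    if (len != sizeof(*dst))
        return -EINVAL;
    memcpy(dst, user, sizeof(*dst));
    dst->name[sizeof(dst->name) - 1] = '\0';
    return 0;
}

/* Constructed input: every byte of name is 'A', so there is no terminator. */
void make_unterminated(struct req *r)
{
    memset(r, 0, sizeof(*r));
    memset(r->name, 'A', sizeof(r->name));
}
```

Either check has to run before the name reaches any string-consuming call such as try_then_request_module(); the strict form also makes malformed requests visible as errors instead of silently truncating them.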
Comment 3 Eugene Teo (Security Response)
2011-04-07 00:37:42 UTC