Bug 485173 - kernel/module-verify-sig.c with memory uncleaned bug
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.3
Hardware: All Linux
Priority: low, Severity: medium
Target Milestone: rc
Assigned To: Jiri Olsa
QA Contact: Petr Beňas
Reported: 2009-02-11 22:33 EST by Shine Liu
Modified: 2015-01-04 17:58 EST
Fixed In Version: kernel-2.6.18-294.el5
Doc Type: Bug Fix
Last Closed: 2012-02-20 22:26:07 EST

Attachments
patch and test case (6.16 KB, application/x-zip-compressed)
2009-02-11 22:34 EST, Shine Liu

Description Shine Liu 2009-02-11 22:33:16 EST
Description of problem:
Some of the signed kernel modules with debug information can't be inserted into the kernel; insmod fails with an EPERM error.

Version-Release number of selected component (if applicable):
rhel 5.3

How reproducible:

Compile a kernel module with the -g option to gcc. Sign the module. Insert the module using the insmod command. Then a permission denied error occurs.

Steps to Reproduce:
1. Extract the attachment to a temp folder.
2. make
3. gcc -o mod-exract mod-exract.c
4. mkdir key
5. Copy the secret key kernel.sec and public key kernel.pub to the key folder.
6. ./modsign.sh moduleTest.ko
7. insmod moduleTest.ko.signed
  
Actual results:
permission denied returned from insmod

Expected results:
The module can be inserted into the kernel successfully.

Additional info:
The bug is caused by not cleaning the memory area pointed to by mvdata->nsects before reusing it (kernel/module-verify-sig.c L149). Here is the patch:

--- a/kernel/module-verify-sig.c	2009-02-12 10:31:00.000000000 +0800
+++ b/kernel/module-verify-sig.c	2009-02-12 10:21:42.000000000 +0800
@@ -125,6 +125,8 @@
 	mvdata->xcsum = 0;
 #endif
 	
+	memset(mvdata->canonlist, 0, sizeof(int) * mvdata->nsects);
+
 	/* load data from each relevant section into the digest */
 	for (i = 1; i < mvdata->nsects; i++) {
 		unsigned long sh_type = sechdrs[i].sh_type;
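
Review bot: the added memset() ahead of the loop has no comment explaining why canonlist is cleared at this point, and it clears only `sizeof(int) * mvdata->nsects` bytes, while the kmalloc() quoted in comment 2 allocates `sizeof(int) * mvdata->nsects * 2`. Add a short comment saying which part of the buffer the loop below reads (the `canonlist[sh_info]` test cited at L149) and confirm nothing in this function reads the second half before it is written. Writing the size as `sizeof(*mvdata->canonlist) * mvdata->nsects` would keep it tied to the element type.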

I have solved this bug using the patch above.
Comment 1 Shine Liu 2009-02-11 22:34:12 EST
Created attachment 331648 [details]
patch and test case
Comment 2 Shine Liu 2009-02-12 00:47:31 EST
More precisely,

kernel/module-verify-sig.c L149:
   if (mvdata->canonlist[sh_info])

the memory area pointed to by mvdata->nsects is not cleaned before use.

The first "canon" elements pointed to by mvdata->nsects are initialized in the function module_verify_canonicalise() (kernel/module-verify-sig.c L228), and modified by

kernel/module-verify-sig.c L196:
                mvdata->canonlist[i] = 1; 

when sechdrs[i].sh_type contains the SHF_ALLOC flag. But the remaining "mvdata->nsects - canon" elements are not initialized, because

kernel/module-verify-sig.c L235:
        mvdata->canonlist =
                kmalloc(sizeof(int) * mvdata->nsects * 2, GFP_KERNEL);

doesn't return cleaned memory. In other words, memset() isn't used after kmalloc.
So, when "sh_info" is greater than "canon", the value of mvdata->canonlist[sh_info] is not determined, and then the bug occurs.
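
A userspace model of the uninitialised read described in comment 2, added here as an example; it is not code from the attachment or from kernel/module-verify-sig.c. The section table, the 0x6b fill standing in for non-zeroed kmalloc() memory, the zero written to the first CANON entries, and the rule for hashing relocation sections are assumptions.

```c
#include <stdlib.h>
#include <string.h>

enum { T_NULL, T_PROGBITS, T_REL };   /* stand-ins for SHT_* values */
#define F_ALLOC 0x2u                  /* stand-in for SHF_ALLOC */

struct sec { int type; unsigned flags, info; };

/* Constructed section table (not from a real module). */
static const struct sec sechdrs[] = {
    { T_NULL,     0,       0 },
    { T_PROGBITS, F_ALLOC, 0 },   /* 1: .text                         */
    { T_REL,      0,       1 },   /* 2: .rela.text, sh_info = 1       */
    { T_PROGBITS, 0,       0 },   /* 3: .debug_info, present with -g  */
    { T_REL,      0,       3 },   /* 4: .rela.debug_info, sh_info = 3 */
};
enum { NSECTS = 5, CANON = 2 };   /* CANON: entries set up by canonicalise */

/* Returns a bitmask of the sections fed to the digest, ~0u on allocation failure. */
unsigned digest_sections(int apply_fix)
{
    unsigned mask = 0;
    int *canonlist = malloc(sizeof(int) * NSECTS * 2);
    if (!canonlist)
        return ~0u;

    /* kmalloc() does not zero memory; 0x6b stands in for stale heap bytes. */
    memset(canonlist, 0x6b, sizeof(int) * NSECTS * 2);
    /* Only the first CANON entries are initialised (value 0 is assumed). */
    memset(canonlist, 0, sizeof(int) * CANON);

    if (apply_fix)   /* the line added by the patch */
        memset(canonlist, 0, sizeof(int) * NSECTS);

    for (int i = 1; i < NSECTS; i++) {
        if (sechdrs[i].type == T_REL) {
            /* Assumed rule: hash a relocation section only if its target was. */
            if (canonlist[sechdrs[i].info])
                mask |= 1u << i;
            continue;
        }
        if (!(sechdrs[i].flags & F_ALLOC))
            continue;
        mask |= 1u << i;
        canonlist[i] = 1;      /* mark section i as hashed */
    }
    free(canonlist);
    return mask;
}
```

Without the memset the model also feeds section 4 into the digest, because canonlist[3] lies past the CANON initialised entries and still holds stale bytes; the set of hashed sections then depends on leftover heap contents.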
Comment 3 Jon Masters 2009-12-15 02:52:53 EST
I apologize that this bug seems to have gone unanswered because it was misassigned to me in error. I am happy to help, even now. Are you still having some issues with module signing in RHEL5?
Comment 4 Shine Liu 2009-12-15 22:53:25 EST
Since the source code didn't change for RHEL 5.4, this bug still exists.
Comment 8 RHEL Product and Program Management 2010-12-07 04:57:20 EST
This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.6 and Red Hat does not plan to fix this issue in the currently developed update.

Contact your manager or support representative in case you need to escalate this bug.
Comment 9 RHEL Product and Program Management 2011-06-20 17:18:02 EDT
This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.7 and Red Hat does not plan to fix this issue in the currently developed update.

Contact your manager or support representative in case you need to escalate this bug.
Comment 10 RHEL Product and Program Management 2011-08-12 06:29:39 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 14 Jarod Wilson 2011-10-27 09:09:28 EDT
Patch(es) available in kernel-2.6.18-294.el5
You can download this test kernel (or newer) from http://people.redhat.com/jwilson/el5
Detailed testing feedback is always welcomed.
Comment 20 Petr Beňas 2011-11-02 06:59:48 EDT
Verified in 2.6.18-294.el5.
Comment 21 errata-xmlrpc 2012-02-20 22:26:07 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0150.html
