[PATCH AUTOSEL 6.16-6.1] module: Prevent silent truncation of module name in delete_module(2)
From: Sasha Levin
Date: Fri Aug 08 2025 - 11:31:24 EST
From: Petr Pavlu <petr.pavlu@xxxxxxxx>
[ Upstream commit a6323bd4e611567913e23df5b58f2d4e4da06789 ]
Passing a module name longer than MODULE_NAME_LEN to the delete_module
syscall results in its silent truncation. This really isn't much of
a problem in practice, but it could theoretically lead to the removal of an
incorrect module. It is more sensible to return ENAMETOOLONG or ENOENT in
such a case.
Update the syscall to return ENOENT, as documented in the delete_module(2)
man page to mean "No module by that name exists." This is appropriate
because a module with a name longer than MODULE_NAME_LEN cannot be loaded
in the first place.
Signed-off-by: Petr Pavlu <petr.pavlu@xxxxxxxx>
Reviewed-by: Daniel Gomez <da.gomez@xxxxxxxxxxx>
Link: https://lore.kernel.org/r/20250630143535.267745-2-petr.pavlu@xxxxxxxx
Signed-off-by: Daniel Gomez <da.gomez@xxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
LLM Generated explanations, may be completely bogus:
Based on my analysis, here's my assessment:
**Backport Status: YES**
This commit should be backported to stable kernel trees for the
following reasons:
1. **Security Fix for Silent Truncation**: The commit fixes a security-
relevant issue where module names longer than MODULE_NAME_LEN (56
bytes on 64-bit systems) are silently truncated in the
delete_module() syscall. This could theoretically lead to
unintentionally removing the wrong module if two modules share the
same truncated prefix.
2. **Minimal and Contained Change**: The fix is very small and localized
- it only modifies the delete_module syscall implementation in
kernel/module/main.c. The changes are:
- Changes from `strncpy_from_user(name, name_user,
MODULE_NAME_LEN-1)` to `strncpy_from_user(name, name_user,
MODULE_NAME_LEN)`
- Adds proper length checking: `if (len == 0 || len ==
MODULE_NAME_LEN) return -ENOENT;`
- Returns the correct error code (ENOENT) for oversized names
3. **Follows Stable Tree Rules**:
- Fixes a bug that could affect users (incorrect module removal)
- Very low risk of regression - the change only affects error
handling for invalid input
- No new features or architectural changes
- Improves consistency with documented behavior (delete_module(2) man
page)
4. **Prevents Inconsistent Behavior**: The commit message correctly
points out that modules with names longer than MODULE_NAME_LEN cannot
be loaded in the first place, so returning ENOENT for such names in
delete_module makes the behavior consistent across module operations.
5. **Clear Bug Fix**: The old code would accept a 57+ character module
name, truncate it to 56 characters, and potentially remove a
different module. The new code properly rejects such names with
ENOENT, preventing this dangerous silent truncation.
The change is defensive programming that prevents a potential security
issue without introducing any backward compatibility concerns, making it
an ideal candidate for stable backporting.
kernel/module/main.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/kernel/module/main.c b/kernel/module/main.c
index c2c08007029d..cbd637627eb4 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -751,14 +751,16 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
struct module *mod;
char name[MODULE_NAME_LEN];
char buf[MODULE_FLAGS_BUF_SIZE];
- int ret, forced = 0;
+ int ret, len, forced = 0;
if (!capable(CAP_SYS_MODULE) || modules_disabled)
return -EPERM;
- if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
- return -EFAULT;
- name[MODULE_NAME_LEN-1] = '\0';
+ len = strncpy_from_user(name, name_user, MODULE_NAME_LEN);
+ if (len == 0 || len == MODULE_NAME_LEN)
+ return -ENOENT;
+ if (len < 0)
+ return len;
audit_log_kern_module(name);
--
2.39.5