Linus,
I have a patch that fixes some minor module-related bugs. The patch
is against a 2.0.17 stock kernel patched to 2.0.18. The bugs fixed
allowed any user process to cause a kernel oops, either by passing NULL
strings or bum pointers to various module-related functions. Mainly,
the patch inserts the appropriate verify_area calls necessary to prevent
kernel oopses.
Also, I have a patch which enables shared, writable, anonymous mmap()'s,
which I've also included as the second patch. Essentially the same effect
can be achieved using IPC shared memory regions; however, this works
without full SysV IPC support. I've tried it and not been able to make
it fail; are there other architectures for which this will fail?
Forgive me if I'm erring greatly in this email... this is my first
meaningful kernel patch submission.
Thanks,
- --Joe Zbiciak
diff -r -u linux-2.0.18-stock/drivers/sound/soundvers.h linux-2.0.18-jz/drivers/sound/soundvers.h
- --- linux-2.0.18-stock/drivers/sound/soundvers.h Sun Jun 30 22:30:35 1996
+++ linux-2.0.18-jz/drivers/sound/soundvers.h Sat Aug 3 16:07:53 1996
@@ -1,2 +1,4 @@
#define SOUND_VERSION_STRING "3.5.4-960630"
#define SOUND_INTERNAL_VERSION 0x030504
+#define SOUND_CONFIG_HOST "mixed-nuts"
+#define SOUND_CONFIG_DOMAIN "asylum.net"
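Review bot: The two added defines, `SOUND_CONFIG_HOST "mixed-nuts"` and `SOUND_CONFIG_DOMAIN "asylum.net"`, are unrelated to the module and mmap changes the description announces. They look like output of a local sound-driver configuration run rather than an intended edit. They should be dropped from the submission, since they would put one build machine's host and domain name into everyone's tree.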
Only in linux-2.0.18-jz/include/linux: vm86.h
diff -r -u linux-2.0.18-stock/kernel/module.c linux-2.0.18-jz/kernel/module.c
- --- linux-2.0.18-stock/kernel/module.c Tue May 21 04:00:30 1996
+++ linux-2.0.18-jz/kernel/module.c Mon Jul 8 03:05:42 1996
@@ -42,6 +42,11 @@
*
* - Use dummy syscall functions for users who disable all
* module support. Similar to kernel/sys.c (Paul Gortmaker)
+ *
+ * - Added call to verify_area(), and fixed "null module name"
+ * (zero-length string passed as module name) in get_mod_name()
+ * Joe Zbiciak <jzbiciak@micro.ti.com>
+ *
*/
#ifdef CONFIG_MODULES /* a *big* #ifdef block... */
@@ -385,13 +390,19 @@
int
get_mod_name(char *user_name, char *buf)
{
+ int error;
int i;
- - i = 0;
+ if ((error=verify_area(VERIFY_READ,user_name,1)) != 0)
+ return error;
for (i = 0 ; (buf[i] = get_user(user_name + i)) != '\0' ; ) {
+ if ((error=verify_area(VERIFY_READ,user_name+i,1)) != 0)
+ return error;
if (++i >= MOD_MAX_NAME)
return -E2BIG;
}
+ if (!i)
+ return -EINVAL;
return 0;
}
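Review bot: The verify_area() added inside the loop checks `user_name+i` before `i` is incremented, which is the byte that get_user() in the loop condition has already read. Every byte after the first is therefore still fetched from user space unverified, and a name that runs off the end of a readable area can still fault. Move the check after the increment so it covers the address the next iteration reads: `if (++i >= MOD_MAX_NAME) return -E2BIG;` followed by `if ((error = verify_area(VERIFY_READ, user_name + i, 1)) != 0) return error;`. A short comment that the name is verified byte by byte because its length is unknown until the NUL is found would also help. Note that `buf` is left unterminated on the error returns.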
diff -r -u linux-2.0.18-stock/mm/mmap.c linux-2.0.18-jz/mm/mmap.c
- --- linux-2.0.18-stock/mm/mmap.c Thu Sep 5 18:54:52 1996
+++ linux-2.0.18-jz/mm/mmap.c Thu Sep 5 23:39:30 1996
@@ -189,7 +189,10 @@
return -ETXTBSY;
}
} else if ((flags & MAP_TYPE) != MAP_PRIVATE)
- - return -EINVAL;
+ {
+ /*return -EINVAL; */ /* joe's hack... :-) */
+ flags |= MAP_SHARED;
+ }
/*
* obtain the address to map to. we verify (or select) it and ensure
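Review bot: For an anonymous mapping this branch now accepts every `flags & MAP_TYPE` value other than MAP_PRIVATE, not only MAP_SHARED, so an invalid type is silently turned into a shared mapping instead of being rejected. Keep the rejection for anything that is not one of the two known types: `} else if ((flags & MAP_TYPE) != MAP_PRIVATE && (flags & MAP_TYPE) != MAP_SHARED)` with `return -EINVAL;`. With that test the `flags |= MAP_SHARED` is no longer needed. The commented-out return and the "joe's hack" remark should give way to a comment stating which mapping types an anonymous mapping may have. The enclosing function starts and ends outside the hunk.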
@@ -241,8 +244,11 @@
if (!(file->f_mode & 2))
vma->vm_flags &= ~(VM_MAYWRITE | VM_SHARED);
}
- - } else
+ } else { /* joe's hack continued */
vma->vm_flags |= VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
+ if (flags & MAP_SHARED)
+ vma->vm_flags |= VM_SHARED | VM_MAYSHARE;
+ }
vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f];
vma->vm_ops = NULL;
vma->vm_offset = off;
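Review bot: The new else-branch marks an anonymous mapping `VM_SHARED | VM_MAYSHARE`, but the context line after it still sets `vma->vm_ops = NULL`, so nothing in this hunk gives the mapping operations of its own. Whether its pages stay shared across fork, and after being swapped out and back in, is decided by code outside the hunk. That should be checked before this is relied on, and it may be the failure case the description asks about. I would replace the "joe's hack continued" remark with something like `/* anonymous mapping: shared only if MAP_SHARED was requested; no vm_ops */`. The enclosing function starts and ends outside the hunk.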
@@ -270,7 +276,8 @@
flags = vma->vm_flags;
insert_vm_struct(current, vma);
- - merge_segments(current, vma->vm_start, vma->vm_end);
+ if (file || !(flags & MAP_SHARED))
+ merge_segments(current, vma->vm_start, vma->vm_end);
/* merge_segments might have merged our vma, so we can't use it any more */
current->mm->total_vm += len >> PAGE_SHIFT;
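Review bot: The added condition tests `flags & MAP_SHARED`, but the context line just above it reassigns `flags = vma->vm_flags`, so at this point `flags` holds VM_* bits rather than the mmap() MAP_* flags. The test therefore reads whichever VM_* bit shares MAP_SHARED's value, and the merge may be skipped or performed for the wrong mappings. Test the vma flag instead: `if (file || !(flags & VM_SHARED))`. A one-line comment saying why shared anonymous areas must not be merged with their neighbours would also help. The enclosing function starts and ends outside the hunk.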
- --
:======= Joe Zbiciak =======: "Miracles are so called because they excite
:- - im14u2c@bradley.edu - -: wonder. In unphilosophical minds any rare
: - - - - - http: - - - - - : or unexpected thing excites wonder, while
://ee1.bradley.edu/~im14u2c/: in the philosophical mind the familiar
:======= DISCLAIMER: =======: excites wonder also."
:=This is the fiction that =: -- George Santayana
:= makes fact refreshing...=:
(534:832 4:15)
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQC5AwUBMi+zU0v9xfqi3QE1AQHjNwUgqmsKLDFc8LplMr9s9Cp0SspVlDC1FZHH
OCLFQ7/yDRVXkrk7bWmB+1JWiebdiI5Lo8euRu3zHbQnR0ghdua3d+oJtDkbFO3H
Lsra/kW+n+fb3ArSnFwpKBe1d3oXZO4Ot8jwMWW+R5M5cXeOsIW0G+J54qoW15Gz
c+mECpRtKMMbsNElUmDHJoKbUsEUhib4CJmmm5mTq5cOiL4sm1cCDu+wEpg=
=5vPr
-----END PGP SIGNATURE-----