[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Don't load kernel modules from the current directory, second diff
Am 04.08.11 13:37, schrieb John Nemeth:
> On Dec 25, 7:20am, Marc Balmer wrote:
> } Subject: Re: Don't load kernel modules from the current directory, second
> } This is a multi-part message in MIME format.
> } --------------030702090605080608070109
> } Content-Type: text/plain; charset=ISO-8859-15
> } Content-Transfer-Encoding: 7bit
> } Thanks to all that replied to my initial diff. This second version is
> } better, it allows to load a module from the filesystem with either an
> } absolute path starting with '/' or a relative path starting with '.'.
> } So you can still load a module from the CWD using
> } modload ./mymodule.kmod
> } module_load_vfs() is changed in two ways: When a module is loaded from
> } the path given to modload, it must start with either '.' or '/'. If a
> } path is constructed to load the module from the system module area, it
> } must not start with '.' or '/'.
> If you really want to beef up the security of loading from the
> system module area, you should make sure there is no / anywhere in
> name. Granted, with name being added to path twice, it will be very
> difficult to come up with something that will escape the system module
> area and load some random module (even without your change to that
> } kobj_load_vfs() will only load an object with a path starting with
> } either '/' or '.'
> }-- End of excerpt from Marc Balmer
Well, indeed I think the second part of the change to module_load_vfs()
can be ommitted. Primary goal if my patch is to prevent inadvertently
loading from CWD when actually loading from the system module area was
Main Index |
Thread Index |