From patchwork Tue Mar 11 20:25:53 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 23011 Received: from mail.tu-berlin.de ([130.149.7.33]) by www.linuxtv.org with esmtp (Exim 4.72) (envelope-from ) id 1WNTGD-0003f6-E1; Tue, 11 Mar 2014 21:26:49 +0100 X-tubIT-Incoming-IP: 209.132.180.67 Received: from vger.kernel.org ([209.132.180.67]) by mail.tu-berlin.de (exim-4.72/mailfrontend-7) with esmtp id 1WNTGB-0005Mh-1J; Tue, 11 Mar 2014 21:26:49 +0100 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755570AbaCKU0Q (ORCPT + 1 other); Tue, 11 Mar 2014 16:26:16 -0400 Received: from smtp.outflux.net ([198.145.64.163]:35167 "EHLO smtp.outflux.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755459AbaCKU0O (ORCPT ); Tue, 11 Mar 2014 16:26:14 -0400 Received: from www.outflux.net (serenity.outflux.net [10.2.0.2]) by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2.1) with ESMTP id s2BKPrEZ000432; Tue, 11 Mar 2014 13:25:53 -0700 Date: Tue, 11 Mar 2014 13:25:53 -0700 From: Kees Cook To: linux-kernel@vger.kernel.org Cc: Mauro Carvalho Chehab , David =?iso-8859-1?Q?H=E4rdeman?= , Sean Young , Juergen Lock , Srinivas Kandagatla , linux-media@vger.kernel.org Subject: [PATCH] media: rc-core: use %s in rc_map_get() module load Message-ID: <20140311202553.GA24552@www.outflux.net> MIME-Version: 1.0 Content-Disposition: inline X-MIMEDefang-Filter: outflux$Revision: 1.316 $ X-HELO: www.outflux.net X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1 Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2014.3.11.201814 X-PMX-Spam: Gauge=IIIIIIIII, Probability=9%, Report=' MULTIPLE_RCPTS 0.1, HTML_00_01 0.05, HTML_00_10 0.05, MSGID_ADDED_BY_MTA 0.05, BODYTEXTP_SIZE_3000_LESS 0, BODY_SIZE_1200_1299 0, BODY_SIZE_2000_LESS 0, BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, DATE_TZ_NA 0, URI_ENDS_IN_HTML 0, __ANY_URI 0, __CD 0, __CP_URI_IN_BODY 0, __CT 0, __CT_TEXT_PLAIN 0, __HAS_FROM 0, __HAS_MSGID 0, __HAS_X_MAILING_LIST 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __MULTIPLE_RCPTS_CC_X2 0, __SANE_MSGID 0, __SUBJ_ALPHA_END 0, __TO_MALFORMED_2 0, __TO_NO_NAME 0, __URI_NO_WWW 0, __URI_NS ' rc_map_get() takes a single string literal for the module to load, so make sure it cannot be used as a format string in the call to request_module(). Signed-off-by: Kees Cook --- On another security note, this raw request_module() call should have some kind of prefix associated with it to make sure it can't be used to load arbitrary modules. For example, request_module("probe-%s", name) or something, as done for crypto, binfmts, etc. --- drivers/media/rc/rc-main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c index 02e2f38c9c85..dca97aa0a51e 100644 --- a/drivers/media/rc/rc-main.c +++ b/drivers/media/rc/rc-main.c @@ -62,7 +62,7 @@ struct rc_map *rc_map_get(const char *name) map = seek_rc_map(name); #ifdef MODULE if (!map) { - int rc = request_module(name); + int rc = request_module("%s", name); if (rc < 0) { printk(KERN_ERR "Couldn't load IR keymap %s\n", name); return NULL;