[PATCH] Fix use-after-free when trying to load an invalid module

[PATCH] Fix use-after-free when trying to load an invalid module

[Luca Barbieri]

mod->module_core contains the mod structure, so it must be freed after
mod->percpu.
However, initialization happens in the opposite order because mod is
moved after that, so we need to initialize module_core to 0 and check it
later.

--- linux-2.5.70/kernel/module.c~	2003-06-02 10:50:57.000000000 +0200
+++ linux-2.5.70/kernel/module.c	2003-06-11 18:08:47.000000000 +0200
@@ -1417,6 +1417,7 @@ static struct module *load_module(void _
 	if (err < 0)
 		goto free_mod;
 
+	mod->module_core = NULL;
 	if (pcpuindex) {
 		/* We have a special allocation for this section. */
 		mod->percpu = percpu_modalloc(sechdrs[pcpuindex].sh_size,
@@ -1565,10 +1566,12 @@ static struct module *load_module(void _
 	module_unload_free(mod);
 	module_free(mod, mod->module_init);
  free_core:
-	module_free(mod, mod->module_core);
  free_percpu:
 	if (mod->percpu)
 		percpu_modfree(mod->percpu);
+
+	if(mod->module_core)
+		module_free(mod, mod->module_core);
  free_mod:
 	kfree(args);
  free_hdr:


-- 
Luca Barbieri <lb@lb.ods.org>

Re: [PATCH] Fix use-after-free when trying to load an invalid module

[Rusty Russell]

In message <1055592512.3810.12.camel@home.lb.ods.org> you write:
> mod->module_core contains the mod structure, so it must be freed after
> mod->percpu.
> However, initialization happens in the opposite order because mod is
> moved after that, so we need to initialize module_core to 0 and check it
> later.

Thanks for the fix!  This was fixed another way, though, in Linus'
tree.

Thanks,
Rusty.
--
  Anyone who quotes me in their sig is an idiot. -- Rusty Russell.