[6.10.0-rc2] kernel/module: avoid panic on loading broken module

Commit Message

Daniel v. Kirschten June 6, 2024, 1:31 p.m. UTC

If a module is being loaded, and the .gnu.linkonce.this_module section
in the module's ELF file does not have the WRITE flag, the kernel will
map the finished module struct of that module as read-only.
This causes a kernel panic when the struct is written to the first time
after it has been marked read-only. Currently this happens in
complete_formation in kernel/module/main.c:2765 when the module's state is
set to MODULE_STATE_COMING, just after setting up the memory protections.

Down the line, this seems to lead to unpredictable freezes when trying to
load other modules - I guess this is due to some structures not being
cleaned up properly, but I didn't investigate this further.

A check already exists which verifies that .gnu.linkonce.this_module
is ALLOC. This patch simply adds an analogous check for WRITE.

Signed-off-by: Daniel Kirschten <danielkirschten@gmail.com>
---
  kernel/module/main.c | 6 ++++++
  1 file changed, 6 insertions(+)

Patch

diff --git a/kernel/module/main.c b/kernel/module/main.c
index d18a94b973e1..abba097551a2 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -1886,6 +1886,12 @@  static int elf_validity_cache_copy(struct load_info *info, int flags)
                 goto no_exec;
         }
  
+       if (!(shdr->sh_flags & SHF_WRITE)) {
+               pr_err("module %s: .gnu.linkonce.this_module must be writable\n",
+                      info->name ?: "(missing .modinfo section or name field)");
+               goto no_exec;
+       }
+
         if (shdr->sh_size != sizeof(struct module)) {
                 pr_err("module %s: .gnu.linkonce.this_module section size must match the kernel's built struct module size at run time\n",
                        info->name ?: "(missing .modinfo section or name field)");