From: Petr Pavlu petr.pavlu@suse.com
[ Upstream commit a6323bd4e611567913e23df5b58f2d4e4da06789 ]
Passing a module name longer than MODULE_NAME_LEN to the delete_module syscall results in its silent truncation. This really isn't much of a problem in practice, but it could theoretically lead to the removal of an incorrect module. It is more sensible to return ENAMETOOLONG or ENOENT in such a case.
Update the syscall to return ENOENT, as documented in the delete_module(2) man page to mean "No module by that name exists." This is appropriate because a module with a name longer than MODULE_NAME_LEN cannot be loaded in the first place.
Signed-off-by: Petr Pavlu petr.pavlu@suse.com Reviewed-by: Daniel Gomez da.gomez@samsung.com Link: https://lore.kernel.org/r/20250630143535.267745-2-petr.pavlu@suse.com Signed-off-by: Daniel Gomez da.gomez@samsung.com Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
Based on my analysis, here's my assessment:
**Backport Status: YES**
This commit should be backported to stable kernel trees for the following reasons:
1. **Security Fix for Silent Truncation**: The commit fixes a security- relevant issue where module names longer than MODULE_NAME_LEN (56 bytes on 64-bit systems) are silently truncated in the delete_module() syscall. This could theoretically lead to unintentionally removing the wrong module if two modules share the same truncated prefix.
2. **Minimal and Contained Change**: The fix is very small and localized - it only modifies the delete_module syscall implementation in kernel/module/main.c. The changes are: - Changes from `strncpy_from_user(name, name_user, MODULE_NAME_LEN-1)` to `strncpy_from_user(name, name_user, MODULE_NAME_LEN)` - Adds proper length checking: `if (len == 0 || len == MODULE_NAME_LEN) return -ENOENT;` - Returns the correct error code (ENOENT) for oversized names
3. **Follows Stable Tree Rules**: - Fixes a bug that could affect users (incorrect module removal) - Very low risk of regression - the change only affects error handling for invalid input - No new features or architectural changes - Improves consistency with documented behavior (delete_module(2) man page)
4. **Prevents Inconsistent Behavior**: The commit message correctly points out that modules with names longer than MODULE_NAME_LEN cannot be loaded in the first place, so returning ENOENT for such names in delete_module makes the behavior consistent across module operations.
5. **Clear Bug Fix**: The old code would accept a 57+ character module name, truncate it to 56 characters, and potentially remove a different module. The new code properly rejects such names with ENOENT, preventing this dangerous silent truncation.
The change is defensive programming that prevents a potential security issue without introducing any backward compatibility concerns, making it an ideal candidate for stable backporting.
kernel/module/main.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/kernel/module/main.c b/kernel/module/main.c index c2c08007029d..cbd637627eb4 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -751,14 +751,16 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user, struct module *mod; char name[MODULE_NAME_LEN]; char buf[MODULE_FLAGS_BUF_SIZE]; - int ret, forced = 0; + int ret, len, forced = 0;
if (!capable(CAP_SYS_MODULE) || modules_disabled) return -EPERM;
- if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0) - return -EFAULT; - name[MODULE_NAME_LEN-1] = '\0'; + len = strncpy_from_user(name, name_user, MODULE_NAME_LEN); + if (len == 0 || len == MODULE_NAME_LEN) + return -ENOENT; + if (len < 0) + return len;
audit_log_kern_module(name);