From nobody Mon May 25 06:41:32 2026 Received: from mail-ej1-f42.google.com (mail-ej1-f42.google.com [209.85.218.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 03886155C87 for ; Sun, 17 May 2026 11:01:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779015692; cv=none; b=iS7HXtMl09O6D5a3jK4N7Dmcvsj4I9J86VRuD/e5mI+jMEJw/1zhjW75voVeGfZhIrmuR9EJsV2aztVvph986QNRfW1/AtJ8jPTJdHPDhkT1K/2I7LTdYNXxi5eIp8DLH1WcX5qS0jC+sx4NHoz3g3sQQezrf+0QeUhY3hF2F/Q= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779015692; c=relaxed/simple; bh=5iTJ6uUs213eNLp86NK1cVHRd1P1kMFXqZ3zZMN3vh0=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=MQxnSDRqgcEZGcGu5UPzPBSyBBIjwGhkaaqleK8yKWFuHnId1bjDx4be3fOCU3fT1kgdVj+RnU7uKnC2nZsN68eesD/0sWxDD2RMLEcFO2/bbDNyWjD5ZouGlnxqTbsfeTxmFoLLrvxfTAA4jrt7U92VFPYXJaCVX8OXHdDH5M0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=GgNrJ1F6; arc=none smtp.client-ip=209.85.218.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="GgNrJ1F6" Received: by mail-ej1-f42.google.com with SMTP id a640c23a62f3a-bd4f81505ccso218250966b.1 for ; Sun, 17 May 2026 04:01:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779015689; x=1779620489; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=VgEt85dKjR1TEekAbfA62AOLv8dJx0ApoYmsOz+B63g=; b=GgNrJ1F6bpN1hiFSy5xi6WVSDXq8e6OP4CXq0Jbmc/jna36n0NxZnPhF8xckdDosIG Ba6zXCuLpCtSs3NVcxoPAdTOLZ/fwChDe9GuM3XfPbtVMo1lZSKiUjFwlyIpxQDvbwTj JxZL7LV1US+L2pyltnlx0V8kkpZsH/mHz5atGkM6do8EjtF/hlRz3Dip21XjwM6A72rQ rel8qyhOktBc2gwVr3WTaZ1ZdO1hOkq/SxV0qFj+FzIF5RnaCuv5L6qsTFV6g8ubbUx3 IwTSdQ+GzwDHB5XgmfKY7DOvVurRohpUPMFt57SRydxHNZrM5SrP3pddCzoUezXsirpL F6mQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779015689; x=1779620489; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=VgEt85dKjR1TEekAbfA62AOLv8dJx0ApoYmsOz+B63g=; b=TdNut2wxX9wMWqRc0LGhChEJm2EJoyWw3d3aCmluo2sxPs09MIBjS+scdgSOGjQhfe 99z5Q5beJw3FwkG+b4LV4OB6hZ6BllvnaX6Ewk8KO9pLJ0lZQ/CvNDj0NZ2d+1cwLpQg DsVo3hcZqgWxReolU10ckd52okhrU56g0J9nywKgsjyf87EtlaeTdS7N6tqmYjhI6OD8 CoUJ3Ouv/6jix4f/kNfngeMHUVTDpSSZzsGC9E4Tcg4KLoJra71GuWzFYQdb7jes/0xj sNvladC/BxPQ6JVX1OAAWVaOvC8HjqnMhq58ylEi2vphMI36p56qlTsJSZitmaLVATbW 2P4g== X-Forwarded-Encrypted: i=1; AFNElJ+xa3YuDKuqUEPQXpOXt91yEGqCJWI9O2DdhbpBXfA5Yd9ONeY9dB3VFu0msTIAxUaPPCMRlVXXojC071o=@vger.kernel.org X-Gm-Message-State: AOJu0YxBYXoXtLp/Nt8ExURAp8ByikXfgOicP2qExTU3JggeNyk9ohiL otgnD40AUU7Y/O9ujo4Hkrm6Osn3uN6jsrIOnHYak2NtwwzQwxJsCDpx X-Gm-Gg: Acq92OHMHp5hQbcvWY0v9xC8hSTF5b+R/BMUnAFAzhYk5r2Y8io3ukGocLqhDqbv9KS 8qA9SbVtDs9L0eeVouHozmYElQuK6fkTwr2Fv6DuXCp5LI7hDyIJoP097+9sHsxx1wVXIOuEZRb i9RxJ7pPt8YVPqGiKKl27usYZrAkdyyau+1HoEhiYF7tnXczXxWpau9XsyqG5/8LE5H21QJjIYV PWrJTt1VbyWHg/P9Dm+tMEpZfcv3kmfuRfhbycLuzLjO57m+lKeOELp+TDd3p13qwn1TKjUg/Bv TU09552i5mTYcFRErYIpShLSzNafIiVdazrmq/TtnTHGyB1Pdn8vKEh5yWnpRHe2emVL7IkM3II dwRZVkN7XgndnqXDiaePL9cz9HzHclQeURDcW/jdupwHNyjIhSryiTFIPtJ4OJMOjafZHtNpHqP T5HAvVRhDQNtWpDQVyNp7LYeATnkbAag== X-Received: by 2002:a17:906:6a03:b0:bd2:875d:a8d1 with SMTP id a640c23a62f3a-bd517955151mr502673066b.35.1779015689078; Sun, 17 May 2026 04:01:29 -0700 (PDT) Received: from nixbug.lan ([146.120.47.171]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-bd4f4e4d54dsm435800966b.47.2026.05.17.04.01.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 17 May 2026 04:01:28 -0700 (PDT) From: Andrii Kuchmenko To: linux-modules@vger.kernel.org Cc: mcgrof@kernel.org, dmitry.torokhov@gmail.com, linux-kernel@vger.kernel.org, Andrii Kuchmenko , stable@vger.kernel.org Subject: [PATCH] module: decompress: check return value of module_extend_max_pages() Date: Sun, 17 May 2026 14:00:37 +0300 Message-ID: <20260517110037.21506-1-capyenglishlite@gmail.com> X-Mailer: git-send-email 2.51.2 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" module_extend_max_pages() calls kvrealloc() internally and returns -ENOMEM on allocation failure. The return value is never checked. The decompression loop then continues calling module_get_next_page(), which writes struct page pointers into info->pages[]. When used_pages reaches the stale max_pages value (not updated due to the failed extend), a subsequent write to info->pages[used_pages++] goes out of bounds into adjacent heap memory. Adjacent slab objects in the same kmalloc cache (pipe_buffer, seq_operations, cred) can be corrupted, potentially leading to local privilege escalation on kernels without SLAB_VIRTUAL mitigation. The call order in finit_module() is: module_decompress() <- vulnerable, runs FIRST load_module() module_sig_check() <- signature check, runs SECOND Decompression happens before signature verification. A crafted compressed module submitted via finit_module(MODULE_INIT_COMPRESSED_FILE) reaches this code path before any signature gate is applied. On kernels with module.sig_enforce=3D0 (default without SecureBoot) or with unprivileged user namespaces (Ubuntu, Debian default), this is reachable without CAP_SYS_MODULE. Confirmed present in mainline (tested on v6.14-rc3). Fix: add the missing error check after module_extend_max_pages() and return immediately on failure. This matches the pattern used by every other kvrealloc() caller in the module loading path. Fixes: 169a58ad824d ("module: add in-kernel support for decompressing") Cc: Dmitry Torokhov Cc: Luis Chamberlain Cc: stable@vger.kernel.org Signed-off-by: Andrii Kuchmenko --- kernel/module/decompress.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kernel/module/decompress.c b/kernel/module/decompress.c index a1b2c3d4e5f6..b7c8d9e0f1a2 100644 --- a/kernel/module/decompress.c +++ b/kernel/module/decompress.c @@ -XXX,10 +XXX,13 @@ int module_decompress(struct load_info *info, const void *buf, size_t size) { unsigned int n_pages; - int error; + int error =3D 0; ssize_t data_size; =20 n_pages =3D DIV_ROUND_UP(size, PAGE_SIZE) * 2; + error =3D module_extend_max_pages(info, n_pages); + if (error) + return error; + data_size =3D MODULE_DECOMPRESS_FN(info, buf, size); if (data_size < 0) { error =3D data_size; --=20 2.39.0