From nobody Mon May 25 05:12:53 2026
Received: from mail-ed1-f52.google.com (mail-ed1-f52.google.com
 [209.85.208.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6E7C529ACFD
	for <linux-kernel@vger.kernel.org>; Mon, 18 May 2026 14:33:18 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.208.52
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1779114799; cv=none;
 b=cbFhkBd/w9FZn1FITivOtIdPWRzr1IrymJUNP8Xj5s9nfEYFxckQxKdmcJzAfHrt5Mfa+sb6uWMbPir3rSTQmm90PeDDbDKhFVgGkw+h+LrcUjZFopFgJO8IaCueCacKAy7hZNdbh2tHEQLUBipygAiOE3V1DKJTg51z0ZgnA0Y=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1779114799; c=relaxed/simple;
	bh=CHhU3OrOdk340qyqkitwJIqaC84MqZ7shflUGPh4pxI=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=IlcgsRjuBZsWC9HIZ1akDHnn2P0XKRBcGUvHRLEfHw+BDnwHl/Cvcel7ONuKPjFLBMqc0H9AUwYRAwoBf/iCK/AHhpM8PXOtoP62QkNy+c1N9WjY0iKymAAiOfksqDo4gRoYNKaj9Da7cGSxwoyEqC7r/61Ac39jvHzblljHtx4=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=NOLKuC7J; arc=none smtp.client-ip=209.85.208.52
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="NOLKuC7J"
Received: by mail-ed1-f52.google.com with SMTP id
 4fb4d7f45d1cf-67c4aaf76ecso4155811a12.3
        for <linux-kernel@vger.kernel.org>;
 Mon, 18 May 2026 07:33:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1779114797; x=1779719597;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=wbt3n/YhJ+P2VJtD3JU+1cQAnR79ZzwjF6VuK9LVFGM=;
        b=NOLKuC7J2pAbK9B2JLJd/uK3HY516XbyKgSiK1uzDIBlFPcTN6YyAcqL2F/+vRZMNQ
         dF9WwuzIq2NmFGATITetxqJFam8PgHFENk+Afh/DzMkPJSmyx/h0t8Pn/5hJdmd17+Mf
         8WxwaKlQcG9Su178SbgAJ+iQQSYbXuENlzaaQmGovCS0lkxLoaU4wlJ7mX97ayyki/Uq
         va5FTMtbwjgHh3TnBOudU/A0krUj++ACU63CbXfksJ7BbeCmnLmbPSH940SXAVVdvbP8
         pZxh9pF3qI8JZH5+AAW4eLl0+bBuVhghORSUdN3XNgSl2FKu3JP9PjSudTLK1qSBB4x1
         CdpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1779114797; x=1779719597;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=wbt3n/YhJ+P2VJtD3JU+1cQAnR79ZzwjF6VuK9LVFGM=;
        b=XJDz7wm9xO1yqjjd+3YE8eQ9QBqLC7oorKBdAElHYnYwRVa7mFEsfsom2HBM4UO9lX
         rjMtpNkP7VtrVlUAwqyUjwyk1yh7PjvjNe1Oxe1HIu6eEc0CSVQC8Q6hJUWDrF8OEL4I
         MYNBLtWipuOLgqSlfpIE0YFwoxb7KHm1TjqVHuIjEq2eYkrqatDsmXZxAXugbUN8dm9t
         JY7TEirvhxa8Iavq9nRvaHTiMi5rFlOHQea0LxDSmvD5qi7RxAh/r8Vqv/JagV+zjiuI
         kacMfInzrK/rXlSXd4LfjrlakfKqbnSm2eZ9/KSQo06lStNA5Ei1mFVz1TdBpSG9eX1/
         U5/w==
X-Forwarded-Encrypted: i=1;
 AFNElJ8fDsdSeVo9bbbKrRHkJleywzMN+EkMf5aCnwOX3fpdgQvA+O5yacteZmlst1UjPhmA7VVV9cAkrp4Uh/o=@vger.kernel.org
X-Gm-Message-State: AOJu0YxAz30ObE7LNC9tK+5xgzDdAU6SfnXqbGR2b0fhQDKvXEm6G2Pb
	Leg6J8ttr3p39Bxmxp9Z0AKUYC2RSPW/6JZsKcEH5OX3ikDO6CLBveNQ
X-Gm-Gg: Acq92OFTVBnbUsZ04QN6e9jJdw/Bf21HwXMh6ekontqceoBYUdVIwHqH+TDBiNtujjL
	NRZ5ZqPwm6P+TclNDjgcooB+0ZmqRF0FEPEhVZ/9iOkHNHxMbcLCWP8z3AXuiPfgZFbpPNd0N5j
	8rk/2zeK2182+3KO0QZyHa12hP16iteOel4TYHFdpe9WiaAa+xx0l4xTqICUtUisvbbg9EzaPgX
	V8p9s5nxJ0dM2VfnwRuHeHFLlcQStDu/xrNpuv73WEAC6G7WoKNeacpRIm5dyASxDkVrKuvvjbQ
	KWXpJi5UlO70+Sl5YGBg/FjEorNnyLttPKQgJil6BI/x/+1p7yTK7/dtB9IxJqdWNrc/f0GzuvO
	s4fYemkcAGSQ7BC9P3smp1gMDUuiKampVsrHMK9KEsKQS8Yg80dCvSBVyQ+4RJHjK3TYYTrHvGB
	0PEEd0S2kTg+cbmsVc1+IEXhdgPSsTi8dKUujSYhnFwF0DqJJBJuI=
X-Received: by 2002:a17:907:15d6:b0:bcd:53e5:c8f1 with SMTP id
 a640c23a62f3a-bd5177e2d11mr620050866b.13.1779114796477;
        Mon, 18 May 2026 07:33:16 -0700 (PDT)
Received: from nixbug.lan ([146.120.47.171])
        by smtp.gmail.com with ESMTPSA id
 a640c23a62f3a-bd4f4dee08fsm563732966b.29.2026.05.18.07.33.15
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 18 May 2026 07:33:16 -0700 (PDT)
From: Andrii Kuchmenko <capyenglishlite@gmail.com>
To: linux-modules@vger.kernel.org
Cc: chleroy@kernel.org,
	mcgrof@kernel.org,
	dmitry.torokhov@gmail.com,
	linux-kernel@vger.kernel.org,
	stable@vger.kernel.org,
	Andrii Kuchmenko <capyenglishlite@gmail.com>
Subject: [PATCH v2] module: decompress: check return value of
 module_extend_max_pages()
Date: Mon, 18 May 2026 17:32:33 +0300
Message-ID: <20260518143233.16091-1-capyenglishlite@gmail.com>
X-Mailer: git-send-email 2.51.2
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

module_extend_max_pages() calls kvrealloc() internally and returns
-ENOMEM on allocation failure. The return value is never checked.
The decompression loop then continues calling module_get_next_page(),
which writes struct page pointers into info->pages[]. When used_pages
reaches the stale max_pages value (not updated due to the failed
extend), a subsequent write to info->pages[used_pages++] goes out of
bounds into adjacent heap memory.

Adjacent slab objects in the same kmalloc cache (pipe_buffer,
seq_operations, cred) can be corrupted, potentially leading to local
privilege escalation on kernels without SLAB_VIRTUAL mitigation.

The call order in finit_module() is:

  module_decompress()    <- vulnerable, runs FIRST
  load_module()
    module_sig_check()   <- signature check, runs SECOND

Decompression happens before signature verification. A crafted
compressed module submitted via finit_module(MODULE_INIT_COMPRESSED_FILE)
reaches this code path before any signature gate is applied. On kernels
with module.sig_enforce=3D0 (default without SecureBoot) or with
unprivileged user namespaces (Ubuntu, Debian default), this is
reachable without CAP_SYS_MODULE.

Confirmed present in mainline (tested on v6.14-rc3).

Fix: add the missing error check after module_extend_max_pages() and
return immediately on failure. This matches the pattern used by every
other kvrealloc() caller in the module loading path.

Fixes: 169a58ad824d ("module: add in-kernel support for decompressing")
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Andrii Kuchmenko <capyenglishlite@gmail.com>
Reviewed-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
---
Changes in v2:
 - Remove unnecessary initialization of 'error' to 0 (Christophe Leroy)
 - Remove unrelated blank line after if (error) return error (Christophe Le=
roy)

 kernel/module/decompress.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/module/decompress.c b/kernel/module/decompress.c
--- a/kernel/module/decompress.c
+++ b/kernel/module/decompress.c
@@ -XXX,9 +XXX,12 @@ int module_decompress(struct load_info *info,
 				const void *buf, size_t size)
 {
 	unsigned int n_pages;
 	int error;
 	ssize_t data_size;
=20
 	n_pages =3D DIV_ROUND_UP(size, PAGE_SIZE) * 2;
 	error =3D module_extend_max_pages(info, n_pages);
+	if (error)
+		return error;
 	data_size =3D MODULE_DECOMPRESS_FN(info, buf, size);
 	if (data_size < 0) {
 		error =3D data_size;
--=20
2.39.0