From ae83f3b72621bd3187eb7956c7c2993a97d4b187 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Thu, 9 Oct 2025 20:06:09 -0700 Subject: module: Add compile-time check for embedded NUL characters Long ago, the kernel module license checks were bypassed by embedding a NUL character in the MODULE_LICENSE() string[1]. By using a string like "GPL\0proprietary text", the kernel would only read "GPL" due to C string termination at the NUL byte, allowing proprietary modules to avoid kernel tainting and access GPL-only symbols. The MODULE_INFO() macro stores these strings in the .modinfo ELF section, and get_next_modinfo() uses strcmp()-family functions which stop at the first NUL. This split the embedded string into two separate .modinfo entries, with only the first part being processed by license_is_gpl_compatible(). Add a compile-time check using static_assert that compares the full string length (sizeof - 1) against __builtin_strlen(), which stops at the first NUL. If they differ, compilation fails with a clear error message. While this check can still be circumvented by modifying the ELF binary post-compilation, it prevents accidental embedded NULs and forces intentional abuse to require deliberate binary manipulation rather than simple source-level tricks. Build tested with test modules containing both valid and invalid license strings. The check correctly rejects: MODULE_LICENSE("GPL\0proprietary") while accepting normal declarations: MODULE_LICENSE("GPL") Link: https://lwn.net/Articles/82305/ [1] Suggested-by: Rusty Russell Signed-off-by: Kees Cook Reviewed-by: Daniel Gomez Reviewed-by: Aaron Tomlin Reviewed-by: Petr Pavlu Tested-by: Daniel Gomez Signed-off-by: Daniel Gomez --- include/linux/moduleparam.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'include/linux/moduleparam.h') diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h index 6907aedc4f74..915f32f7d888 100644 --- a/include/linux/moduleparam.h +++ b/include/linux/moduleparam.h @@ -26,6 +26,9 @@ /* Generic info of form tag = "info" */ #define MODULE_INFO(tag, info) \ + static_assert( \ + sizeof(info) - 1 == __builtin_strlen(info), \ + "MODULE_INFO(" #tag ", ...) contains embedded NUL byte"); \ static const char __UNIQUE_ID(modinfo)[] \ __used __section(".modinfo") __aligned(1) \ = __MODULE_INFO_PREFIX __stringify(tag) "=" info -- cgit v1.2.3 From b68758e6f4307179247126b7641fa7ba7109c820 Mon Sep 17 00:00:00 2001 From: Randy Dunlap Date: Sun, 14 Dec 2025 12:23:57 -0800 Subject: modules: moduleparam.h: fix kernel-doc comments Fix kernel-doc comments to prevent kernel-doc warnings: Warning: include/linux/moduleparam.h:364 function parameter 'arg' not described in '__core_param_cb' Warning: include/linux/moduleparam.h:395 No description found for return value of 'parameq' Warning: include/linux/moduleparam.h:405 No description found for return value of 'parameqn' Signed-off-by: Randy Dunlap Reviewed-by: Petr Pavlu [Sami: Clarified the commit message] Signed-off-by: Sami Tolvanen --- include/linux/moduleparam.h | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'include/linux/moduleparam.h') diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h index 915f32f7d888..c03db3c2fd40 100644 --- a/include/linux/moduleparam.h +++ b/include/linux/moduleparam.h @@ -355,8 +355,8 @@ static inline void kernel_param_unlock(struct module *mod) /** * __core_param_cb - similar like core_param, with a set/get ops instead of type. * @name: the name of the cmdline and sysfs parameter (often the same as var) - * @var: the variable * @ops: the set & get operations for this parameter. + * @arg: the variable * @perm: visibility in sysfs * * Ideally this should be called 'core_param_cb', but the name has been @@ -390,7 +390,7 @@ static inline void kernel_param_unlock(struct module *mod) * @name1: parameter name 1 * @name2: parameter name 2 * - * Returns true if the two parameter names are equal. + * Returns: true if the two parameter names are equal. * Dashes (-) are considered equal to underscores (_). */ extern bool parameq(const char *name1, const char *name2); @@ -402,6 +402,10 @@ extern bool parameq(const char *name1, const char *name2); * @n: the length to compare * * Similar to parameq(), except it compares @n characters. + * + * Returns: true if the first @n characters of the two parameter names + * are equal. + * Dashes (-) are considered equal to underscores (_). */ extern bool parameqn(const char *name1, const char *name2, size_t n); -- cgit v1.2.3 From 25b66674b1036c1eb3069bf62329a9c60850d782 Mon Sep 17 00:00:00 2001 From: Yury Norov Date: Thu, 15 Jan 2026 23:25:05 -0500 Subject: moduleparam: include required headers explicitly The following patch drops moduleparam.h dependency on kernel.h. In preparation to it, list all the required headers explicitly. Link: https://lkml.kernel.org/r/20260116042510.241009-3-ynorov@nvidia.com Signed-off-by: Yury Norov Suggested-by: Petr Pavlu Reviewed-by: Petr Pavlu Reviewed-by: Andy Shevchenko Reviewed-by: Joel Fernandes Cc: Aaron Tomlin Cc: Andi Shyti Cc: Christophe Leroy (CS GROUP) Cc: Greg Kroah-Hartman Cc: Jani Nikula Cc: Randy Dunlap Cc: Steven Rostedt (Google) Signed-off-by: Andrew Morton --- include/linux/moduleparam.h | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'include/linux/moduleparam.h') diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h index 915f32f7d888..03a977168c52 100644 --- a/include/linux/moduleparam.h +++ b/include/linux/moduleparam.h @@ -2,9 +2,14 @@ #ifndef _LINUX_MODULE_PARAMS_H #define _LINUX_MODULE_PARAMS_H /* (C) Copyright 2001, 2002 Rusty Russell IBM Corporation */ + +#include +#include +#include #include #include #include +#include /* * The maximum module name length, including the NUL byte. -- cgit v1.2.3 From 90ddd39b881df74b14918cee031154f6ddb7af33 Mon Sep 17 00:00:00 2001 From: Yury Norov Date: Thu, 15 Jan 2026 23:25:06 -0500 Subject: kernel.h: move VERIFY_OCTAL_PERMISSIONS() to sysfs.h The macro is related to sysfs, but is defined in kernel.h. Move it to the proper header, and unload the generic kernel.h. Now that the macro is removed from kernel.h, linux/moduleparam.h is decoupled, and kernel.h inclusion can be removed. Link: https://lkml.kernel.org/r/20260116042510.241009-4-ynorov@nvidia.com Signed-off-by: Yury Norov Acked-by: Randy Dunlap Tested-by: Randy Dunlap Reviewed-by: Andy Shevchenko Reviewed-by: Petr Pavlu Acked-by: Greg Kroah-Hartman Reviewed-by: Joel Fernandes Cc: Aaron Tomlin Cc: Andi Shyti Cc: Christophe Leroy (CS GROUP) Cc: Jani Nikula Cc: Steven Rostedt (Google) Signed-off-by: Andrew Morton --- Documentation/filesystems/sysfs.rst | 2 +- include/linux/kernel.h | 12 ------------ include/linux/moduleparam.h | 2 +- include/linux/sysfs.h | 13 +++++++++++++ 4 files changed, 15 insertions(+), 14 deletions(-) (limited to 'include/linux/moduleparam.h') diff --git a/Documentation/filesystems/sysfs.rst b/Documentation/filesystems/sysfs.rst index 2703c04af7d0..ffcef4d6bc8d 100644 --- a/Documentation/filesystems/sysfs.rst +++ b/Documentation/filesystems/sysfs.rst @@ -120,7 +120,7 @@ is equivalent to doing:: .store = store_foo, }; -Note as stated in include/linux/kernel.h "OTHER_WRITABLE? Generally +Note as stated in include/linux/sysfs.h "OTHER_WRITABLE? Generally considered a bad idea." so trying to set a sysfs file writable for everyone will fail reverting to RO mode for "Others". diff --git a/include/linux/kernel.h b/include/linux/kernel.h index cefe733a0c10..09850b26061c 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -388,16 +388,4 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { } # define REBUILD_DUE_TO_DYNAMIC_FTRACE #endif -/* Permissions on a sysfs file: you didn't miss the 0 prefix did you? */ -#define VERIFY_OCTAL_PERMISSIONS(perms) \ - (BUILD_BUG_ON_ZERO((perms) < 0) + \ - BUILD_BUG_ON_ZERO((perms) > 0777) + \ - /* USER_READABLE >= GROUP_READABLE >= OTHER_READABLE */ \ - BUILD_BUG_ON_ZERO((((perms) >> 6) & 4) < (((perms) >> 3) & 4)) + \ - BUILD_BUG_ON_ZERO((((perms) >> 3) & 4) < ((perms) & 4)) + \ - /* USER_WRITABLE >= GROUP_WRITABLE */ \ - BUILD_BUG_ON_ZERO((((perms) >> 6) & 2) < (((perms) >> 3) & 2)) + \ - /* OTHER_WRITABLE? Generally considered a bad idea. */ \ - BUILD_BUG_ON_ZERO((perms) & 2) + \ - (perms)) #endif diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h index 03a977168c52..281a006dc284 100644 --- a/include/linux/moduleparam.h +++ b/include/linux/moduleparam.h @@ -8,7 +8,7 @@ #include #include #include -#include +#include #include /* diff --git a/include/linux/sysfs.h b/include/linux/sysfs.h index c33a96b7391a..99b775f3ff46 100644 --- a/include/linux/sysfs.h +++ b/include/linux/sysfs.h @@ -808,4 +808,17 @@ static inline void sysfs_put(struct kernfs_node *kn) kernfs_put(kn); } +/* Permissions on a sysfs file: you didn't miss the 0 prefix did you? */ +#define VERIFY_OCTAL_PERMISSIONS(perms) \ + (BUILD_BUG_ON_ZERO((perms) < 0) + \ + BUILD_BUG_ON_ZERO((perms) > 0777) + \ + /* USER_READABLE >= GROUP_READABLE >= OTHER_READABLE */ \ + BUILD_BUG_ON_ZERO((((perms) >> 6) & 4) < (((perms) >> 3) & 4)) + \ + BUILD_BUG_ON_ZERO((((perms) >> 3) & 4) < ((perms) & 4)) + \ + /* USER_WRITABLE >= GROUP_WRITABLE */ \ + BUILD_BUG_ON_ZERO((((perms) >> 6) & 2) < (((perms) >> 3) & 2)) + \ + /* OTHER_WRITABLE? Generally considered a bad idea. */ \ + BUILD_BUG_ON_ZERO((perms) & 2) + \ + (perms)) + #endif /* _SYSFS_H_ */ -- cgit v1.2.3