commit fb827ec68446c83e9e8754fa9b55aed27ecc4661
author Linus Torvalds <torvalds@linux-foundation.org> Wed May 23 17:34:09 2012 -0700
committer Linus Torvalds <torvalds@linux-foundation.org> Wed May 23 17:34:09 2012 -0700
tree e953aedce01fa1c90a8e7b591e40310c3c1e7447
parent d5b4bb4d103cd601d8009f2d3a7e44586c9ae7cc
parent ef26a5a6eadb7cd0637e1e9e246cd42505b8ec8c

Merge tag 'module-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus

Pull module patches from Rusty Russell, who really sells them:
 "Three trivial patches of no real utility.  Modules are boring."

But to make things slightly more exciting, he adds:
 "Fortunately David Howells is looking to change this, with his module
  signing patchset.  But that's for next merge window...

  Cheers,
  Rusty."

* tag 'module-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus:
  Guard check in module loader against integer overflow
  modpost: use proper kernel style for autogenerated files
  modpost: Stop grab_file() from leaking filedescriptors if fstat() fails

kernel/module.c

diff --git a/kernel/module.c b/kernel/module.c
index a4e6097..4edbd9c 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2429,7 +2429,8 @@
 		goto free_hdr;
 	}
 
-	if (len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr)) {
+	if (hdr->e_shoff >= len ||
+	    hdr->e_shnum * sizeof(Elf_Shdr) > len - hdr->e_shoff) {
 		err = -ENOEXEC;
 		goto free_hdr;
 	}

scripts/mod/modpost.c

diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index c4e7d15..0f84bb3 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -337,17 +337,20 @@
 void *grab_file(const char *filename, unsigned long *size)
 {
 	struct stat st;
-	void *map;
+	void *map = MAP_FAILED;
 	int fd;
 
 	fd = open(filename, O_RDONLY);
-	if (fd < 0 || fstat(fd, &st) != 0)
+	if (fd < 0)
 		return NULL;
+	if (fstat(fd, &st))
+		goto failed;
 
 	*size = st.st_size;
 	map = mmap(NULL, *size, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);
-	close(fd);
 
+failed:
+	close(fd);
 	if (map == MAP_FAILED)
 		return NULL;
 	return map;
@@ -1850,14 +1853,14 @@
 	buf_printf(b, "\n");
 	buf_printf(b, "struct module __this_module\n");
 	buf_printf(b, "__attribute__((section(\".gnu.linkonce.this_module\"))) = {\n");
-	buf_printf(b, " .name = KBUILD_MODNAME,\n");
+	buf_printf(b, "\t.name = KBUILD_MODNAME,\n");
 	if (mod->has_init)
-		buf_printf(b, " .init = init_module,\n");
+		buf_printf(b, "\t.init = init_module,\n");
 	if (mod->has_cleanup)
 		buf_printf(b, "#ifdef CONFIG_MODULE_UNLOAD\n"
-			      " .exit = cleanup_module,\n"
+			      "\t.exit = cleanup_module,\n"
 			      "#endif\n");
-	buf_printf(b, " .arch = MODULE_ARCH_INIT,\n");
+	buf_printf(b, "\t.arch = MODULE_ARCH_INIT,\n");
 	buf_printf(b, "};\n");
 }