Null pointer

1. #include <linux/module.h>
2. #include <linux/kernel.h>
3. #include <linux/init.h>
4. #include <linux/string.h>
5.  
6. // Declare module parameters with explicit parameter types
7. static int input_value = 0;
8. static char *input_string = NULL;
9.  
10. // Use module_param_string for string parameter to ensure proper handling
11. module_param(input_value, int, 0644);
12. MODULE_PARM_DESC(input_value, "An integer input value");
13.  
14. module_param(input_string, charp, 0644);
15. MODULE_PARM_DESC(input_string, "A string input parameter");
16.  
17. // Intentionally declare a NULL pointer to demonstrate vulnerability
18. static int *dangerous_ptr = NULL;
19.  
20. // Module initialization function with user input and null pointer dereference
21. static int __init vulnerable_init(void)
22. {
23. // Print out the user-supplied input values with explicit NULL checks
24. printk(KERN_INFO "Vulnerable Kernel Module Loaded\n");
25.  
26. // Safe integer parameter handling
27. printk(KERN_INFO "Input Value: %d\n", input_value);
28.  
29. // Safe string parameter handling
30. if (input_string) {
31. printk(KERN_INFO "Input String: %s\n", input_string);
32. } else {
33. printk(KERN_WARNING "No string input provided\n");
34. }
35.  
36. // VULNERABILITY: Conditional null pointer dereference
37. // This will cause a kernel panic if the conditions are met
38. if (input_value > 10) {
39. printk(KERN_ALERT "Attempting dangerous pointer dereference\n");
40.  
41. // This will cause a kernel panic if input_value > 10
42. // Dereferencing the NULL pointer
43. if (dangerous_ptr) {
44. *dangerous_ptr = input_value; // Deliberate null pointer dereference
45. } else {
46. printk(KERN_ERR "Error: dangerous_ptr is NULL\n");
47. }
48. }
49.  
50. return 0;
51. }
52.  
53. // Module cleanup function
54. static void __exit vulnerable_exit(void)
55. {
56. printk(KERN_INFO "Vulnerable Kernel Module Unloaded\n");
57. }
58.  
59. // Macro declarations for kernel module
60. module_init(vulnerable_init);
61. module_exit(vulnerable_exit);
62.  
63. MODULE_LICENSE("GPL");
64. MODULE_AUTHOR("Security Research");
65. MODULE_DESCRIPTION("Kernel Module with User Input and Null Pointer Dereference");
66.  
67. ////////
68. #include <linux/module.h>
69. #include <linux/kernel.h>
70. #include <linux/init.h>
71. #include <linux/string.h>
72. #include <linux/slab.h>
73.  
74. // Module parameters for user input
75. static char *input_buffer = NULL;
76. module_param(input_buffer, charp, 0644);
77. MODULE_PARM_DESC(input_buffer, "Input buffer to demonstrate stack overflow");
78.  
79. // Vulnerable function with fixed-size stack buffer
80. static void vulnerable_copy_function(void)
81. {
82. // VULNERABILITY: Fixed-size stack buffer
83. // This buffer is allocated on the kernel stack
84. char local_buffer[64];
85.  
86. // Unsafe copy without length checking
87. // This can cause stack overflow if input is longer than buffer
88. if (input_buffer) {
89. printk(KERN_INFO "Attempting to copy input: %s\n", input_buffer);
90.  
91. // DANGEROUS: Potential stack overflow
92. // strcpy does not check buffer bounds, which can overflow the buffer
93. strcpy(local_buffer, input_buffer); // This is where the overflow can happen
94.  
95. printk(KERN_INFO "Copied buffer: %s\n", local_buffer); // Will print corrupted data if overflow occurs
96. }
97. }
98.  
99. // Module initialization function
100. static int __init stack_overflow_init(void)
101. {
102. printk(KERN_INFO "Stack Overflow Vulnerability Module Loaded\n");
103.  
104. // Call the vulnerable function
105. vulnerable_copy_function();
106.  
107. return 0;
108. }
109.  
110. // Module cleanup function
111. static void __exit stack_overflow_exit(void)
112. {
113. printk(KERN_INFO "Stack Overflow Module Unloaded\n");
114. }
115.  
116. // Macro declarations for kernel module
117. module_init(stack_overflow_init);
118. module_exit(stack_overflow_exit);
119.  
120. MODULE_LICENSE("GPL");
121. MODULE_AUTHOR("Security Research");
122. MODULE_DESCRIPTION("Kernel Module Demonstrating Stack Overflow Vulnerability");
123.