From: Rusty Russell <rusty@rustcorp.com.au>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/3] module: Invalidate signatures on force-loaded modules
Date: Tue, 26 Apr 2016 20:07:24 +0930 [thread overview]
Message-ID: <8760v464gr.fsf@rustcorp.com.au> (raw)
In-Reply-To: <20160423184501.GM3348@decadent.org.uk>
Ben Hutchings <ben@decadent.org.uk> writes:
> Signing a module should only make it trusted by the specific kernel it
> was built for, not anything else. Loading a signed module meant for a
> kernel with a different ABI could have interesting effects.
> Therefore, treat all signatures as invalid when a module is
> force-loaded.
>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> Cc: stable@vger.kernel.org
> ---
> kernel/module.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/module.c b/kernel/module.c
> index 66426f743c29..649b1827ed15 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -2599,13 +2599,18 @@ static inline void kmemleak_load_module(const struct module *mod,
> #endif
>
> #ifdef CONFIG_MODULE_SIG
> -static int module_sig_check(struct load_info *info)
> +static int module_sig_check(struct load_info *info, int flags)
> {
> int err = -ENOKEY;
> const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
> const void *mod = info->hdr;
>
> - if (info->len > markerlen &&
> + /*
> + * Require flags == 0, as a module with version information
> + * removed is no longer the module that was signed
> + */
> + if (flags == 0 &&
This check is a bit lazy. We could have other flags in future,
so this should really be !(flags &
(MODULE_INIT_IGNORE_MODVERSIONS|MODULE_INIT_IGNORE_VERMAGIC) right?
Cheers,
Rusty.
next prev parent reply other threads:[~2016-04-26 20:36 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-23 18:44 [PATCH 0/3] Module signing and version info Ben Hutchings
2016-04-23 18:45 ` [PATCH 1/3] module: Invalidate signatures on force-loaded modules Ben Hutchings
2016-04-26 10:37 ` Rusty Russell [this message]
2016-04-26 21:00 ` Ben Hutchings
2016-04-27 23:54 ` Rusty Russell
2016-04-23 18:45 ` [PATCH 2/3] Documentation/module-signing.txt: Note need for version info if reusing a key Ben Hutchings
2016-04-23 18:45 ` [PATCH 3/3] module: Disable MODULE_FORCE_LOAD when MODULE_SIG_FORCE is enabled Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8760v464gr.fsf@rustcorp.com.au \
--to=rusty@rustcorp.com.au \
--cc=ben@decadent.org.uk \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.