From: "Rusty Russell (IBM)" <rusty@au1.ibm.com>
To: David Woodhouse <dwmw2@infradead.org>
Cc: David Howells <dhowells@redhat.com>,
rusty@ozlabs.au.ibm.com, Greg KH <greg@kroah.com>,
Arjan van de Ven <arjanv@redhat.com>,
Joy Latten <latten@us.ibm.com>,
lkml - Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: Fw: signed kernel modules?
Date: Wed, 13 Oct 2004 10:11:36 +1000
Message-ID: <1097626296.4013.34.camel@localhost.localdomain>
In-Reply-To: <1097570159.5788.1089.camel@baythorne.infradead.org>
On Tue, 2004-10-12 at 18:35, David Woodhouse wrote:
> We know _precisely_ what the kernel looks at -- we wrote its linker. It
> really isn't that hard.
Write the code. Then come back and tell me it "isn't that hard".
Let me make this clear: I refuse to include any solution which doesn't
protect against accidental, as well as deliberate, corruption. This
means your "canonicalization" code has to be very, very paranoid about
not trusting the data until the signature is verified. The current code
does very simple checks then completely trusts the module contents,
especially the section headers: to make signatures worth anything, your
code must not do this.
Here's the level of paranoia required for the simplest case, that of
signing the entire module. The last Howells patches I saw didn't even
do any of *this*, let alone checking the rest of the module:
+static int in_range(Elf_Ehdr *hdr,
+ unsigned long len,
+ unsigned long offset,
+ unsigned long elemsize,
+ unsigned long num)
+{
+ /* We're careful with wrap here. */
+ if (offset > len)
+ return 0;
+ if (elemsize * num / num != elemsize)
+ return 0;
+ if (elemsize * num > len - offset)
+ return 0;
+ return 1;
+}
+
+/* Lots of checking: we don't trust anything until signature matched. */
+static int check_modsig(Elf_Ehdr *hdr, unsigned long len)
+{
+ Elf_Shdr *sechdrs;
+ unsigned long i, stroff;
+
+ /* Section headers must all be in range. */
+ if (!in_range(hdr, len, hdr->e_shoff, sizeof(Elf_Shdr), hdr->e_shnum))
+ return -EINVAL;
+
+ /* Index of section which contains headers must be good. */
+ if (hdr->e_shstrndx >= hdr->e_shnum)
+ return -EINVAL;
+
+ sechdrs = (void *)hdr + hdr->e_shoff;
+ stroff = sechdrs[hdr->e_shstrndx].sh_offset;
+
+ for (i = 1; i < hdr->e_shnum; i++) {
+ if (!in_range(hdr, len, stroff+sechdrs[i].sh_name, 1,
+ sizeof("module_sig")))
+ continue;
+ if (strcmp((char *)hdr + stroff+sechdrs[i].sh_name,
+ "module_sig") != 0)
+ continue;
+ if (!in_range(hdr, len, sechdrs[i].sh_offset,
+ sechdrs[i].sh_size, 1))
+ return -EINVAL;
+ return calc_signature(hdr, len, sechdrs[i].sh_offset,
+ sechdrs[i].sh_size);
+ }
+ tainted |= TAINT_FORCED_MODULE;
+ return 0;
+}
+#else
+static int check_modsig(Elf_Ehdr *hdr, unsigned int len)
+{
+ return 0;
+}
+#endif /* CONFIG_MODULE_SIG */
+
#ifdef CONFIG_SMP
/* Number of blocks used and allocated. */
static unsigned int pcpu_num_used, pcpu_num_allocated;
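Review bot: in_range() divides by num, so a module whose ELF header carries e_shnum == 0 makes the first call in check_modsig(), `in_range(hdr, len, hdr->e_shoff, sizeof(Elf_Shdr), hdr->e_shnum)`, divide by zero; guard the wrap test with `num != 0` (or reject e_shnum == 0 up front, since a module without sections is useless anyway). Two smaller points in the same hunk: `stroff+sechdrs[i].sh_name` is summed before in_range() sees it, so the addition can wrap to a small value and slip past the `offset > len` test, and stroff itself is never range-checked; checking the string-table section's own sh_offset/sh_size first and bounding sh_name against that table rather than against the whole image closes both. The `#else` stub also declares `len` as `unsigned int` while the real function takes `unsigned long`, so the two configurations do not share a prototype. Finally, the fall-through after the loop deserves a comment: a module with no module_sig section at all is accepted and only tainted, which a reader will otherwise take for an oversight.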
@@ -1522,6 +1614,9 @@ static struct module *load_module(void _
if (len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr))
goto truncated;
+ if ((err = check_modsig(hdr, len)) != 0)
+ goto free_hdr;
+
/* Convenience variables */
sechdrs = (void *)hdr + hdr->e_shoff;
secstrings = (void *)hdr + sechdrs[hdr->e_shstrndx].sh_offset;
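Review bot: the check_modsig() call is placed after the existing `len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr)` test, which is exactly the unchecked arithmetic that in_range() was written to replace (the sum can wrap when e_shoff is near the top of its range); either move the call above it or drop that line now that check_modsig() covers the same bounds. Also, with CONFIG_MODULE_SIG off the stub returns 0 without looking at e_shstrndx, yet `secstrings = (void *)hdr + sechdrs[hdr->e_shstrndx].sh_offset` two lines later indexes with it unconditionally, and nothing in the visible context validates it in that configuration; the `e_shstrndx >= e_shnum` check belongs in load_module() itself rather than only inside the signature path. The hunk further assumes `err` and the `free_hdr` label already exist in load_module(); neither appears in the visible context.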
> > Nor do I have to re-iterate the points from the discussion for someone
> > who hasn't bothered reading it. But I did.
>
> Sorry, I didn't think the discussion had been in public. While I'm sure
> I _could_ read mail in David's inbox, I feel it would be somewhat
> impolite. It's not that I "haven't bothered". :)
Sorry, thought you were CC'd the whole time. My mistake.
Rusty.
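As an added illustration of the level of paranoia the message asks for (this is example code, not Rusty's patch and not kernel code): a wrap-safe `in_range()` that tolerates `num == 0`, and a section lookup that bounds the string table itself before any name is read from it, exercised against a constructed ELF64 image. `find_section`, `sample_has_sig` and the sample image are assumptions of the example; `module_sig` is used only because the patch looks for that section name.

```c
#include <elf.h>
#include <stdint.h>
#include <string.h>
/* Wrap-safe test that [off, off + size*num) lies within len bytes; num == 0 is fine. */
static int in_range(size_t len, uint64_t off, uint64_t size, uint64_t num)
{
    if (off > len || (num != 0 && size > UINT64_MAX / num))
        return 0;                     /* offset past the end, or size*num would wrap */
    return size * num <= len - off;
}

/* Locate section `name` in an untrusted ELF64 image; NULL if absent or malformed. */
const Elf64_Shdr *find_section(const void *img, size_t len, const char *name)
{
    const Elf64_Ehdr *eh = img;
    const Elf64_Shdr *sh, *st; size_t n = strlen(name) + 1; uint64_t i;
    if (len < sizeof(*eh) || memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 ||
        eh->e_shentsize != sizeof(*sh) ||
        !in_range(len, eh->e_shoff, sizeof(*sh), eh->e_shnum) ||
        eh->e_shstrndx == SHN_UNDEF || eh->e_shstrndx >= eh->e_shnum)
        return NULL;
    sh = (const Elf64_Shdr *)((const char *)img + eh->e_shoff);
    st = &sh[eh->e_shstrndx];
    if (!in_range(len, st->sh_offset, st->sh_size, 1))   /* the string table itself */
        return NULL;
    for (i = 1; i < eh->e_shnum; i++) {
        if (sh[i].sh_name > st->sh_size || n > st->sh_size - sh[i].sh_name)
            continue;                 /* name plus NUL must fit inside the string table */
        if (memcmp((const char *)img + st->sh_offset + sh[i].sh_name, name, n) != 0)
            continue;
        return in_range(len, sh[i].sh_offset, sh[i].sh_size, 1) ? &sh[i] : NULL;
    }
    return NULL;
}

/* Constructed sample: header, 3 section headers, string table at 300, 4-byte sig at 330;
 * shnum and sig_size are parameters so corrupted variants can be built for checking. */
static unsigned char sample[512] __attribute__((aligned(8)));
int sample_has_sig(uint16_t shnum, uint64_t sig_size)
{
    static const char names[] = "\0.shstrtab\0module_sig";   /* name offsets 1 and 11 */
    Elf64_Ehdr *eh = (Elf64_Ehdr *)sample;
    Elf64_Shdr *sh = (Elf64_Shdr *)(sample + sizeof(*eh));
    memset(sample, 0, sizeof(sample)); memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_shoff = sizeof(*eh); eh->e_shentsize = sizeof(*sh); eh->e_shnum = shnum; eh->e_shstrndx = 1;
    sh[1].sh_name = 1;  sh[1].sh_offset = 300; sh[1].sh_size = sizeof(names);
    sh[2].sh_name = 11; sh[2].sh_offset = 330; sh[2].sh_size = sig_size;
    memcpy(sample + 300, names, sizeof(names));
    return find_section(sample, 340, "module_sig") != NULL;
}
```

The intact sample is accepted, while an e_shnum of 0, an e_shnum that pushes the header table past the image, or a sh_size that wraps past the end are all rejected instead of being trusted.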