From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Dominik Czarnota <dominik.czarnota@trailofbits.com>,
Jessica Yu <jeyu@kernel.org>, Kees Cook <keescook@chromium.org>
Subject: [PATCH 4.19 49/58] module: Do not expose section addresses to non-CAP_SYSLOG
Date: Tue, 14 Jul 2020 20:44:22 +0200 [thread overview]
Message-ID: <20200714184058.596597029@linuxfoundation.org> (raw)
In-Reply-To: <20200714184056.149119318@linuxfoundation.org>
From: Kees Cook <keescook@chromium.org>
commit b25a7c5af9051850d4f3d93ca500056ab6ec724b upstream.
The printing of section addresses in /sys/module/*/sections/* was not
using the correct credentials to evaluate visibility.
Before:
# cat /sys/module/*/sections/.*text
0xffffffffc0458000
...
# capsh --drop=CAP_SYSLOG -- -c "cat /sys/module/*/sections/.*text"
0xffffffffc0458000
...
After:
# cat /sys/module/*/sections/*.text
0xffffffffc0458000
...
# capsh --drop=CAP_SYSLOG -- -c "cat /sys/module/*/sections/.*text"
0x0000000000000000
...
Additionally replaces the existing (safe) /proc/modules check with
file->f_cred for consistency.
Reported-by: Dominik Czarnota <dominik.czarnota@trailofbits.com>
Fixes: be71eda5383f ("module: Fix display of wrong module .text address")
Cc: stable@vger.kernel.org
Tested-by: Jessica Yu <jeyu@kernel.org>
Acked-by: Jessica Yu <jeyu@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/module.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -1471,8 +1471,8 @@ static ssize_t module_sect_read(struct f
if (pos != 0)
return -EINVAL;
- return sprintf(buf, "0x%px\n", kptr_restrict < 2 ?
- (void *)sattr->address : NULL);
+ return sprintf(buf, "0x%px\n",
+ kallsyms_show_value(file->f_cred) ? (void *)sattr->address : NULL);
}
static void free_sect_attrs(struct module_sect_attrs *sect_attrs)
@@ -4260,7 +4260,7 @@ static int modules_open(struct inode *in
if (!err) {
struct seq_file *m = file->private_data;
- m->private = kallsyms_show_value(current_cred()) ? NULL : (void *)8ul;
+ m->private = kallsyms_show_value(file->f_cred) ? NULL : (void *)8ul;
}
return err;
next prev parent reply other threads:[~2020-07-14 18:47 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-14 18:43 [PATCH 4.19 00/58] 4.19.133-rc1 review Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 01/58] KVM: s390: reduce number of IO pins to 1 Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 02/58] spi: spi-fsl-dspi: Adding shutdown hook Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 03/58] spi: spi-fsl-dspi: Fix lockup if device is removed during SPI transfer Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 04/58] spi: spi-fsl-dspi: use IRQF_SHARED mode to request IRQ Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 05/58] spi: spi-fsl-dspi: Fix external abort on interrupt in resume or exit paths Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 06/58] regmap: fix alignment issue Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 07/58] ARM: dts: omap4-droid4: Fix spi configuration and increase rate Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 08/58] drm/tegra: hub: Do not enable orphaned window group Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 09/58] gpu: host1x: Detach driver on unregister Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 10/58] spi: spidev: fix a race between spidev_release and spidev_remove Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 11/58] spi: spidev: fix a potential use-after-free in spidev_release() Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 12/58] ixgbe: protect ring accesses with READ- and WRITE_ONCE Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 13/58] i40e: " Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 14/58] drm: panel-orientation-quirks: Add quirk for Asus T101HA panel Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 15/58] drm: panel-orientation-quirks: Use generic orientation-data for Acer S1003 Greg Kroah-Hartman
2020-07-15 14:45 ` Pavel Machek
2020-07-14 18:43 ` [PATCH 4.19 16/58] s390/kasan: fix early pgm check handler execution Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 17/58] drm/sun4i: mixer: Call of_dma_configure if theres an IOMMU Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 18/58] cifs: update ctime and mtime during truncate Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 19/58] ARM: imx6: add missing put_device() call in imx6q_suspend_init() Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 20/58] scsi: mptscsih: Fix read sense data size Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 21/58] usb: dwc3: pci: Fix reference count leak in dwc3_pci_resume_work Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 22/58] block: release bip in a right way in error path Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 23/58] nvme-rdma: assign completion vector correctly Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 24/58] x86/entry: Increase entry_stack size to a full page Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 25/58] net: qrtr: Fix an out of bounds read qrtr_endpoint_post() Greg Kroah-Hartman
2020-07-14 18:43 ` [PATCH 4.19 26/58] drm/mediatek: Check plane visibility in atomic_update Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 27/58] net: cxgb4: fix return error value in t4_prep_fw Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 28/58] smsc95xx: check return value of smsc95xx_reset Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 29/58] smsc95xx: avoid memory leak in smsc95xx_bind Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 30/58] net: hns3: fix use-after-free when doing self test Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 31/58] ALSA: compress: fix partial_drain completion state Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 32/58] arm64: kgdb: Fix single-step exception handling oops Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 33/58] nbd: Fix memory leak in nbd_add_socket Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 34/58] cxgb4: fix all-mask IP address comparison Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 35/58] bnxt_en: fix NULL dereference in case SR-IOV configuration fails Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 36/58] net: macb: mark device wake capable when "magic-packet" property present Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 37/58] mlxsw: spectrum_router: Remove inappropriate usage of WARN_ON() Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 38/58] ALSA: opl3: fix infoleak in opl3 Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 39/58] ALSA: hda - let hs_mic be picked ahead of hp_mic Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 40/58] ALSA: usb-audio: add quirk for MacroSilicon MS2109 Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 41/58] KVM: arm64: Fix definition of PAGE_HYP_DEVICE Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 42/58] KVM: arm64: Stop clobbering x0 for HVC_SOFT_RESTART Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 43/58] KVM: x86: bit 8 of non-leaf PDPEs is not reserved Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 44/58] KVM: x86: Inject #GP if guest attempts to toggle CR4.LA57 in 64-bit mode Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 45/58] KVM: x86: Mark CR4.TSD as being possibly owned by the guest Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 46/58] kallsyms: Refactor kallsyms_show_value() to take cred Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 47/58] kernel: module: Use struct_size() helper Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 48/58] module: Refactor section attr into bin attribute Greg Kroah-Hartman
2020-07-14 18:44 ` Greg Kroah-Hartman [this message]
2020-07-14 18:44 ` [PATCH 4.19 50/58] kprobes: Do not expose probe addresses to non-CAP_SYSLOG Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 51/58] bpf: Check correct cred for CAP_SYSLOG in bpf_dump_raw_ok() Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 52/58] Revert "ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb" Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 53/58] btrfs: fix fatal extent_buffer readahead vs releasepage race Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 54/58] drm/radeon: fix double free Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 55/58] dm: use noio when sending kobject event Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 56/58] ARC: entry: fix potential EFA clobber when TIF_SYSCALL_TRACE Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 57/58] ARC: elf: use right ELF_ARCH Greg Kroah-Hartman
2020-07-14 18:44 ` [PATCH 4.19 58/58] s390/mm: fix huge pte soft dirty copying Greg Kroah-Hartman
2020-07-15 9:41 ` [PATCH 4.19 00/58] 4.19.133-rc1 review Naresh Kamboju
2020-07-15 12:39 ` Greg Kroah-Hartman
2020-07-15 10:49 ` Jon Hunter
2020-07-15 15:21 ` Shuah Khan
2020-07-15 16:42 ` Guenter Roeck
2020-07-16 7:45 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200714184058.596597029@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dominik.czarnota@trailofbits.com \
--cc=jeyu@kernel.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).