module: Invalidate signatures on force-loaded modules

2016-04-23 20:48:33 +02:00 · 2016-04-23 20:48:33 +02:00 · dff5585589
parent 5f6cfd0660
commit dff5585589
2 changed files with 59 additions and 0 deletions
--- a/debian/patches/bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
+++ b/debian/patches/bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
@ -0,0 +1,58 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 17 Apr 2016 22:59:03 +0100
+Subject: module: Invalidate signatures on force-loaded modules
+Forwarded: http://mid.gmane.org/20160423184501.GM3348@decadent.org.uk
+
+Signing a module should only make it trusted by the specific kernel it
+was built for, not anything else.  Loading a signed module meant for a
+kernel with a different ABI could have interesting effects.
+Therefore, treat all signatures as invalid when a module is
+force-loaded.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: stable@vger.kernel.org
+---
+ kernel/module.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/kernel/module.c
+++ b/kernel/module.c
+@@ -2597,13 +2597,18 @@ static inline void kmemleak_load_module(
+ #endif
+ 
+ #ifdef CONFIG_MODULE_SIG
+-static int module_sig_check(struct load_info *info)
+static int module_sig_check(struct load_info *info, int flags)
+ {
+ 	int err = -ENOKEY;
+ 	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
+ 	const void *mod = info->hdr;
+ 
+-	if (info->len > markerlen &&
+	/*
+	 * Require flags == 0, as a module with version information
+	 * removed is no longer the module that was signed
+	 */
+	if (flags == 0 &&
+	    info->len > markerlen &&
+ 	    memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
+ 		/* We truncate the module to discard the signature */
+ 		info->len -= markerlen;
+@@ -2622,7 +2627,7 @@ static int module_sig_check(struct load_
+ 	return err;
+ }
+ #else /* !CONFIG_MODULE_SIG */
+-static int module_sig_check(struct load_info *info)
+static int module_sig_check(struct load_info *info, int flags)
+ {
+ 	return 0;
+ }
+@@ -3429,7 +3434,7 @@ static int load_module(struct load_info
+ 	long err;
+ 	char *after_dashes;
+ 
+-	err = module_sig_check(info);
+	err = module_sig_check(info, flags);
+ 	if (err)
+ 		goto free_copy;
+ 
--- a/debian/patches/series
+++ b/debian/patches/series
@ -149,3 +149,4 @@ bugfix/all/tools-lib-traceevent-fix-use-of-uninitialized-variables.patch
 bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch
 bugfix/arm/arm-dts-kirkwood-fix-sd-slot-default-configuration-f.patch
 bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch
+bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch