Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753816AbcDZUgQ (ORCPT ); Tue, 26 Apr 2016 16:36:16 -0400 Received: from ozlabs.org ([103.22.144.67]:57374 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752698AbcDZUgK (ORCPT ); Tue, 26 Apr 2016 16:36:10 -0400 From: Rusty Russell To: Ben Hutchings Cc: David Howells , David Woodhouse , keyrings@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 1/3] module: Invalidate signatures on force-loaded modules In-Reply-To: <20160423184501.GM3348@decadent.org.uk> References: <20160423184421.GL3348@decadent.org.uk> <20160423184501.GM3348@decadent.org.uk> User-Agent: Notmuch/0.21 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu) Date: Tue, 26 Apr 2016 20:07:24 +0930 Message-ID: <8760v464gr.fsf@rustcorp.com.au> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1410 Lines: 41 Ben Hutchings writes: > Signing a module should only make it trusted by the specific kernel it > was built for, not anything else. Loading a signed module meant for a > kernel with a different ABI could have interesting effects. > Therefore, treat all signatures as invalid when a module is > force-loaded. > > Signed-off-by: Ben Hutchings > Cc: stable@vger.kernel.org > --- > kernel/module.c | 13 +++++++++---- > 1 file changed, 9 insertions(+), 4 deletions(-) > > diff --git a/kernel/module.c b/kernel/module.c > index 66426f743c29..649b1827ed15 100644 > --- a/kernel/module.c > +++ b/kernel/module.c > @@ -2599,13 +2599,18 @@ static inline void kmemleak_load_module(const struct module *mod, > #endif > > #ifdef CONFIG_MODULE_SIG > -static int module_sig_check(struct load_info *info) > +static int module_sig_check(struct load_info *info, int flags) > { > int err = -ENOKEY; > const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; > const void *mod = info->hdr; > > - if (info->len > markerlen && > + /* > + * Require flags == 0, as a module with version information > + * removed is no longer the module that was signed > + */ > + if (flags == 0 && This check is a bit lazy. We could have other flags in future, so this should really be !(flags & (MODULE_INIT_IGNORE_MODVERSIONS|MODULE_INIT_IGNORE_VERMAGIC) right? Cheers, Rusty.