Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933715AbdDERLS (ORCPT ); Wed, 5 Apr 2017 13:11:18 -0400 Received: from mx1.redhat.com ([209.132.183.28]:50942 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933502AbdDERKv (ORCPT ); Wed, 5 Apr 2017 13:10:51 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 970462E6046 Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=dhowells@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 970462E6046 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is locked down From: David Howells To: linux-kernel@vger.kernel.org Cc: matthew.garrett@nebula.com, linux-efi@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, gregkh@linuxfoundation.org, dhowells@redhat.com, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org Date: Wed, 05 Apr 2017 18:10:41 +0100 Message-ID: <149141224171.31282.11926701357832474000.stgit@warthog.procyon.org.uk> In-Reply-To: <149141219387.31282.6648284836568938717.stgit@warthog.procyon.org.uk> References: <149141219387.31282.6648284836568938717.stgit@warthog.procyon.org.uk> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Wed, 05 Apr 2017 17:10:44 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1168 Lines: 37 From: Matthew Garrett Allowing users to write to address space makes it possible for the kernel to be subverted, avoiding module loading restrictions. Prevent this when the kernel has been locked down. Signed-off-by: Matthew Garrett Signed-off-by: David Howells --- drivers/char/mem.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c index 6d9cc2d39d22..f8144049bda3 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -163,6 +163,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, if (p != *ppos) return -EFBIG; + if (kernel_is_locked_down()) + return -EPERM; + if (!valid_phys_addr_range(p, count)) return -EFAULT; @@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ int err = 0; + if (kernel_is_locked_down()) + return -EPERM; + if (p < (unsigned long) high_memory) { unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p);