Date: Mon, 18 Jan 2021 16:18:27 +0100
From: Jessica Yu
To: Frank van der Linden
Cc: linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] module: harden ELF info handling
Message-ID: <20210118151827.GA22792@linux-8ccs>
References: <20210114222146.25762-1-fllinden@amazon.com>
In-Reply-To: <20210114222146.25762-1-fllinden@amazon.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Mailing-List: linux-kernel@vger.kernel.org

+++ Frank van der Linden [14/01/21 22:21 +0000]:
>5fdc7db644 ("module: setup load info before module_sig_check()")
>moved the ELF setup, so that it was done before the signature
>check. This made the module name available to signature error
>messages.
>
>However, the checks for ELF correctness in setup_load_info
>are not sufficient to prevent bad memory references due to
>corrupted offset fields, indices, etc.
>
>So, there's a regression in behavior here: a corrupt and unsigned
>(or badly signed) module, which might previously have been rejected
>immediately, can now cause an oops/crash.
>
>Harden ELF handling for module loading by doing the following:
>
>- Move the signature check back up so that it comes before ELF
>  initialization. It's best to do the signature check to see
>  if we can trust the module, before using the ELF structures
>  inside it. This also makes checks against info->len
>  more accurate again, as this field will be reduced by the
>  length of the signature in mod_check_sig().
>
>  The module name is now once again not available for error
>  messages during the signature check, but that seems like
>  a fair tradeoff.
>
>- Check if sections have offset / size fields that at least don't
>  exceed the length of the module.
>
>- Check if sections have section name offsets that don't fall
>  outside the section name table.
>
>- Add a few other sanity checks against invalid section indices,
>  etc.
>
>This is not an exhaustive consistency check, but the idea is to
>at least get through the signature and blacklist checks without
>crashing because of corrupted ELF info, and to error out gracefully
>for most issues that would have caused problems later on.
>
>Fixes: 5fdc7db644 ("module: setup load info before module_sig_check()")
>Signed-off-by: Frank van der Linden

Queued on modules-next. Thanks Frank!

Jessica
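As an added illustration of the section-header checks listed in the quoted patch description (section offset/size within the module length, name offsets within the section name table, valid section indices), here is a stand-alone ELF64 validator in C. It is example code written for this page, not the kernel's module loader; the function names, the constructed 280-byte image and the three corruption cases are all assumptions of the example.

```c
#include <elf.h>
#include <string.h>

/* Return 0 if the ELF64 section table is within bounds, -1 on any inconsistency. */
int validate_elf_sections(const unsigned char *buf, size_t len)
{
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)buf;
    if (len < sizeof *eh || memcmp(eh->e_ident, ELFMAG, SELFMAG) || eh->e_ident[EI_CLASS] != ELFCLASS64)
        return -1;
    /* Section header table must fit in the image; subtract so large values cannot overflow. */
    if (eh->e_shentsize != sizeof(Elf64_Shdr) || eh->e_shnum == 0 || eh->e_shoff > len ||
        (eh->e_shoff & 7) || (uint64_t)eh->e_shnum * sizeof(Elf64_Shdr) > len - eh->e_shoff)
        return -1;
    /* e_shstrndx must be a valid index naming a real string table. */
    if (eh->e_shstrndx == SHN_UNDEF || eh->e_shstrndx >= eh->e_shnum)
        return -1;
    const Elf64_Shdr *sh = (const Elf64_Shdr *)(buf + eh->e_shoff);
    const Elf64_Shdr *st = &sh[eh->e_shstrndx];
    if (st->sh_type != SHT_STRTAB || st->sh_size == 0)
        return -1;
    for (unsigned i = 1; i < eh->e_shnum; i++) {
        /* SHT_NOBITS (.bss) occupies no file bytes, so only check offsets of the others. */
        if (sh[i].sh_type != SHT_NOBITS &&
            (sh[i].sh_offset > len || sh[i].sh_size > len - sh[i].sh_offset))
            return -1;
        if (sh[i].sh_name >= st->sh_size)   /* name offset outside .shstrtab */
            return -1;
    }
    /* st's bounds were checked in the loop; also require the table to be NUL-terminated. */
    return buf[st->sh_offset + st->sh_size - 1] == 0 ? 0 : -1;
}

/* Constructed 280-byte image: header, .shstrtab at 64, .text at 81, section headers at 88. */
int demo(int corrupt)
{
    static const char names[] = "\0.text\0.shstrtab";
    _Alignas(8) unsigned char img[280] = {0};
    Elf64_Ehdr *eh = (Elf64_Ehdr *)img;
    Elf64_Shdr *sh = (Elf64_Shdr *)(img + 88);
    memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_ident[EI_CLASS] = ELFCLASS64;
    eh->e_shoff = 88; eh->e_shentsize = sizeof(Elf64_Shdr); eh->e_shnum = 3; eh->e_shstrndx = 2;
    memcpy(img + 64, names, sizeof names);
    sh[1].sh_name = 1; sh[1].sh_type = SHT_PROGBITS; sh[1].sh_offset = 81; sh[1].sh_size = 4;
    sh[2].sh_name = 7; sh[2].sh_type = SHT_STRTAB; sh[2].sh_offset = 64; sh[2].sh_size = sizeof names;
    if (corrupt == 1) sh[1].sh_offset = 1u << 20; /* section data past end of module */
    if (corrupt == 2) sh[1].sh_name = 500;        /* name offset outside .shstrtab */
    if (corrupt == 3) eh->e_shstrndx = 9;         /* section index past e_shnum */
    return validate_elf_sections(img, sizeof img);
}
```

`demo(0)` validates the intact image; each non-zero argument applies one of the corruptions the description warns about and the validator rejects the image instead of reading out of bounds.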