Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bca014ca authored by Ben Hutchings's avatar Ben Hutchings Committed by Rusty Russell
Browse files

module: Invalidate signatures on force-loaded modules 



Signing a module should only make it trusted by the specific kernel it
was built for, not anything else.  Loading a signed module meant for a
kernel with a different ABI could have interesting effects.
Therefore, treat all signatures as invalid when a module is
force-loaded.

Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
parent 3205c36c

kernel/module.c

+9 −4
Original line number Diff line number Diff line
@@ -2686,13 +2686,18 @@ static inline void kmemleak_load_module(const struct module *mod, 
#endif



#ifdef CONFIG_MODULE_SIG

static int module_sig_check(struct load_info *info)

static int module_sig_check(struct load_info *info, int flags)

{

	int err = -ENOKEY;

	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;

	const void *mod = info->hdr;



	if (info->len > markerlen &&

	/*

	 * Require flags == 0, as a module with version information

	 * removed is no longer the module that was signed

	 */

	if (flags == 0 &&

	    info->len > markerlen &&

	    memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {

		/* We truncate the module to discard the signature */

		info->len -= markerlen;
@@ -2711,7 +2716,7 @@ static int module_sig_check(struct load_info *info) 
	return err;

}

#else /* !CONFIG_MODULE_SIG */

static int module_sig_check(struct load_info *info)

static int module_sig_check(struct load_info *info, int flags)

{

	return 0;

}
@@ -3506,7 +3511,7 @@ static int load_module(struct load_info *info, const char __user *uargs, 
	long err;

	char *after_dashes;



	err = module_sig_check(info);

	err = module_sig_check(info, flags);

	if (err)

		goto free_copy;