user/sven/linux.git/kernel/module.c, branch v5.4.177Linux Kernel
https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v5.4.1772021-06-30T12:47:42Zmodule: limit enabling module.sig_enforce2021-06-30T12:47:42ZMimi Zoharzohar@linux.ibm.com2021-06-22T11:36:41Zurn:sha1:e2dc07ca4e0148d75963e14d2b78afc12426a487
[ Upstream commit 0c18f29aae7ce3dadd26d8ee3505d07cc982df75 ]
Irrespective as to whether CONFIG_MODULE_SIG is configured, specifying
"module.sig_enforce=1" on the boot command line sets "sig_enforce".
Only allow "sig_enforce" to be set when CONFIG_MODULE_SIG is configured.
This patch makes the presence of /sys/module/module/parameters/sig_enforce
dependent on CONFIG_MODULE_SIG=y.
Fixes: fda784e50aac ("module: export module signature enforcement status")
Reported-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Mimi Zohar <zohar@linux.ibm.com>
Tested-by: Jessica Yu <jeyu@kernel.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
modules: inherit TAINT_PROPRIETARY_MODULE2021-05-11T12:04:04ZChristoph Hellwighch@lst.de2020-07-28T21:33:33Zurn:sha1:13b0a28e6fef6643360375b40510548ba51eee59
commit 262e6ae7081df304fc625cf368d5c2cbba2bb991 upstream.
If a TAINT_PROPRIETARY_MODULE exports symbol, inherit the taint flag
for all modules importing these symbols, and don't allow loading
symbols from TAINT_PROPRIETARY_MODULE modules if the module previously
imported gplonly symbols. Add a anti-circumvention devices so people
don't accidentally get themselves into trouble this way.
Comment from Greg:
"Ah, the proven-to-be-illegal "GPL Condom" defense :)"
[jeyu: pr_info -> pr_err and pr_warn as per discussion]
Link: http://lore.kernel.org/r/20200730162957.GA22469@lst.de
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
modules: return licensing information from find_symbol2021-05-11T12:04:04ZChristoph Hellwighch@lst.de2020-07-30T06:10:26Zurn:sha1:cd5a738e28acc126eacfc802d260ccc78ed2d147
commit ef1dac6021cc8ec5de02ce31722bf26ac4ed5523 upstream.
Report the GPLONLY status through a new argument.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
modules: rename the licence field in struct symsearch to license2021-05-11T12:04:04ZChristoph Hellwighch@lst.de2020-07-30T06:10:25Zurn:sha1:c4698910a9afc8cee7f0ade4abc867a290300f23
commit cd8732cdcc37d7077c4fa2c966b748c0662b607e upstream.
Use the same spelling variant as the rest of the file.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
modules: unexport __module_address2021-05-11T12:04:03ZChristoph Hellwighch@lst.de2020-07-30T06:10:24Zurn:sha1:7500d4999431211638ea7f3572b09bc274edeb96
commit 34e64705ad415ed7a816e60ef62b42fe6d1729d9 upstream.
__module_address is only used by built-in code.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
modules: unexport __module_text_address2021-05-11T12:04:03ZChristoph Hellwighch@lst.de2020-07-30T06:10:23Zurn:sha1:ad6d414703d7ee4fa33ebc1f0578aeff0e97bd7d
commit 3fe1e56d0e68b623dd62d8d38265d2a052e7e185 upstream.
__module_text_address is only used by built-in code.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
modules: mark each_symbol_section static2021-05-11T12:04:03ZChristoph Hellwighch@lst.de2020-07-30T06:10:22Zurn:sha1:86de29b833e6311a099ce8102411b01d03d205d8
commit a54e04914c211b5678602a46b3ede5d82ec1327d upstream.
each_symbol_section is only used inside of module.c.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
modules: mark find_symbol static2021-05-11T12:04:03ZChristoph Hellwighch@lst.de2020-07-30T06:10:21Zurn:sha1:79100b191e71c1df8a80af5ba5e5979d4e9dec6e
commit 773110470e2fa3839523384ae014f8a723c4d178 upstream.
find_symbol is only used in module.c.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
modules: mark ref_module static2021-05-11T12:04:03ZChristoph Hellwighch@lst.de2020-07-30T06:10:20Zurn:sha1:6e38daf2e5db63611fa52ba57b9089d3be1a345d
commit 7ef5264de773279b9f23b6cc8afb5addb30e970b upstream.
ref_module isn't used anywhere outside of module.c.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
module: harden ELF info handling2021-04-07T12:47:38ZFrank van der Lindenfllinden@amazon.com2021-01-14T22:21:46Zurn:sha1:05d891e76dde3e430c707dae7d85139794eeadbd
[ Upstream commit ec2a29593c83ed71a7f16e3243941ebfcf75fdf6 ]
5fdc7db644 ("module: setup load info before module_sig_check()")
moved the ELF setup, so that it was done before the signature
check. This made the module name available to signature error
messages.
However, the checks for ELF correctness in setup_load_info
are not sufficient to prevent bad memory references due to
corrupted offset fields, indices, etc.
So, there's a regression in behavior here: a corrupt and unsigned
(or badly signed) module, which might previously have been rejected
immediately, can now cause an oops/crash.
Harden ELF handling for module loading by doing the following:
- Move the signature check back up so that it comes before ELF
initialization. It's best to do the signature check to see
if we can trust the module, before using the ELF structures
inside it. This also makes checks against info->len
more accurate again, as this field will be reduced by the
length of the signature in mod_check_sig().
The module name is now once again not available for error
messages during the signature check, but that seems like
a fair tradeoff.
- Check if sections have offset / size fields that at least don't
exceed the length of the module.
- Check if sections have section name offsets that don't fall
outside the section name table.
- Add a few other sanity checks against invalid section indices,
etc.
This is not an exhaustive consistency check, but the idea is to
at least get through the signature and blacklist checks without
crashing because of corrupted ELF info, and to error out gracefully
for most issues that would have caused problems later on.
Fixes: 5fdc7db6448a ("module: setup load info before module_sig_check()")
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>