On Tue, 2016-04-26 at 20:07 +0930, Rusty Russell wrote: > Ben Hutchings <[email protected]> writes: > > > > Signing a module should only make it trusted by the specific kernel it > > was built for, not anything else. Loading a signed module meant for a > > kernel with a different ABI could have interesting effects. > > Therefore, treat all signatures as invalid when a module is > > force-loaded. > > > > Signed-off-by: Ben Hutchings <[email protected]> > > Cc: [email protected] > > --- > > kernel/module.c | 13 +++++++++---- > > 1 file changed, 9 insertions(+), 4 deletions(-) > > > > diff --git a/kernel/module.c b/kernel/module.c > > index 66426f743c29..649b1827ed15 100644 > > --- a/kernel/module.c > > +++ b/kernel/module.c > > @@ -2599,13 +2599,18 @@ static inline void kmemleak_load_module(const > > struct module *mod, > > #endif > > > > #ifdef CONFIG_MODULE_SIG > > -static int module_sig_check(struct load_info *info) > > +static int module_sig_check(struct load_info *info, int flags) > > { > > int err = -ENOKEY; > > const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; > > const void *mod = info->hdr; > > > > - if (info->len > markerlen && > > + /* > > + * Require flags == 0, as a module with version information > > + * removed is no longer the module that was signed > > + */ > > + if (flags == 0 && > This check is a bit lazy. We could have other flags in future, > so this should really be !(flags & > (MODULE_INIT_IGNORE_MODVERSIONS|MODULE_INIT_IGNORE_VERMAGIC) right?
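Review bot: the visible hunk removes the "if (info->len > markerlen &&" line and starts the new condition with "if (flags == 0 &&", but the remainder of the condition is cut off in this quote; confirm that the markerlen length guard is still present after the new flags test, since the marker comparison below it depends on that bound. The diffstat (9 insertions, 4 deletions) also implies the call site of module_sig_check() now passes the flags argument, which is not shown here. On the flags == 0 test itself, whichever form is chosen, the comment above it should state that any unrecognised or future flag is deliberately treated as "not the module that was signed", so that a later flag addition fails closed rather than bypassing signature enforcement.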
Yes we could, but I'd prefer this to fail-safe in case no-one thinks
about whether it should be updated then.
Ben.
--
Ben Hutchings
The generation of random numbers is too important to be left to chance.
- Robert Coveyou