19 Jan, 2021

1 commit

  • 5fdc7db644 ("module: setup load info before module_sig_check()")
    moved the ELF setup, so that it was done before the signature
    check. This made the module name available to signature error
    messages.

    However, the checks for ELF correctness in setup_load_info
    are not sufficient to prevent bad memory references due to
    corrupted offset fields, indices, etc.

    So, there's a regression in behavior here: a corrupt and unsigned
    (or badly signed) module, which might previously have been rejected
    immediately, can now cause an oops/crash.

    Harden ELF handling for module loading by doing the following:

    - Move the signature check back up so that it comes before ELF
    initialization. It's best to do the signature check to see
    if we can trust the module, before using the ELF structures
    inside it. This also makes checks against info->len
    more accurate again, as this field will be reduced by the
    length of the signature in mod_check_sig().

    The module name is now once again not available for error
    messages during the signature check, but that seems like
    a fair tradeoff.

    - Check if sections have offset / size fields that at least don't
    exceed the length of the module.

    - Check if sections have section name offsets that don't fall
    outside the section name table.

    - Add a few other sanity checks against invalid section indices,
    etc.

    This is not an exhaustive consistency check, but the idea is to
    at least get through the signature and blacklist checks without
    crashing because of corrupted ELF info, and to error out gracefully
    for most issues that would have caused problems later on.

    Fixes: 5fdc7db6448a ("module: setup load info before module_sig_check()")
    Signed-off-by: Frank van der Linden
    Signed-off-by: Jessica Yu

    Frank van der Linden
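The bounds checks listed in the commit message above, sketched as a userspace validator over an in-memory module image. This is an added example, not the kernel's code from this commit; the names `elf_sections_ok` and `make_sample`, the 64-bit-only layout, the constructed sample image and the NUL-termination check on the name table are assumptions.

```c
#include <elf.h>
#include <string.h>

/* Added example (userspace sketch with hypothetical names, not the kernel's code):
 * return 0 if the section headers are consistent with a buffer of len bytes. */
int elf_sections_ok(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    Elf64_Shdr sh, str;
    if (len < sizeof(eh))
        return -1;
    memcpy(&eh, buf, sizeof(eh));
    /* Section header table must fit in the buffer; subtract to avoid overflow. */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_shentsize != sizeof(sh) ||
        eh.e_shnum == 0 || eh.e_shoff > len ||
        (Elf64_Xword)eh.e_shnum * sizeof(sh) > len - eh.e_shoff)
        return -1;
    /* The section name table index must be a valid section index. */
    if (eh.e_shstrndx == SHN_UNDEF || eh.e_shstrndx >= eh.e_shnum)
        return -1;
    memcpy(&str, buf + eh.e_shoff + eh.e_shstrndx * sizeof(sh), sizeof(sh));
    /* Name table must fit and end in NUL (the NUL check is this example's choice). */
    if (str.sh_size == 0 || str.sh_offset > len || str.sh_size > len - str.sh_offset ||
        buf[str.sh_offset + str.sh_size - 1] != '\0')
        return -1;
    for (Elf64_Half i = 1; i < eh.e_shnum; i++) {
        memcpy(&sh, buf + eh.e_shoff + i * sizeof(sh), sizeof(sh));
        /* Name offset inside the name table; offset/size inside the module. */
        if (sh.sh_name >= str.sh_size || (sh.sh_type != SHT_NOBITS &&
            (sh.sh_offset > len || sh.sh_size > len - sh.sh_offset)))
            return -1;
    }
    return 0;
}

/* Constructed sample: ELF header, 8-byte name table at 64, two section headers at 72. */
size_t make_sample(unsigned char *buf)
{
    Elf64_Ehdr eh = { .e_ident = ELFMAG, .e_shoff = 72,
        .e_shentsize = sizeof(Elf64_Shdr), .e_shnum = 2, .e_shstrndx = 1 };
    Elf64_Shdr sh[2] = { [1] = { .sh_name = 1, .sh_type = SHT_STRTAB,
        .sh_offset = 64, .sh_size = 8 } };
    memcpy(buf, &eh, sizeof(eh));
    memcpy(buf + 64, "\0.shstr", 8);
    memcpy(buf + 72, sh, sizeof(sh));
    return 72 + sizeof(sh);
}

int main(void) { unsigned char b[256] = {0}; return elf_sections_ok(b, make_sample(b)); }
```

Every length comparison has the form `size > len - offset` after `offset > len` has been ruled out, so a corrupted 64-bit offset or size cannot wrap the sum and slip past the check.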
     

06 Aug, 2019

1 commit

  • IMA will use the module_signature format for append signatures, so export
    the relevant definitions and factor out the code which verifies that the
    appended signature trailer is valid.

    Also, create a CONFIG_MODULE_SIG_FORMAT option so that IMA can select it
    and be able to use mod_check_sig() without having to depend on either
    CONFIG_MODULE_SIG or CONFIG_MODULES.

    s390 duplicated the definition of struct module_signature so now they can
    use the new header instead.

    Signed-off-by: Thiago Jung Bauermann
    Acked-by: Jessica Yu
    Reviewed-by: Philipp Rudo
    Cc: Heiko Carstens
    Signed-off-by: Mimi Zohar

    Thiago Jung Bauermann