linux-brain/kernel/module_signature.c


// SPDX-License-Identifier: GPL-2.0+
/*
* Module signature checker
*
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*/
#include <linux/errno.h>
#include <linux/printk.h>
#include <linux/module_signature.h>
#include <asm/byteorder.h>
/**
* mod_check_sig - check that the given signature is sane
*
* @ms: Signature to check.
* @file_len: Size of the file to which @ms is appended.
* @name: What is being checked. Used for error messages.
*/
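int mod_check_sig(const struct module_signature *ms, size_t file_len,
		  const char *name)
{
	/*
	 * Structural sanity check only: nothing in this function verifies the
	 * PKCS#7 signature itself, so a 0 return means "well-formed signature
	 * descriptor", not "trusted module".
	 *
	 * Returns 0 if the descriptor is sane, -EBADMSG if the lengths or the
	 * must-be-zero fields are inconsistent, and -ENOPKG if the signature
	 * is not of type PKEY_ID_PKCS7.
	 */

	/*
	 * file_len is a size_t, so "file_len - sizeof(*ms)" wraps to a huge
	 * value when the file is shorter than the descriptor, and the sig_len
	 * bound below would then accept any length. Reject that case here
	 * instead of relying on every caller to have checked it first.
	 */
	if (file_len <= sizeof(*ms))
		return -EBADMSG;

	/* sig_len is stored big-endian and comes from the file being checked. */
	if (be32_to_cpu(ms->sig_len) >= file_len - sizeof(*ms))
		return -EBADMSG;

	if (ms->id_type != PKEY_ID_PKCS7) {
		/*
		 * NOTE(review): the page's blame entry for this line (upstream
		 * commit ec2a29593c83, "module: harden ELF info handling") says
		 * the signature check runs before ELF setup, so @name may not
		 * be the module's own name -- confirm against the callers.
		 */
		pr_err("%s: not signed with expected PKCS#7 message\n",
		       name);
		return -ENOPKG;
	}

	/* Every remaining descriptor field, padding included, must be zero. */
	if (ms->algo != 0 ||
	    ms->hash != 0 ||
	    ms->signer_len != 0 ||
	    ms->key_id_len != 0 ||
	    ms->__pad[0] != 0 ||
	    ms->__pad[1] != 0 ||
	    ms->__pad[2] != 0) {
		pr_err("%s: PKCS#7 signature info has unexpected non-zero params\n",
		       name);
		return -EBADMSG;
	}

	return 0;
}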