Re: [PATCH 3/5] module: Do not expose section addresses to non-CAP_SYSLOG

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

+++ Kees Cook [02/07/20 16:26 -0700]:

The printing of section addresses in /sys/module/*/sections/* was not
using the correct credentials to evaluate visibility.

Before:

# cat /sys/module/*/sections/.*text
0xffffffffc0458000
...
# capsh --drop=CAP_SYSLOG -- -c "cat /sys/module/*/sections/.*text"
0xffffffffc0458000
...

After:

# cat /sys/module/*/sections/*.text
0xffffffffc0458000
...
# capsh --drop=CAP_SYSLOG -- -c "cat /sys/module/*/sections/.*text"
0x0000000000000000
...

Additionally replaces the existing (safe) /proc/modules check with
file->f_cred for consistency.

Cc: stable@xxxxxxxxxxxxxxx
Reported-by: Dominik Czarnota <dominik.czarnota@xxxxxxxxxxxxxxx>
Fixes: be71eda5383f ("module: Fix display of wrong module .text address")
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>


Tested-by: Jessica Yu <jeyu@xxxxxxxxxx>
Acked-by: Jessica Yu <jeyu@xxxxxxxxxx>
[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux