Hi Linus, Please pull this kallsyms_show_value() refactoring for v5.8-rc5. I'm not delighted by the timing of getting these changes to you, but it does fix a handful of kernel address exposures, and no one has screamed yet at the patches nor their existence in -next for a few days. Folks have reviewed (and even tested!) the series. :) (I'm leaving the more experimental current_cred() WARN() stuff for later, obviously.) Thanks! -Kees The following changes since commit 48778464bb7d346b47157d21ffde2af6b2d39110: Linux 5.8-rc2 (2020-06-21 15:45:29 -0700) are available in the Git repository at: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/kallsyms_show_value-v5.8-rc5 for you to fetch changes up to 2c79583927bb8154ecaa45a67dde97661d895ecd: selftests: kmod: Add module address visibility test (2020-07-08 16:01:36 -0700) ---------------------------------------------------------------- Refactor kallsyms_show_value() users for correct cred Several users of kallsyms_show_value() were performing checks not during "open". Refactor everything needed to gain proper checks against file->f_cred for modules, kprobes, and bpf. ---------------------------------------------------------------- Kees Cook (6): kallsyms: Refactor kallsyms_show_value() to take cred module: Refactor section attr into bin attribute module: Do not expose section addresses to non-CAP_SYSLOG kprobes: Do not expose probe addresses to non-CAP_SYSLOG bpf: Check correct cred for CAP_SYSLOG in bpf_dump_raw_ok() selftests: kmod: Add module address visibility test include/linux/filter.h | 4 +-- include/linux/kallsyms.h | 5 ++-- kernel/bpf/syscall.c | 37 +++++++++++++++----------- kernel/kallsyms.c | 17 +++++++----- kernel/kprobes.c | 4 +-- kernel/module.c | 51 +++++++++++++++++++----------------- net/core/sysctl_net_core.c | 2 +- tools/testing/selftests/kmod/kmod.sh | 36 +++++++++++++++++++++++++ 8 files changed, 103 insertions(+), 53 deletions(-) -- Kees Cook
