+++ Kees Cook [02/07/20 16:26 -0700]:
The printing of section addresses in /sys/module/*/sections/* was not
using the correct credentials to evaluate visibility.
Before:
# cat /sys/module/*/sections/.*text
0xffffffffc0458000
...
# capsh --drop=CAP_SYSLOG -- -c "cat /sys/module/*/sections/.*text"
0xffffffffc0458000
...
After:
# cat /sys/module/*/sections/*.text
0xffffffffc0458000
...
# capsh --drop=CAP_SYSLOG -- -c "cat /sys/module/*/sections/.*text"
0x0000000000000000
...
Additionally replaces the existing (safe) /proc/modules check with
file->f_cred for consistency.
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: Dominik Czarnota <dominik.czarnota@xxxxxxxxxxxxxxx>
Fixes: be71eda5383f ("module: Fix display of wrong module .text address")
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Tested-by: Jessica Yu <jeyu@xxxxxxxxxx>
Acked-by: Jessica Yu <jeyu@xxxxxxxxxx>
