Re: [PATCH 3/5] module: Do not expose section addresses to non-CAP_SYSLOG

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



+++ Kees Cook [02/07/20 16:26 -0700]:
The printing of section addresses in /sys/module/*/sections/* was not
using the correct credentials to evaluate visibility.

Before:

# cat /sys/module/*/sections/.*text
0xffffffffc0458000
...
# capsh --drop=CAP_SYSLOG -- -c "cat /sys/module/*/sections/.*text"
0xffffffffc0458000
...

After:

# cat /sys/module/*/sections/*.text
0xffffffffc0458000
...
# capsh --drop=CAP_SYSLOG -- -c "cat /sys/module/*/sections/.*text"
0x0000000000000000
...

Additionally replaces the existing (safe) /proc/modules check with
file->f_cred for consistency.

Cc: stable@xxxxxxxxxxxxxxx
Reported-by: Dominik Czarnota <dominik.czarnota@xxxxxxxxxxxxxxx>
Fixes: be71eda5383f ("module: Fix display of wrong module .text address")
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>

Tested-by: Jessica Yu <jeyu@xxxxxxxxxx>
Acked-by: Jessica Yu <jeyu@xxxxxxxxxx>




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux