| From: Matthew Garrett <matthew.garrett@nebula.com>
 | |
| Date: Fri, 9 Mar 2012 09:28:15 -0500
 | |
| Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is
 | |
|  restricted
 | |
| 
 | |
| Allowing users to write to address space makes it possible for the kernel
 | |
| to be subverted, avoiding module loading restrictions. Prevent this when
 | |
| any restrictions have been imposed on loading modules.
 | |
| 
 | |
| Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
 | |
| ---
 | |
|  drivers/char/mem.c | 6 ++++++
 | |
|  1 file changed, 6 insertions(+)
 | |
| 
 | |
| diff --git a/drivers/char/mem.c b/drivers/char/mem.c
 | |
| index 53fe675f9bd7..b52c88860532 100644
 | |
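--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -167,6 +167,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
 	if (p != *ppos)
 		return -EFBIG;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (!valid_phys_addr_range(p, count))
 		return -EFAULT;
 
@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
 	int err = 0;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (p < (unsigned long) high_memory) {
 		unsigned long to_write = min_t(unsigned long, count,
 					       (unsigned long)high_memory - p);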
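Review bot: The new `secure_modules()` check guards only the `write()` handlers `write_mem` and `write_kmem`, so any other route to the same memory through these device nodes (a writable mapping, for instance) is untouched by either hunk and would need the same restriction for the commit's stated goal to hold. The mmap and open handlers are not visible here, so this should be confirmed against the full file. A single check at the point where the device is opened would cover every path at once and is easier to audit than one check per handler. Each added check would also benefit from a short why-comment, e.g. `/* writing kernel memory would bypass module loading restrictions */`. Both function bodies start and end outside the hunks.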