dbc4a9
From: Matthew Garrett <matthew.garrett@nebula.com>
dbc4a9
Date: Fri, 9 Mar 2012 09:28:15 -0500
dbc4a9
Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is
dbc4a9
 restricted
dbc4a9
dbc4a9
Allowing users to write to address space makes it possible for the kernel
dbc4a9
to be subverted, avoiding module loading restrictions. Prevent this when
dbc4a9
any restrictions have been imposed on loading modules.
dbc4a9
dbc4a9
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
dbc4a9
---
dbc4a9
 drivers/char/mem.c | 6 ++++++
dbc4a9
 1 file changed, 6 insertions(+)
dbc4a9
dbc4a9
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
dbc4a9
index cdf839f9defe..c63cf93b00eb 100644
dbc4a9
--- a/drivers/char/mem.c
dbc4a9
+++ b/drivers/char/mem.c
dbc4a9
@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
dbc4a9
 	if (p != *ppos)
dbc4a9
 		return -EFBIG;
dbc4a9
 
dbc4a9
+	if (secure_modules())
dbc4a9
+		return -EPERM;
dbc4a9
+
dbc4a9
 	if (!valid_phys_addr_range(p, count))
dbc4a9
 		return -EFAULT;
dbc4a9
 
dbc4a9
@@ -502,6 +505,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
dbc4a9
 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
dbc4a9
 	int err = 0;
dbc4a9
 
dbc4a9
+	if (secure_modules())
dbc4a9
+		return -EPERM;
dbc4a9
+
dbc4a9
 	if (p < (unsigned long) high_memory) {
dbc4a9
 		unsigned long to_write = min_t(unsigned long, count,
dbc4a9
 					       (unsigned long)high_memory - p);
dbc4a9
-- 
dbc4a9
1.9.3
dbc4a9