dbc4a9b
From: Matthew Garrett <matthew.garrett@nebula.com>
dbc4a9b
Date: Fri, 9 Mar 2012 09:28:15 -0500
dbc4a9b
Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is
dbc4a9b
 restricted
dbc4a9b
dbc4a9b
Allowing users to write to address space makes it possible for the kernel
dbc4a9b
to be subverted, avoiding module loading restrictions. Prevent this when
dbc4a9b
any restrictions have been imposed on loading modules.
dbc4a9b
dbc4a9b
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
dbc4a9b
---
dbc4a9b
 drivers/char/mem.c | 6 ++++++
dbc4a9b
 1 file changed, 6 insertions(+)
dbc4a9b
dbc4a9b
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
2f08a80
index efe38c1bc234..16b8af1188e1 100644
dbc4a9b
--- a/drivers/char/mem.c
dbc4a9b
+++ b/drivers/char/mem.c
f692dd0
@@ -167,6 +167,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
dbc4a9b
 	if (p != *ppos)
dbc4a9b
 		return -EFBIG;
dbc4a9b
 
dbc4a9b
+	if (secure_modules())
dbc4a9b
+		return -EPERM;
dbc4a9b
+
dbc4a9b
 	if (!valid_phys_addr_range(p, count))
dbc4a9b
 		return -EFAULT;
dbc4a9b
 
2f08a80
@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
dbc4a9b
 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
dbc4a9b
 	int err = 0;
dbc4a9b
 
dbc4a9b
+	if (secure_modules())
dbc4a9b
+		return -EPERM;
dbc4a9b
+
dbc4a9b
 	if (p < (unsigned long) high_memory) {
dbc4a9b
 		unsigned long to_write = min_t(unsigned long, count,
dbc4a9b
 					       (unsigned long)high_memory - p);