author | Justin M. Forbes <jforbes@redhat.com> | 2016-12-14 12:50:48 -0600 |
---|---|---|
committer | Justin M. Forbes <jforbes@redhat.com> | 2016-12-14 12:50:48 -0600 |
commit | 962ea4f047b3b4b4360446be4289c4e4deb29551 (patch) | |
tree | 0a13142b9219114c8902cac2b45fe9c7abc96897 /x86-Restrict-MSR-access-when-module-loading-is-restr.patch | |
parent | b31b0fb7f4d47143f49fdbc50e7c0da678c0540b (diff) | |
Linux v4.9-7150-gcdb98c2
Diffstat (limited to 'x86-Restrict-MSR-access-when-module-loading-is-restr.patch')
-rw-r--r-- | x86-Restrict-MSR-access-when-module-loading-is-restr.patch | 44 |
1 files changed, 0 insertions, 44 deletions
diff --git a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch
deleted file mode 100644
index 71b5b2edb..000000000
--- a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 85539b332c79fbce1b9f371ff1a2a8d489e65110 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH 09/20] x86: Restrict MSR access when module loading is
- restricted
-
-Writing to MSRs should not be allowed if module loading is restricted,
-since it could lead to execution of arbitrary code in kernel mode. Based
-on a patch by Kees Cook.
-
-Cc: Kees Cook <keescook@chromium.org>
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- arch/x86/kernel/msr.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index 7f3550acde1b..963ba4011923 100644
---- a/arch/x86/kernel/msr.c
-+++ b/arch/x86/kernel/msr.c
-@@ -83,6 +83,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
- int err = 0;
- ssize_t bytes = 0;
-
-+ if (secure_modules())
-+ return -EPERM;
-+
- if (count % 8)
- return -EINVAL; /* Invalid chunk size */
-
-@@ -130,6 +133,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
- err = -EBADF;
- break;
- }
-+ if (secure_modules()) {
-+ err = -EPERM;
-+ break;
-+ }
- if (copy_from_user(®s, uregs, sizeof regs)) {
- err = -EFAULT;
- break;
---
-2.9.3
- |