Message-ID: <87potumgqa.fsf@rustcorp.com.au>
Date:	Wed, 13 Apr 2016 11:07:17 +0930
From:	Rusty Russell <rusty@...tcorp.com.au>
To:	Libor Pechacek <lpechacek@...e.com>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] module: Issue warnings when tainting kernel

Libor Pechacek <lpechacek@...e.com> writes:
> While most of the locations where a kernel taint bit is set are accompanied
> with a warning message, there are two which set their bits silently.  If
> the tainting module gets unloaded later on, it is almost impossible to tell
> what was the reason for setting the flag.
>
> Signed-off-by: Libor Pechacek <lpechacek@...e.com>

Applied, thanks!

Cheers,
Rusty.

> ---
>  kernel/module.c | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/module.c b/kernel/module.c
> index 041200ca4a2d..e2d83d77a0e9 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -2812,8 +2812,12 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
>  		return -ENOEXEC;
>  	}
>  
> -	if (!get_modinfo(info, "intree"))
> +	if (!get_modinfo(info, "intree")) {
> +		if (!test_taint(TAINT_OOT_MODULE))
> +			pr_warn("%s: loading out-of-tree module taints kernel.\n",
> +				mod->name);
>  		add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK);
> +	}
>  
>  	if (get_modinfo(info, "staging")) {
>  		add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK);
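Review bot: The new pr_warn() in check_modinfo() is gated on !test_taint(TAINT_OOT_MODULE), so only the first out-of-tree module loaded is named in the log; every later out-of-tree module is tainted without a message. If the aim in the commit message is to be able to tell afterwards what set the flag, this covers the first module only. Either state in a comment that the message is deliberately printed once per flag, or drop the test_taint() guard so each out-of-tree load is logged by name. The test_taint() check and the add_taint_module() call are also separate steps, so two loads racing through here could both print; worth a sentence in the changelog if that is acceptable.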
> @@ -2978,6 +2982,8 @@ static int move_module(struct module *mod, struct load_info *info)
>  
>  static int check_module_license_and_versions(struct module *mod)
>  {
> +	int prev_taint = test_taint(TAINT_PROPRIETARY_MODULE);
> +
>  	/*
>  	 * ndiswrapper is under GPL by itself, but loads proprietary modules.
>  	 * Don't use add_taint_module(), as it would prevent ndiswrapper from
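Review bot: prev_taint at the top of check_module_license_and_versions() is a snapshot of a global flag, declared well away from its only use after the license checks, and its name does not say which flag it holds. Consider a bool with a more specific name (prev_proprietary_taint, as a suggestion) and a one-line comment saying it exists to detect a 0-to-1 transition made inside this function, since the ndiswrapper comment just below shows that at least one path here deliberately avoids add_taint_module().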
> @@ -2996,6 +3002,9 @@ static int check_module_license_and_versions(struct module *mod)
>  		add_taint_module(mod, TAINT_PROPRIETARY_MODULE,
>  				 LOCKDEP_NOW_UNRELIABLE);
>  
> +	if (!prev_taint && test_taint(TAINT_PROPRIETARY_MODULE))
> +		pr_warn("%s: module license taints kernel.\n", mod->name);
> +
>  #ifdef CONFIG_MODVERSIONS
>  	if ((mod->num_syms && !mod->crcs)
>  	    || (mod->num_gpl_syms && !mod->gpl_crcs)
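Review bot: The text "module license taints kernel" after the add_taint_module() call is printed for any path in this function that sets TAINT_PROPRIETARY_MODULE, including the ndiswrapper case that the comment earlier in the function describes as GPL-licensed itself. For that module the log would attribute the taint to a license that is not the cause. Either word the message neutrally, for example "%s: module taints kernel (proprietary).\n", or print from each branch that sets the flag so the reason is exact. As with the out-of-tree warning, the !prev_taint condition means only the first such module is ever named.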
> -- 
> 1.7.12.4
