lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250822125454.1287066-2-wangjinchao600@gmail.com>
Date: Fri, 22 Aug 2025 20:54:50 +0800
From: Jinchao Wang <wangjinchao600@...il.com>
To: Luis Chamberlain <mcgrof@...nel.org>,
	Petr Pavlu <petr.pavlu@...e.com>,
	Daniel Gomez <da.gomez@...nel.org>,
	Sami Tolvanen <samitolvanen@...gle.com>,
	linux-modules@...r.kernel.org,
	linux-kernel@...r.kernel.org
Cc: Jinchao Wang <wangjinchao600@...il.com>
Subject: [PATCH 1/5] module: Fix module_sig_check() for modules with ignored modversions/vermagic

The current signature check logic incorrectly fails modules that have
valid signatures when the caller specifies MODULE_INIT_IGNORE_MODVERSIONS
or MODULE_INIT_IGNORE_VERMAGIC flags. This happens because the code
treats these flags as indicating a "mangled module" and skips signature
verification entirely.

The key insight is that the intent of the caller (to ignore modversions
or vermagic) should not affect signature verification. A module with
a valid signature should be verified regardless of whether the caller
wants to ignore versioning information.

The signature represents the authenticity and integrity of the module
content, which is independent of version compatibility checks. By
removing the mangled_module check, we allow signature verification to
proceed for modules that have both valid signatures and are being loaded
with version checking disabled.

This fixes cases where modules with correct signatures were being
rejected when loaded with modversions or vermagic ignored, even though
the signature itself was valid and should have been verified.

Signed-off-by: Jinchao Wang <wangjinchao600@...il.com>
---
 kernel/module/signing.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index a2ff4242e623..9e24c79499de 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -73,15 +73,10 @@ int module_sig_check(struct load_info *info, int flags)
 	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
 	const char *reason;
 	const void *mod = info->hdr;
-	bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |
-				       MODULE_INIT_IGNORE_VERMAGIC);
-	/*
-	 * Do not allow mangled modules as a module with version information
-	 * removed is no longer the module that was signed.
-	 */
-	if (!mangled_module &&
-	    info->len > markerlen &&
-	    memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
+
+	if (info->len > markerlen &&
+	    memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) ==
+		    0) {
 		/* We truncate the module to discard the signature */
 		info->len -= markerlen;
 		err = mod_verify_sig(mod, info);
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ