lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <6cd0f597-d56e-4a20-bf6b-42cebacdd4c8@gmail.com>
Date: Mon, 25 Aug 2025 11:17:05 +0800
From: Jinchao Wang <wangjinchao600@...il.com>
To: Sami Tolvanen <samitolvanen@...gle.com>
Cc: Luis Chamberlain <mcgrof@...nel.org>, Petr Pavlu <petr.pavlu@...e.com>,
 Daniel Gomez <da.gomez@...nel.org>, linux-modules@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/5] module: Fix module_sig_check() for modules with
 ignored modversions/vermagic

On 8/23/25 03:36, Sami Tolvanen wrote:
> On Fri, Aug 22, 2025 at 5:55 AM Jinchao Wang <wangjinchao600@...il.com> wrote:
>>
>> The current signature check logic incorrectly fails modules that have
>> valid signatures when the caller specifies MODULE_INIT_IGNORE_MODVERSIONS
>> or MODULE_INIT_IGNORE_VERMAGIC flags. This happens because the code
>> treats these flags as indicating a "mangled module" and skips signature
>> verification entirely.
>>
>> The key insight is that the intent of the caller (to ignore modversions
>> or vermagic) should not affect signature verification. A module with
>> a valid signature should be verified regardless of whether the caller
>> wants to ignore versioning information.
> 
> Why would you need to ignore versions when loading signed modules?
> Here's the original series that added this check and I feel it's very
> much relevant still:
> 
> https://lore.kernel.org/lkml/20160423184421.GL3348@decadent.org.uk/
> 
> Sami

Hi Sami,

Thanks for explaining the historical context. I think there are two 
possible understandings of "ignore."

The original seems to be "do not check, but still taint the module." My 
patch was based on the understanding that "ignore" means to allow the 
module, even if it is not signed or is signed with a different key.

Given your feedback, I've decided to drop the patch for now.
-- 
Best regards,
Jinchao

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ