lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CABCJKuePtd00h3Z57Nj6TbG=GyeKeFgkzUBZJUT1v2_BQ9dczA@mail.gmail.com>
Date: Fri, 5 Sep 2025 08:22:56 -0700
From: Sami Tolvanen <samitolvanen@...gle.com>
To: Coder <rootuserhere@...il.com>
Cc: linux-modules@...r.kernel.org, mcgrof@...nel.org, 
	"petr.pavlu@...e.com" <petr.pavlu@...e.com>, da.gomez@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] module: harden module signature checking

Hi,

On Fri, Sep 5, 2025 at 6:38 AM Coder <rootuserhere@...il.com> wrote:
>
> From: Fidal Palamparambil <rootuserhere@...il.com>
> Date: Fri, 5 Sep 2025 17:16:01 +0400
> Subject: [PATCH] module: harden module signature checking
> Cc: mcgrof@...nel.org, petr.pavlu@...e.com, da.gomez@...nel.org, samitolvanen@...gle.com, linux-kernel@...r.kernel.org
>
> module: harden module signature checking
>
> This patch makes small defensive and style improvements to the
> module signature checker:
>
>  - avoid void * arithmetic by casting module header to const u8 *
>  - add an explicit bounds check for ms.sig_len before using it
>  - restore info->len to its original value when verification fails so
>    the loader does not observe a truncated length unexpectedly
>  - use READ_ONCE/WRITE_ONCE for sig_enforce to avoid rare SMP visibility
>    races
>
> These changes are intended to improve clarity and robustness; they do not
> change the signature verification policy or behavior.
>
> Signed-off-by: Fidal Palamparambil <rootuserhere@...il.com>
>
> ---
>
> diff --git a/kernel/module-signing.c b/kernel/module-signing.c
> index abcdef1..1234567 100644
> --- a/kernel/module-signing.c
> +++ b/kernel/module-signing.c

We used to have kernel/module_signing.c before v5.19, but I'm not sure
if kernel/module-signing.c has ever existed. How exactly did you
generate this patch?

Sami

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ