From: Mimi Zohar
stable inclusion
from linux-4.19.196
commit ff660863628fb144badcb3395cde7821c82c13a6
category: bugfix
issue: #I42HL9
CVE: CVE-2021-35039
--------------------------------
[ Upstream commit 0c18f29aae7ce3dadd26d8ee3505d07cc982df75 ]
Irrespective as to whether CONFIG_MODULE_SIG is configured, specifying
"module.sig_enforce=1" on the boot command line sets "sig_enforce".
Only allow "sig_enforce" to be set when CONFIG_MODULE_SIG is configured.
This patch makes the presence of /sys/module/module/parameters/sig_enforce
dependent on CONFIG_MODULE_SIG=y.
Fixes: fda784e50aac ("module: export module signature enforcement status")
Reported-by: Nayna Jain
Tested-by: Mimi Zohar
Tested-by: Jessica Yu
Signed-off-by: Mimi Zohar
Signed-off-by: Jessica Yu
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin
Signed-off-by: Yang Yingliang
Signed-off-by: Yu Changchun
---
kernel/module.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/kernel/module.c b/kernel/module.c
index d05e1bfdd..efa25f7b3 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -268,9 +268,18 @@ static void module_assert_mutex_or_preempt(void)
#endif
}
+#ifdef CONFIG_MODULE_SIG
static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
module_param(sig_enforce, bool_enable_only, 0644);
+void set_module_sig_enforced(void)
+{
+ sig_enforce = true;
+}
+#else
+#define sig_enforce false
+#endif
+
/*
* Export sig_enforce kernel cmdline parameter to allow other subsystems rely
* on that instead of directly to CONFIG_MODULE_SIG_FORCE config.
--
2.22.0
