From patchwork Mon Oct 29 14:50:03 2018
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 990279
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH v2 2/2][Cosmic] UBUNTU: SAUCE: (efi-lockdown) module: remove support for deferring module signature verification to IMA
Date: Mon, 29 Oct 2018 09:50:03 -0500
Message-Id: <20181029145003.24178-3-seth.forshee@canonical.com>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181029145003.24178-1-seth.forshee@canonical.com>
References: <20181029145003.24178-1-seth.forshee@canonical.com>
List-Id: Kernel team discussions

BugLink: https://bugs.launchpad.net/bugs/1798863

Recent versions of the "secure boot lockdown" patches introduced support for using IMA signatures for module signing instead of the standard mechanism. This was causing issues and was removed, but the code was missed which actually defers the verification to IMA when IMA enforcement is enabled. With our config this means that by default module signatures are not being enforced under kernel lockdown. Remove the remaining code to restore module signature enforcement under lockdown.

CVE-2018-18653

Signed-off-by: Seth Forshee
---
 kernel/module.c | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/kernel/module.c b/kernel/module.c
index 9af04eebd711..a767bd326b43 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2760,8 +2760,7 @@ static inline void kmemleak_load_module(const struct module *mod, #endif #ifdef CONFIG_MODULE_SIG -static int module_sig_check(struct load_info *info, int flags, - bool can_do_ima_check) +static int module_sig_check(struct load_info *info, int flags) { int err = -ENODATA; const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
@@ -2803,8 +2802,6 @@ static int module_sig_check(struct load_info *info, int flags, return -EKEYREJECTED; } - if (can_do_ima_check && is_ima_appraise_enabled()) - return 0; if (kernel_is_locked_down(reason)) return -EPERM; return 0; @@ -2818,8 +2815,7 @@ static int module_sig_check(struct load_info *info, int flags, } } #else /* !CONFIG_MODULE_SIG */ -static int module_sig_check(struct load_info *info, int flags, - bool can_do_ima_check) +static int module_sig_check(struct load_info *info, int flags) { return 0; } @@ -3684,13 +3680,13 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname, /* Allocate and load the module: note that size of section 0 is always zero, and we rely on this for optional sections. */ static int load_module(struct load_info *info, const char __user *uargs, - int flags, bool can_do_ima_check) + int flags) { struct module *mod; long err; char *after_dashes; - err = module_sig_check(info, flags, can_do_ima_check); + err = module_sig_check(info, flags); if (err) goto free_copy; @@ -3879,7 +3875,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, if (err) return err; - return load_module(&info, uargs, 0, false); + return load_module(&info, uargs, 0); } SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) @@ -3906,7 +3902,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) info.hdr = hdr; info.len = size; - return load_module(&info, uargs, flags, true); + return load_module(&info, uargs, flags); } static inline int within(unsigned long addr, void *start, unsigned long size)
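Review bot: in the @@ -2803 hunk, the removed `if (can_do_ima_check && is_ima_appraise_enabled()) return 0;` sat directly ahead of `if (kernel_is_locked_down(reason)) return -EPERM;`, so on the path where can_do_ima_check was true an IMA-appraise-enabled kernel returned success before lockdown was ever consulted; dropping the early return is the right fix, and the trailing `return 0;` after the lockdown check keeps the non-lockdown behaviour unchanged. If this was the only use of is_ima_appraise_enabled() in kernel/module.c, check whether the header include that provided it is still needed and drop it in the same patch.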
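Review bot: in the @@ -2818 hunk, the !CONFIG_MODULE_SIG stub `static int module_sig_check(struct load_info *info, int flags) { return 0; }` still returns 0 unconditionally, so a kernel built without CONFIG_MODULE_SIG gets no module-signature requirement from lockdown at all. That is pre-existing rather than introduced here, but since the commit message frames the change as restoring enforcement under lockdown, it is worth stating that the restored enforcement depends on CONFIG_MODULE_SIG being set in the config.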
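Review bot: in the @@ -3906 hunk, finit_module() was the only caller passing `true` for can_do_ima_check (init_module() passed `false` in the @@ -3879 hunk and was therefore already hitting the lockdown check), so this is the entry point the bypass affected. A sentence in the commit message saying the gap was specific to the finit_module() path would help anyone triaging CVE-2018-18653 understand which loader syscall was exposed.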
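As an added example (not part of this patch or of the Ubuntu kernel tree), the following constructed C model condenses the decision at the end of module_sig_check() as the hunks show it: the pre-patch version keeps the removed IMA short-circuit ahead of the lockdown check, the post-patch version does not. The enum, struct and function names are assumptions made for the model, and the earlier steps of the real function (locating the signature marker and verifying it against the keyrings) are collapsed into a single `sig_result` input. The point for a defender is the ordering bug the commit message describes: an early-return success path placed before an authorization check silently disables that check.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* EKEYREJECTED is Linux-specific; define it for non-Linux toolchains. */
#ifndef EKEYREJECTED
#define EKEYREJECTED 129
#endif

/* Outcome of the signature step that precedes the lines shown in the
 * @@ -2803 hunk. Constructed for this model; the real function derives
 * it from the module image and the trusted keyrings. */
enum sig_result {
    SIG_OK,           /* valid signature from a trusted key */
    SIG_KEY_REJECTED, /* signature present, but rejected */
    SIG_MISSING       /* no signature at all */
};

struct sig_ctx {
    enum sig_result sig;
    bool ima_appraise_enabled; /* stands in for is_ima_appraise_enabled() */
    bool locked_down;          /* stands in for kernel_is_locked_down(reason) */
};

/* Pre-patch decision. can_do_ima_check was true only on the finit_module()
 * path (@@ -3906 hunk) and false on the init_module() path (@@ -3879 hunk). */
int decide_before_patch(const struct sig_ctx *c, bool can_do_ima_check)
{
    if (c->sig == SIG_OK)
        return 0;
    if (c->sig == SIG_KEY_REJECTED)
        return -EKEYREJECTED;
    /* The removed lines: deferring to IMA returned success before
     * lockdown was consulted, so an unsigned module was accepted. */
    if (can_do_ima_check && c->ima_appraise_enabled)
        return 0;
    if (c->locked_down)
        return -EPERM;
    return 0;
}

/* Post-patch decision: no IMA short-circuit, lockdown is always consulted. */
int decide_after_patch(const struct sig_ctx *c)
{
    if (c->sig == SIG_OK)
        return 0;
    if (c->sig == SIG_KEY_REJECTED)
        return -EKEYREJECTED;
    if (c->locked_down)
        return -EPERM;
    return 0;
}

/* The scenario from the commit message (constructed input): unsigned
 * module, IMA appraisal enabled, kernel locked down. */
static const struct sig_ctx unsigned_ima_lockdown = { SIG_MISSING, true, true };

int finit_module_before(void) { return decide_before_patch(&unsigned_ima_lockdown, true); }
int init_module_before(void)  { return decide_before_patch(&unsigned_ima_lockdown, false); }
int finit_module_after(void)  { return decide_after_patch(&unsigned_ima_lockdown); }

int main(void)
{
    printf("finit_module, before patch: %d (0 means the unsigned module loads)\n",
           finit_module_before());
    printf("init_module,  before patch: %d\n", init_module_before());
    printf("finit_module, after patch:  %d (-EPERM is %d)\n",
           finit_module_after(), -EPERM);
    return 0;
}
```

Running the model shows that before the patch only the finit_module() path accepted the unsigned module (result 0) while init_module() already returned -EPERM; after the patch both paths return -EPERM, and signed or key-rejected modules are handled exactly as before.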