diff options
Diffstat (limited to 'debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch')
| -rw-r--r-- | debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch b/debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch new file mode 100644 index 000000000..1a7a4d879 --- /dev/null +++ b/debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch @@ -0,0 +1,50 @@ +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 8 Nov 2017 15:11:34 +0000 +Subject: [13/29] x86/msr: Restrict MSR access when the kernel is locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=696dcddb285558b4febf318fe620a344d2b2fa47 + +Writing to MSRs should not be allowed if the kernel is locked down, since +it could lead to execution of arbitrary code in kernel mode. Based on a +patch by Kees Cook. + +MSR accesses are logged for the purposes of building up a whitelist as per +Alan Cox's suggestion. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Acked-by: Kees Cook <keescook@chromium.org> +Reviewed-by: Thomas Gleixner <tglx@linutronix.de> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: x86@kernel.org +--- + arch/x86/kernel/msr.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +Index: linux/arch/x86/kernel/msr.c +=================================================================== +--- linux.orig/arch/x86/kernel/msr.c ++++ linux/arch/x86/kernel/msr.c +@@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *fi + int err = 0; + ssize_t bytes = 0; + ++ if (kernel_is_locked_down("Direct MSR access")) { ++ pr_info("Direct access to MSR %x\n", reg); ++ return -EPERM; ++ } ++ + if (count % 8) + return -EINVAL; /* Invalid chunk size */ + +@@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file, + err = -EFAULT; + break; + } ++ if (kernel_is_locked_down("Direct MSR access")) { ++ pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */ ++ err = -EPERM; ++ break; ++ } + err = wrmsr_safe_regs_on_cpu(cpu, regs); + if (err) + break; |