summaryrefslogtreecommitdiffstats
path: root/debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch50
1 files changed, 50 insertions, 0 deletions
diff --git a/debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch b/debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch
new file mode 100644
index 000000000..1a7a4d879
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch
@@ -0,0 +1,50 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Wed, 8 Nov 2017 15:11:34 +0000
+Subject: [13/29] x86/msr: Restrict MSR access when the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=696dcddb285558b4febf318fe620a344d2b2fa47
+
+Writing to MSRs should not be allowed if the kernel is locked down, since
+it could lead to execution of arbitrary code in kernel mode. Based on a
+patch by Kees Cook.
+
+MSR accesses are logged for the purposes of building up a whitelist as per
+Alan Cox's suggestion.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+cc: x86@kernel.org
+---
+ arch/x86/kernel/msr.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+Index: linux/arch/x86/kernel/msr.c
+===================================================================
+--- linux.orig/arch/x86/kernel/msr.c
++++ linux/arch/x86/kernel/msr.c
+@@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *fi
+ int err = 0;
+ ssize_t bytes = 0;
+
++ if (kernel_is_locked_down("Direct MSR access")) {
++ pr_info("Direct access to MSR %x\n", reg);
++ return -EPERM;
++ }
++
+ if (count % 8)
+ return -EINVAL; /* Invalid chunk size */
+
+@@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file,
+ err = -EFAULT;
+ break;
+ }
++ if (kernel_is_locked_down("Direct MSR access")) {
++ pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */
++ err = -EPERM;
++ break;
++ }
+ err = wrmsr_safe_regs_on_cpu(cpu, regs);
+ if (err)
+ break;