Bug 1980069 (CVE-2021-35039)

Summary: CVE-2021-35039 kernel: allows loading unsigned kernel modules via init_module syscall
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bhu, blc, brdeoliv, bskeggs, chwhite, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jeremy, jforbes, jglisse, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, steved, swood, walters, wcosta, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Linux kernel 5.13 Doc Type: If docs needed, set a value
Doc Text:
A flaw incorrect handle of boot param module.sig_enforce=1 in the Linux kernel modules sign verification functionality was found in the way user boot with this param enabled and both if kernel compiled with param CONFIG_MODULE_SIG unset, then user still can load unsigned module even param module.sig_enforce pretending to be enabled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-03 15:49:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1980070, 1980433    
Bug Blocks: 1980071    

Description Guilherme de Almeida Suckevicz 2021-07-07 17:17:36 UTC
kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature Verification. Without CONFIG_MODULE_SIG, verification that a kernel module is signed, for loading via init_module, does not occur for a module.sig_enforce=1 command-line argument.

Reference:
https://www.openwall.com/lists/oss-security/2021/07/06/3

Upstream patch:
https://github.com/torvalds/linux/commit/0c18f29aae7ce3dadd26d8ee3505d07cc982df75

Comment 1 Guilherme de Almeida Suckevicz 2021-07-07 17:18:06 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1980070]

Comment 2 Justin M. Forbes 2021-07-08 13:59:33 UTC
Fedora enables MODULE_SIG so should not be vulnerable to this, The patch is included in the stable update 5.12.14 for Fedora, so users building their own configs should be covered there as well.