I've requested a CVE for this issue. I wanted to provide some more context as other Linux distributions will likely be reading this bug report once the CVE assignment occurs.
This flaw is introduced by certain configuration options in combination with this out-of-tree patch from the Lockdown patchset:

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/cosmic/commit/?id=03c7de9e956395f3b36f86f89b62780ad9501eef

We do not force module signatures (CONFIG_MODULE_SIG_FORCE=n), we enable IMA-appraise (CONFIG_IMA_APPRAISE=y), and we do not use the built-in IMA secure_boot policy snippet by default. Therefore, no signature verification is performed when a module is loaded via the finit_module(2) syscall.

https://bugs.launchpad.net/bugs/1798863

Title: 18.10 kernel does not appear to validate kernel module signatures correctly
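For readers checking their own kernels against the three conditions named in the comment above, the following is an added example, not part of the bug report or of Ubuntu's tooling. The function names are hypothetical, the sample config is constructed, and it assumes the built-in secure_boot policy is selected with the `ima_policy=` boot parameter.

```shell
#!/bin/sh
# Added example (not from the bug report): test a kernel config and command
# line for the option combination the comment describes.

# cfg_value FILE OPTION: print the option's value, "n" if unset.
cfg_value() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-n}"
}

# ima_secure_boot_selected CMDLINE: exit 0 if ima_policy= lists secure_boot.
# Assumption: the built-in policy is selected with the ima_policy= boot
# parameter, whose value may hold several names separated by "|".
ima_secure_boot_selected() (
    set -f    # no globbing while word-splitting the command line
    for arg in $(printf '%s' "$1" | tr -d '"'); do
        case "$arg" in
            ima_policy=*)
                case "|${arg#ima_policy=}|" in
                    *"|secure_boot|"*) return 0 ;;
                esac ;;
        esac
    done
    return 1
)

# matches_reported_combo FILE CMDLINE: exit 0 when all three conditions from
# the comment hold. It cannot tell whether the out-of-tree patch is applied,
# nor whether a custom IMA policy was loaded at run time.
matches_reported_combo() {
    [ "$(cfg_value "$1" CONFIG_MODULE_SIG_FORCE)" != y ] &&
    [ "$(cfg_value "$1" CONFIG_IMA_APPRAISE)" = y ] &&
    ! ima_secure_boot_selected "$2"
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
printf '%s\n' '# CONFIG_MODULE_SIG_FORCE is not set' 'CONFIG_MODULE_SIG=y' \
    'CONFIG_IMA_APPRAISE=y' > "$sample"
if matches_reported_combo "$sample" 'ro quiet splash'; then
    echo 'sample: matches the reported combination'
fi
rm -f "$sample"
```

On a live system the same function can be pointed at the running kernel's config file and the contents of `/proc/cmdline`; a match means the configuration side of the report applies, not that the patch is present.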
