[PATCH 2/3] af_802154: Disable auto-loading as mitigation against local exploits

Forwarded: not-needed

Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation.  We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.

The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was
not present in the 'lenny' kernel, and seems to receive only sporadic
maintenance.  Therefore disable auto-loading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic debian
Gbp-Pq: Name af_802154-Disable-auto-loading-as-mitigation-against.patch

diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index 990a83455dcfb5fbb8af133553fc0ceb0e130522..0fda4f3f3b80c4ba9c5d38b02c7deb66492f76e6 100644 (file)
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -1138,4 +1138,4 @@ module_exit(af_ieee802154_remove);
 
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("IEEE 802.15.4 socket interface");
-MODULE_ALIAS_NETPROTO(PF_IEEE802154);
+/* MODULE_ALIAS_NETPROTO(PF_IEEE802154); */