lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <11253.1336746723@redhat.com>
Date:	Fri, 11 May 2012 15:32:03 +0100
From:	David Howells <dhowells@...hat.com>
To:	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
Cc:	dhowells@...hat.com, rusty@...tcorp.com.au, kyle@...artin.ca,
	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org, keyrings@...ux-nfs.org
Subject: Re: [PATCH 00/29] Crypto keys and module signing [ver #4]

Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp> wrote:

> +	int npkey = key->algo->n_pub_mpi;
> +	int i, ret = -ENOMEM;
> +
> +	kenter("");
> +
> +	n = (pgp->version < PGP_KEY_VERSION_4) ? 8 : 6;
> +	for (i = 0; i < npkey; i++) {
> +		nb[i] = mpi_get_nbits(key->mpi[i]);
> 
> Is key->algo->n_pub_mpi < ARRAY_SIZE(key->mpi) guaranteed?

Yes.  It's hard-coded in the public_key_algorithm struct - for instance the
one to be found at the bottom of security/keys/crypto_rsa.c.

We also check for an excessive quantity of MPIs in pgp_process_public_key().

> +		if( pgp->expires_at)
> 
> checkpatch.pl

Fixed some of those.

> +error:
> +	for (i = 0; i < npkey; i++)
> +		kfree(pp[i]);
> 
> Stack memory may not be initialized.

Fair point.

> +		hashedsz = 4 + 2 + (data[4] << 8) + data[5];
> 
> Given the (datalen <= 2) check below, can we trust data[4,5] here?

We've already done some length and content checking on the signature data.  In
the module verification case, this happens:

 (1) module_verify_sig() has already passed the signature data to
     verify_sig_begin(),

 (2) which passed it to pgp_pkey_verify_sig_begin(),

 (3) which invoked pgp_parse_packets(),

 (4) which called back to pgp_pkey_parse_signature(),

 (5) which then invoked pgp_parse_sig_params() which did sufficient length
     checking to make sure we're okay here.

by the time we get to pgp_pkey_digest_signature() we're at the end of the
process (in verify_sig_end()).

The trailer, however, is not checked at that point - though I suppose it
probably should be.  There isn't currently an MPI function to do just a check
rather than an extraction.

I can add comments to this effect if you think it would help reduce confusion.

> +static int module_verify_canonicalise(struct module_verify_data *mvdata)
> +{
> +	const Elf_Shdr *sechdrs = mvdata->sections;
> +	unsigned *canonlist, canon, loop, tmp;
> +	bool changed;
> +
> +	canonlist = kmalloc(sizeof(unsigned) * mvdata->nsects * 2, GFP_KERNEL);
> +	if (!canonlist)
> +		return -ENOMEM;
> 
> Can mvdata->nsects == (UINT_MAX + 1) / (sizeof(unsigned) * 2) due to size_t?
> I think we want kmalloc() variant that does not return ZERO_SIZE_PTR.

This line should prevent that:

	elfcheck(hdr->e_shnum < SHN_LORESERVE);

given:

	#define SHN_LORESERVE	0xff00

Thanks for the thorough review!

David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ