Open Source and information security mailing list archives
 
Message-Id: <1389846443-21270-1-git-send-email-jlee@suse.com>
Date:	Thu, 16 Jan 2014 12:27:23 +0800
From:	"Lee, Chun-Yi" <joeyli.kernel@...il.com>
To:	rusty@...tcorp.com.au, dhowells@...hat.com
Cc:	linux-kernel@...r.kernel.org, Chun-Yi Lee <jlee@...e.com>,
	Josh Boyer <jwboyer@...hat.com>,
	Randy Dunlap <rdunlap@...otime.net>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	"David S. Miller" <davem@...emloft.net>,
	Michal Marek <mmarek@...e.com>
Subject: [RESEND PATCH v3] MODSIGN: Fix including certificate twice when the signing_key.x509 already exists

From: Chun-Yi Lee <jlee@...e.com>

This issue was found in the devel-pekey branch of the linux-modsign.git tree.
The x509_certificate_list includes the certificate twice when
signing_key.x509 already exists.
We can reproduce this issue by building the kernel twice; the build log of
the second build looks like this:

...
  CHK     kernel/config_data.h
  CERTS   kernel/x509_certificate_list
  - Including cert /ramdisk/working/joey/linux-modsign/signing_key.x509
  - Including cert signing_key.x509
...

Actually the build path was the same as the srctree path when building
the kernel. This increases the size of bzImage by packaging the
certificates twice.

Originally this patch was signed and merged to devel-pekey in David
Howells's linux-modsign git:

http://lwn.net/Articles/540288/

git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-modsign.git
tags/pekey-20130221

But it is missing from the mainline kernel.

v3:
Using realpath to compare the current file path with the source tree path.
Thanks to Rusty Russell for the suggestion.

v2:
Using '$(shell /bin/pwd)' instead of '$(shell pwd)' to be more reliable
across different shells.

Cc: Rusty Russell <rusty@...tcorp.com.au>
Cc: Josh Boyer <jwboyer@...hat.com>
Cc: Randy Dunlap <rdunlap@...otime.net>
Cc: Herbert Xu <herbert@...dor.apana.org.au>
Cc: "David S. Miller" <davem@...emloft.net>
Cc: Michal Marek <mmarek@...e.com>
Signed-off-by: Chun-Yi Lee <jlee@...e.com>
Signed-off-by: David Howells <dhowells@...hat.com>
---
 kernel/Makefile |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/kernel/Makefile b/kernel/Makefile
index bc010ee..1d671b1 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -136,7 +136,10 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
 #
 ###############################################################################
 ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
-X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
+X509_CERTIFICATES-y := $(wildcard *.x509)
+ifneq ($(realpath .), $(realpath $(srctree)))
+X509_CERTIFICATES-y += $(wildcard $(srctree)/*.x509)
+endif
 X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509
 X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
 				$(or $(realpath $(CERT)),$(CERT))))
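
Review bot: The new `ifneq ($(realpath .), $(realpath $(srctree)))` guard has no comment, and the changelog does not say why the existing `$(sort ... $(or $(realpath $(CERT)),$(CERT)))` in the context lines below it fails to collapse the duplicate, given that it already canonicalises each entry and GNU make's `$(sort)` drops repeated words. Please add a one-line comment above the `ifneq` saying that the srctree wildcard is skipped for in-tree builds, and explain in the changelog how the relative `signing_key.x509` entry shown in the build log survives that deduplication. Note also that `$(objtree)/signing_key.x509` is still appended unconditionally and can name the same file that `$(wildcard *.x509)` matched, so for that pair the list still depends on the same realpath/sort step; since this list decides which certificates are built into the trusted keyring, it is worth confirming with a second in-tree build that only one "Including cert" line remains.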
-- 
1.6.4.2
