lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <87zitpl2fb.fsf@gmail.com>
Date:	Wed, 23 Mar 2016 15:00:24 +0100
From:	Nicolai Stange <nicstange@...il.com>
To:	Herbert Xu <herbert@...dor.apana.org.au>
Cc:	Nicolai Stange <nicstange@...il.com>,
	"David S. Miller" <davem@...emloft.net>,
	David Howells <dhowells@...hat.com>,
	Tadeusz Struk <tadeusz.struk@...el.com>,
	linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument

Herbert Xu <herbert@...dor.apana.org.au> writes:

> On Sun, Mar 20, 2016 at 11:23:46PM +0100, Nicolai Stange wrote:
>> Despite what the DocBook comment to pkcs7_validate_trust() says, the
>> *_trusted argument is never set to false.
>> 
>> pkcs7_validate_trust() only positively sets *_trusted upon encountering
>> a trusted PKCS#7 SignedInfo block.
>> 
>> This is quite unfortunate since its callers, system_verify_data() for
>> example, depend on pkcs7_validate_trust() clearing *_trusted on non-trust.
>> 
>> Indeed, UBSAN splats when attempting to load the uninitialized local
>> variable 'trusted' from system_verify_data() in pkcs7_validate_trust():
>> 
>>   UBSAN: Undefined behaviour in crypto/asymmetric_keys/pkcs7_trust.c:194:14
>>   load of value 82 is not a valid value for type '_Bool'
>>   [...]
>>   Call Trace:
>>     [<ffffffff818c4d35>] dump_stack+0xbc/0x117
>>     [<ffffffff818c4c79>] ? _atomic_dec_and_lock+0x169/0x169
>>     [<ffffffff8194113b>] ubsan_epilogue+0xd/0x4e
>>     [<ffffffff819419fa>] __ubsan_handle_load_invalid_value+0x111/0x158
>>     [<ffffffff819418e9>] ? val_to_string.constprop.12+0xcf/0xcf
>>     [<ffffffff818334a4>] ? x509_request_asymmetric_key+0x114/0x370
>>     [<ffffffff814b83f0>] ? kfree+0x220/0x370
>>     [<ffffffff818312c2>] ? public_key_verify_signature_2+0x32/0x50
>>     [<ffffffff81835e04>] pkcs7_validate_trust+0x524/0x5f0
>>     [<ffffffff813c391a>] system_verify_data+0xca/0x170
>>     [<ffffffff813c3850>] ? top_trace_array+0x9b/0x9b
>>     [<ffffffff81510b29>] ? __vfs_read+0x279/0x3d0
>>     [<ffffffff8129372f>] mod_verify_sig+0x1ff/0x290
>>     [...]
>> 
>> The implication is that pkcs7_validate_trust() effectively grants trust
>> when it really shouldn't have.
>> 
>> Fix this by explicitly setting *_trusted to false at the very beginning
>> of pkcs7_validate_trust().
>> 
>> Signed-off-by: Nicolai Stange <nicstange@...il.com>
>
> Patch applied.  Thanks!

Thank you very much!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ