lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 2 Nov 2018 14:47:14 +0800
From:   kbuild test robot <lkp@...el.com>
To:     Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
Cc:     kbuild-all@...org, David Howells <dhowells@...hat.com>,
        linux-kernel@...r.kernel.org, kexec@...ts.infradead.org,
        Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
Subject: Re: [PATCH] lockdown: allow kexec_file of unsigned images when not
 under lockdown

Hi Thadeu,

I love your patch! Yet something to improve:

[auto build test ERROR on linus/master]
[also build test ERROR on v4.19 next-20181102]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Thadeu-Lima-de-Souza-Cascardo/lockdown-allow-kexec_file-of-unsigned-images-when-not-under-lockdown/20181102-123838
config: x86_64-randconfig-x002-201843 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=x86_64 

All error/warnings (new ones prefixed by >>):

   In file included from include/asm-generic/bug.h:5:0,
                    from arch/x86/include/asm/bug.h:47,
                    from include/linux/bug.h:5,
                    from include/linux/mmdebug.h:5,
                    from include/linux/mm.h:9,
                    from kernel/kexec_file.c:15:
   kernel/kexec_file.c: In function 'kimage_file_prepare_segments':
>> kernel/kexec_file.c:222:13: error: implicit declaration of function 'kernel_is_locked_down'; did you mean 'kernel_sigaction'? [-Werror=implicit-function-declaration]
     if (ret && kernel_is_locked_down("kexec of unsigned images"))
                ^
   include/linux/compiler.h:58:30: note: in definition of macro '__trace_if'
     if (__builtin_constant_p(!!(cond)) ? !!(cond) :   \
                                 ^~~~
>> kernel/kexec_file.c:222:2: note: in expansion of macro 'if'
     if (ret && kernel_is_locked_down("kexec of unsigned images"))
     ^~
   cc1: some warnings being treated as errors

vim +222 kernel/kexec_file.c

   182	
   183	/*
   184	 * In file mode list of segments is prepared by kernel. Copy relevant
   185	 * data from user space, do error checking, prepare segment list
   186	 */
   187	static int
   188	kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
   189				     const char __user *cmdline_ptr,
   190				     unsigned long cmdline_len, unsigned flags)
   191	{
   192		int ret = 0;
   193		void *ldata;
   194		loff_t size;
   195	
   196		ret = kernel_read_file_from_fd(kernel_fd, &image->kernel_buf,
   197					       &size, INT_MAX, READING_KEXEC_IMAGE);
   198		if (ret)
   199			return ret;
   200		image->kernel_buf_len = size;
   201	
   202		/* IMA needs to pass the measurement list to the next kernel. */
   203		ima_add_kexec_buffer(image);
   204	
   205		/* Call arch image probe handlers */
   206		ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
   207						    image->kernel_buf_len);
   208		if (ret)
   209			goto out;
   210	
   211	#ifdef CONFIG_KEXEC_VERIFY_SIG
   212		ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
   213						   image->kernel_buf_len);
   214		if (ret) {
   215			pr_debug("kernel signature verification failed.\n");
   216		} else {
   217			pr_debug("kernel signature verification successful.\n");
   218		}
   219	#elif
   220		ret = -EPERM;
   221	#endif
 > 222		if (ret && kernel_is_locked_down("kexec of unsigned images"))
   223			goto out;
   224		else
   225			ret = 0;
   226	
   227		/* It is possible that there no initramfs is being loaded */
   228		if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
   229			ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
   230						       &size, INT_MAX,
   231						       READING_KEXEC_INITRAMFS);
   232			if (ret)
   233				goto out;
   234			image->initrd_buf_len = size;
   235		}
   236	
   237		if (cmdline_len) {
   238			image->cmdline_buf = memdup_user(cmdline_ptr, cmdline_len);
   239			if (IS_ERR(image->cmdline_buf)) {
   240				ret = PTR_ERR(image->cmdline_buf);
   241				image->cmdline_buf = NULL;
   242				goto out;
   243			}
   244	
   245			image->cmdline_buf_len = cmdline_len;
   246	
   247			/* command line should be a string with last byte null */
   248			if (image->cmdline_buf[cmdline_len - 1] != '\0') {
   249				ret = -EINVAL;
   250				goto out;
   251			}
   252		}
   253	
   254		/* Call arch image load handlers */
   255		ldata = arch_kexec_kernel_image_load(image);
   256	
   257		if (IS_ERR(ldata)) {
   258			ret = PTR_ERR(ldata);
   259			goto out;
   260		}
   261	
   262		image->image_loader_data = ldata;
   263	out:
   264		/* In case of error, free up all allocated memory in this function */
   265		if (ret)
   266			kimage_file_post_load_cleanup(image);
   267		return ret;
   268	}
   269	

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

Download attachment ".config.gz" of type "application/gzip" (33603 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ