lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20190710013225.GB7973@sol.localdomain>
Date:   Tue, 9 Jul 2019 18:32:25 -0700
From:   Eric Biggers <ebiggers@...nel.org>
To:     David Howells <dhowells@...hat.com>, keyrings@...r.kernel.org,
        Valdis Klētnieks <valdis.kletnieks@...edu>,
        David Woodhouse <dwmw2@...radead.org>,
        linux-kernel@...r.kernel.org
Subject: Re: next-20190705 - problems generating certs/x509_certificate_list

On Tue, Jul 09, 2019 at 01:17:14PM -0700, Eric Biggers wrote:
> On Fri, Jul 05, 2019 at 11:44:18PM -0400, Valdis Klētnieks wrote:
> > This worked fine in next-20190618, but in next-20190701 I'm seeing dmesg
> > entries at boot:
> > 
> > dmesg | grep -i x.509
> > [    8.345699] Loading compiled-in X.509 certificates
> > [    8.366137] Problem loading in-kernel X.509 certificate (-13)
> > [    8.507348] cfg80211: Loading compiled-in X.509 certificates for regulatory database
> > [    8.526556] cfg80211: Problem loading in-kernel X.509 certificate (-13)
> > 
> > I start debugging, and discover that certs/x509_certificate_list is a zero-length file.
> > I rm it, and 'make V=1 certs/system_certificates.o', which tells me:
> > 
> > (....)
> > make -f ./scripts/Makefile.headersinst obj=include/uapi
> > make -f ./scripts/Makefile.headersinst obj=arch/x86/include/uapi
> > make -f ./scripts/Makefile.build obj=certs certs/system_certificates.o
> > ---- smoking gun alert
> >   scripts/extract-cert "" certs/x509_certificate_list
> > ----
> >   gcc -Wp,-MD,certs/.system_certificates.o.d  -nostdinc -isystem /usr/lib/gcc/x86_64-redhat-linux/9/include -I./arch/x86/include -I./arch/x86/include/generated  -I./include -I./arch/x86/include/uapi -I./arch/x86/include/generated/uapi -I./include/uapi -I./include/generated/uapi -include ./include/linux/kconfig.h -D__KERNEL__ -D__ASSEMBLY__ -fno-PIE -m64 -DCONFIG_AS_CFI=1 -DCONFIG_AS_CFI_SIGNAL_FRAME=1 -DCONFIG_AS_CFI_SECTIONS=1 -DCONFIG_AS_SSSE3=1 -DCONFIG_AS_AVX=1 -DCONFIG_AS_AVX2=1 -DCONFIG_AS_AVX512=1 -DCONFIG_AS_SHA1_NI=1 -DCONFIG_AS_SHA256_NI=1 -Wa,-gdwarf-2 -DCC_USING_FENTRY -I.   -c -o certs/system_certificates.o certs/system_certificates.S
> > 
> > I go look at extract-cert.c, and sure enough, if the first parameter is a null string
> > it just goes and creates an empty file.
> > 
> > The Makefile says:
> > 
> > quiet_cmd_extract_certs  = EXTRACT_CERTS   $(patsubst "%",%,$(2))
> >       cmd_extract_certs  = scripts/extract-cert $(2) $@
> > 
> > and damned if I know why $(2) is "". Diffed the config files from -0618 and -0705,
> > not seeing anything relevant difference.
> > 
> > Any ideas?
> > 
> 
> I'm seeing on mainline now:
> 
> [   10.915386] Problem loading in-kernel X.509 certificate (-13)
> 
> - Eric

This is caused by

commit 2e12256b9a76584fa3a6da19210509d4775aee36
Author: David Howells <dhowells@...hat.com>
Date:   Thu Jun 27 23:03:07 2019 +0100

    keys: Replace uid/gid/perm permissions checking with an ACL

- Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ