| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1579370126.3421.19.camel@HansenPartnership.com>
Date: Sat, 18 Jan 2020 09:55:26 -0800
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: Franck LENORMAND <franck.lenormand@....com>,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, keyrings@...r.kernel.org
Cc: horia.geanta@....com, silvano.dininno@....com, agk@...hat.com,
snitzer@...hat.com, dm-devel@...hat.com, dhowells@...hat.com,
jmorris@...ei.org, serge@...lyn.com
Subject: Re: [RFC PATCH 2/2] dm-crypt: Use any key type which is registered
On Fri, 2019-03-01 at 17:09 +0100, Franck LENORMAND wrote:
> @@ -2025,16 +2027,15 @@ static int crypt_set_keyring_key(struct
> crypt_config *cc, const char *key_string
> if (!key_desc || key_desc == key_string || !strlen(key_desc
> + 1))
> return -EINVAL;
>
> - if (strncmp(key_string, "logon:", key_desc - key_string + 1)
> &&
> - strncmp(key_string, "user:", key_desc - key_string + 1))
> - return -EINVAL;
> + type = get_key_type(key_string, key_desc - key_string);
> + if (!type)
> + return -ENOENT;
You can't do this. This check ensures that the key responds correctly
to user_key_payload_locked() lower down. To do that, the payload has
to be in a specific form. You ensured that yours are, but dm-crypt
will now accept any key type, load the user payload blindly and create
all sorts of mayhem in the kernel because of the structural differences
in payload types.
James
Powered by blists - more mailing lists