| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210407141553.266b704e@canb.auug.org.au>
Date: Wed, 7 Apr 2021 14:15:53 +1000
From: Stephen Rothwell <sfr@...b.auug.org.au>
To: David Howells <dhowells@...hat.com>,
Mimi Zohar <zohar@...ux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>
Cc: Eric Snowberg <eric.snowberg@...cle.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Linux Next Mailing List <linux-next@...r.kernel.org>,
Mimi Zohar <zohar@...ux.ibm.com>,
Nayna Jain <nayna@...ux.ibm.com>
Subject: linux-next: manual merge of the keys tree with the integrity tree
Hi all,
Today's linux-next merge of the keys tree got a conflict in:
certs/system_keyring.c
between commit:
df73a4001959 ("ima: enable loading of build time generated key on .ima keyring")
from the integrity tree and commit:
9536390dcc8c ("certs: Move load_system_certificate_list to a common function")
from the keys tree.
I fixed it up (I think - see below) and can carry the fix as
necessary. This is now fixed as far as linux-next is concerned, but any
non trivial conflicts should be mentioned to your upstream maintainer
when your tree is submitted for merging. You may also want to consider
cooperating with the maintainer of the conflicting tree to minimise any
particularly complex conflicts.
--
Cheers,
Stephen Rothwell
diff --cc certs/system_keyring.c
index bb122bf4cc17,0c9a4795e847..000000000000
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@@ -133,85 -133,15 +134,34 @@@ static __init int system_trusted_keyrin
*/
device_initcall(system_trusted_keyring_init);
- static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring)
- {
- key_ref_t key;
- size_t plen;
-
- while (p < end) {
- /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
- * than 256 bytes in size.
- */
- if (end - p < 4)
- goto dodgy_cert;
- if (p[0] != 0x30 &&
- p[1] != 0x82)
- goto dodgy_cert;
- plen = (p[2] << 8) | p[3];
- plen += 4;
- if (plen > end - p)
- goto dodgy_cert;
-
- key = key_create_or_update(make_key_ref(keyring, 1),
- "asymmetric",
- NULL,
- p,
- plen,
- ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
- KEY_USR_VIEW | KEY_USR_READ),
- KEY_ALLOC_NOT_IN_QUOTA |
- KEY_ALLOC_BUILT_IN |
- KEY_ALLOC_BYPASS_RESTRICTION);
- if (IS_ERR(key)) {
- pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
- PTR_ERR(key));
- } else {
- pr_notice("Loaded X.509 cert '%s'\n",
- key_ref_to_ptr(key)->description);
- key_ref_put(key);
- }
- p += plen;
- }
-
- return 0;
-
- dodgy_cert:
- pr_err("Problem parsing in-kernel X.509 certificate list\n");
- return 0;
- }
-
+__init int load_module_cert(struct key *keyring)
+{
- const u8 *p, *end;
-
+ if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
+ return 0;
+
+ pr_notice("Loading compiled-in module X.509 certificates\n");
+
- p = system_certificate_list;
- end = p + module_cert_size;
-
- return load_cert(p, end, keyring);
++ return load_certificate_list(system_certificate_list, module_cert_size,
++ keyring);
+}
+
/*
* Load the compiled-in list of X.509 certificates.
*/
static __init int load_system_certificate_list(void)
{
- const u8 *p, *end;
++ const u8 *p;
+
pr_notice("Loading compiled-in X.509 certificates\n");
- return load_certificate_list(system_certificate_list, system_certificate_list_size,
+#ifdef CONFIG_MODULE_SIG
+ p = system_certificate_list;
+#else
+ p = system_certificate_list + module_cert_size;
+#endif
+
- end = p + system_certificate_list_size;
- return load_cert(p, end, builtin_trusted_keys);
++ return load_certificate_list(p, system_certificate_list_size,
+ builtin_trusted_keys);
}
late_initcall(load_system_certificate_list);
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists