| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YfBUkIlvQc0U0ylo@bombadil.infradead.org>
Date: Tue, 25 Jan 2022 11:50:40 -0800
From: Luis Chamberlain <mcgrof@...nel.org>
To: Michal Suchanek <msuchanek@...e.de>,
Heiko Carstens <hca@...ux.ibm.com>
Cc: keyrings@...r.kernel.org, linux-crypto@...r.kernel.org,
linux-integrity@...r.kernel.org, kexec@...ts.infradead.org,
Philipp Rudo <prudo@...hat.com>,
Mimi Zohar <zohar@...ux.ibm.com>,
Nayna <nayna@...ux.vnet.ibm.com>, Rob Herring <robh@...nel.org>,
linux-s390@...r.kernel.org, Vasily Gorbik <gor@...ux.ibm.com>,
Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
Jessica Yu <jeyu@...nel.org>, linux-kernel@...r.kernel.org,
David Howells <dhowells@...hat.com>,
Christian Borntraeger <borntraeger@...ibm.com>,
Paul Mackerras <paulus@...ba.org>,
Hari Bathini <hbathini@...ux.ibm.com>,
Alexander Gordeev <agordeev@...ux.ibm.com>,
linuxppc-dev@...ts.ozlabs.org,
Frank van der Linden <fllinden@...zon.com>,
Thiago Jung Bauermann <bauerman@...ux.ibm.com>,
Daniel Axtens <dja@...ens.net>, buendgen@...ibm.com,
Michael Ellerman <mpe@...erman.id.au>,
Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Christian Borntraeger <borntraeger@...ux.ibm.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Sven Schnelle <svens@...ux.ibm.com>,
Baoquan He <bhe@...hat.com>,
linux-security-module@...r.kernel.org
Subject: Re: [PATCH v4 1/6] s390/kexec_file: Don't opencode appended
signature check.
On Mon, Jan 10, 2022 at 02:49:53PM +0100, Michal Suchanek wrote:
> Module verification already implements appeded signature check.
>
> Reuse it for kexec_file.
>
> The kexec_file implementation uses EKEYREJECTED error in some cases when
> there is no key and the common implementation uses ENOPKG or EBADMSG
> instead.
>
> Signed-off-by: Michal Suchanek <msuchanek@...e.de>
> Acked-by: Heiko Carstens <hca@...ux.ibm.com>
> ---
> v3: Philipp Rudo <prudo@...hat.com>: Update the commit with note about
> change of return value
> ---
> arch/s390/kernel/machine_kexec_file.c | 22 +++++-----------------
> 1 file changed, 5 insertions(+), 17 deletions(-)
>
> diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c
> index 8f43575a4dd3..c944d71316c7 100644
> --- a/arch/s390/kernel/machine_kexec_file.c
> +++ b/arch/s390/kernel/machine_kexec_file.c
> @@ -31,6 +31,7 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
> const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;
> struct module_signature *ms;
> unsigned long sig_len;
> + int ret;
>
> /* Skip signature verification when not secure IPLed. */
> if (!ipl_secure_flag)
> @@ -45,25 +46,12 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
> kernel_len -= marker_len;
>
> ms = (void *)kernel + kernel_len - sizeof(*ms);
> - kernel_len -= sizeof(*ms);
> + ret = mod_check_sig(ms, kernel_len, "kexec");
> + if (ret)
> + return ret;
>
> sig_len = be32_to_cpu(ms->sig_len);
> - if (sig_len >= kernel_len)
> - return -EKEYREJECTED;
There is a small minor fix here, where by using mod_check_sig() now
decreased the kernel_len by the sizeof(*ms). It is minor though.
> - kernel_len -= sig_len;
> -
> - if (ms->id_type != PKEY_ID_PKCS7)
> - return -EKEYREJECTED;
More importantly is the return value used here changes but given the
Ack by Heiko I suspect this if fine and does not break old userspace,
the only change here is the possible error value returned by the
kexec_file_load() system call.
Reviewed-by: Luis Chamberlain <mcgrof@...nel.org>
Luis
Powered by blists - more mailing lists