lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20221104014704.3469-1-linux@weissschuh.net>
Date:   Fri,  4 Nov 2022 02:47:04 +0100
From:   Thomas Weißschuh <linux@...ssschuh.net>
To:     David Howells <dhowells@...hat.com>,
        David Woodhouse <dwmw2@...radead.org>
Cc:     Thomas Weißschuh <linux@...ssschuh.net>,
        keyrings@...r.kernel.org, linux-kernel@...r.kernel.org,
        Mickaël Salaün <mic@...ux.microsoft.com>
Subject: [PATCH] certs: Prevent spurious errors on repeated blacklisting

When the blacklist keyring was changed to allow updates from the root
user it gained an ->update() function that disallows all updates.
When the a hash is blacklisted multiple times from the builtin or
firmware-provided blacklist this spams prominent logs during boot:

[    0.890814] blacklist: Problem blacklisting hash (-13)

As all these repeated calls to mark_raw_hash_blacklisted() would create
the same keyring entry again anyways these errors can be safely ignored.

Fixes: 6364d106e041 ("certs: Allow root user to append signed hashes to the blacklist keyring")
Signed-off-by: Thomas Weißschuh <linux@...ssschuh.net>
---
 certs/blacklist.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index 41f10601cc72..5f7f2882ced7 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -191,7 +191,9 @@ static int mark_raw_hash_blacklisted(const char *hash)
 				   BLACKLIST_KEY_PERM,
 				   KEY_ALLOC_NOT_IN_QUOTA |
 				   KEY_ALLOC_BUILT_IN);
-	if (IS_ERR(key)) {
+
+	/* Blacklisting the same hash twice fails but would be idempotent */
+	if (IS_ERR(key) && PTR_ERR(key) != -EACCES) {
 		pr_err("Problem blacklisting hash (%ld)\n", PTR_ERR(key));
 		return PTR_ERR(key);
 	}

base-commit: ee6050c8af96bba2f81e8b0793a1fc2f998fcd20
-- 
2.38.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ