lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Fri,  4 Nov 2022 13:20:23 +0100
From:   Roberto Sassu <roberto.sassu@...weicloud.com>
To:     zohar@...ux.ibm.com, dmitry.kasatkin@...il.com,
        paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com
Cc:     linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        Roberto Sassu <roberto.sassu@...wei.com>,
        stable@...r.kernel.org
Subject: [PATCH] ima: Make a copy of sig and digest in asymmetric_verify()

From: Roberto Sassu <roberto.sassu@...wei.com>

Commit ac4e97abce9b8 ("scatterlist: sg_set_buf() argument must be in linear
mapping") requires that both the signature and the digest resides in the
linear mapping area.

However, more recently commit ba14a194a434c ("fork: Add generic vmalloced
stack support"), made it possible to move the stack in the vmalloc area,
which could make the requirement of the first commit not satisfied anymore.

If CONFIG_SG=y and CONFIG_VMAP_STACK=y, the following BUG() is triggered:

[  467.077359] kernel BUG at include/linux/scatterlist.h:163!
[  467.077939] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI

[...]

[  467.095225] Call Trace:
[  467.096088]  <TASK>
[  467.096928]  ? rcu_read_lock_held_common+0xe/0x50
[  467.097569]  ? rcu_read_lock_sched_held+0x13/0x70
[  467.098123]  ? trace_hardirqs_on+0x2c/0xd0
[  467.098647]  ? public_key_verify_signature+0x470/0x470
[  467.099237]  asymmetric_verify+0x14c/0x300
[  467.099869]  evm_verify_hmac+0x245/0x360
[  467.100391]  evm_inode_setattr+0x43/0x190

The failure happens only for the digest, as the pointer comes from the
stack, and not for the signature, which instead was allocated by
vfs_getxattr_alloc().

Fix this by making a copy of both in asymmetric_verify(), so that the
linear mapping requirement is always satisfied, regardless of the caller.

Cc: stable@...r.kernel.org # 4.9.x
Fixes: ba14a194a434 ("fork: Add generic vmalloced stack support")
Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
---
 security/integrity/digsig_asymmetric.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index 895f4b9ce8c6..635238d5c7fe 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -122,11 +122,26 @@ int asymmetric_verify(struct key *keyring, const char *sig,
 		goto out;
 	}
 
-	pks.digest = (u8 *)data;
+	pks.digest = kmemdup(data, datalen, GFP_KERNEL);
+	if (!pks.digest) {
+		ret = -ENOMEM;
+		goto out;
+	}
+
 	pks.digest_size = datalen;
-	pks.s = hdr->sig;
+
+	pks.s = kmemdup(hdr->sig, siglen, GFP_KERNEL);
+	if (!pks.s) {
+		kfree(pks.digest);
+		ret = -ENOMEM;
+		goto out;
+	}
+
 	pks.s_size = siglen;
+
 	ret = verify_signature(key, &pks);
+	kfree(pks.digest);
+	kfree(pks.s);
 out:
 	key_put(key);
 	pr_debug("%s() = %d\n", __func__, ret);
-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ