| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Nov 2022 14:39:25 +0100
From: Roberto Sassu <roberto.sassu@...weicloud.com>
To: zohar@...ux.ibm.com, dmitry.kasatkin@...il.com,
paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com
Cc: linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org,
Roberto Sassu <roberto.sassu@...wei.com>,
stable@...r.kernel.org
Subject: Re: [PATCH] ima: Make a copy of sig and digest in
asymmetric_verify()
On Fri, 2022-11-04 at 13:20 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@...wei.com>
>
> Commit ac4e97abce9b8 ("scatterlist: sg_set_buf() argument must be in linear
> mapping") requires that both the signature and the digest resides in the
> linear mapping area.
>
> However, more recently commit ba14a194a434c ("fork: Add generic vmalloced
> stack support"), made it possible to move the stack in the vmalloc area,
> which could make the requirement of the first commit not satisfied anymore.
>
> If CONFIG_SG=y and CONFIG_VMAP_STACK=y, the following BUG() is triggered:
Hi Mimi
did you have the chance to have a look at this patch?
Thanks
Roberto
> [ 467.077359] kernel BUG at include/linux/scatterlist.h:163!
> [ 467.077939] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
>
> [...]
>
> [ 467.095225] Call Trace:
> [ 467.096088] <TASK>
> [ 467.096928] ? rcu_read_lock_held_common+0xe/0x50
> [ 467.097569] ? rcu_read_lock_sched_held+0x13/0x70
> [ 467.098123] ? trace_hardirqs_on+0x2c/0xd0
> [ 467.098647] ? public_key_verify_signature+0x470/0x470
> [ 467.099237] asymmetric_verify+0x14c/0x300
> [ 467.099869] evm_verify_hmac+0x245/0x360
> [ 467.100391] evm_inode_setattr+0x43/0x190
>
> The failure happens only for the digest, as the pointer comes from the
> stack, and not for the signature, which instead was allocated by
> vfs_getxattr_alloc().
>
> Fix this by making a copy of both in asymmetric_verify(), so that the
> linear mapping requirement is always satisfied, regardless of the caller.
>
> Cc: stable@...r.kernel.org # 4.9.x
> Fixes: ba14a194a434 ("fork: Add generic vmalloced stack support")
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> ---
> security/integrity/digsig_asymmetric.c | 19 +++++++++++++++++--
> 1 file changed, 17 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
> index 895f4b9ce8c6..635238d5c7fe 100644
> --- a/security/integrity/digsig_asymmetric.c
> +++ b/security/integrity/digsig_asymmetric.c
> @@ -122,11 +122,26 @@ int asymmetric_verify(struct key *keyring, const char *sig,
> goto out;
> }
>
> - pks.digest = (u8 *)data;
> + pks.digest = kmemdup(data, datalen, GFP_KERNEL);
> + if (!pks.digest) {
> + ret = -ENOMEM;
> + goto out;
> + }
> +
> pks.digest_size = datalen;
> - pks.s = hdr->sig;
> +
> + pks.s = kmemdup(hdr->sig, siglen, GFP_KERNEL);
> + if (!pks.s) {
> + kfree(pks.digest);
> + ret = -ENOMEM;
> + goto out;
> + }
> +
> pks.s_size = siglen;
> +
> ret = verify_signature(key, &pks);
> + kfree(pks.digest);
> + kfree(pks.s);
> out:
> key_put(key);
> pr_debug("%s() = %d\n", __func__, ret);
Powered by blists - more mailing lists