lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <a676b387d23f9ca630418ece20a6761a9437ce76.camel@huaweicloud.com>
Date:   Wed, 23 Nov 2022 13:56:22 +0100
From:   Roberto Sassu <roberto.sassu@...weicloud.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>, dmitry.kasatkin@...il.com,
        paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com
Cc:     linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        Roberto Sassu <roberto.sassu@...wei.com>,
        stable@...r.kernel.org
Subject: Re: [PATCH] ima: Make a copy of sig and digest in
 asymmetric_verify()

On Tue, 2022-11-22 at 14:39 -0500, Mimi Zohar wrote:
> Hi Roberto,
> 
> On Fri, 2022-11-04 at 13:20 +0100, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@...wei.com>
> > 
> > Commit ac4e97abce9b8 ("scatterlist: sg_set_buf() argument must be in linear
> > mapping") requires that both the signature and the digest resides in the
> > linear mapping area.
> > 
> > However, more recently commit ba14a194a434c ("fork: Add generic vmalloced
> > stack support"), made it possible to move the stack in the vmalloc area,
> > which could make the requirement of the first commit not satisfied anymore.
> > 
> > If CONFIG_SG=y and CONFIG_VMAP_STACK=y, the following BUG() is triggered:
> 
> ^CONFIG_DEBUG_SG
> 
> > [  467.077359] kernel BUG at include/linux/scatterlist.h:163!
> > [  467.077939] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
> > 
> > [...]
> > 
> > [  467.095225] Call Trace:
> > [  467.096088]  <TASK>
> > [  467.096928]  ? rcu_read_lock_held_common+0xe/0x50
> > [  467.097569]  ? rcu_read_lock_sched_held+0x13/0x70
> > [  467.098123]  ? trace_hardirqs_on+0x2c/0xd0
> > [  467.098647]  ? public_key_verify_signature+0x470/0x470
> > [  467.099237]  asymmetric_verify+0x14c/0x300
> > [  467.099869]  evm_verify_hmac+0x245/0x360
> > [  467.100391]  evm_inode_setattr+0x43/0x190
> > 
> > The failure happens only for the digest, as the pointer comes from the
> > stack, and not for the signature, which instead was allocated by
> > vfs_getxattr_alloc().
> 
> Only after enabling CONFIG_DEBUG_SG does EVM fail.
> 
> > Fix this by making a copy of both in asymmetric_verify(), so that the
> > linear mapping requirement is always satisfied, regardless of the caller.
> 
> As only EVM is affected, it would make more sense to limit the change
> to EVM.

I found another occurrence:

static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
			struct evm_ima_xattr_data *xattr_value, int xattr_len,
			enum integrity_status *status, const char **cause)
{

[...]

		rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
					     (const char *)xattr_value,
					     xattr_len, hash.digest,
					     hash.hdr.length);

Should I do two patches?

Thanks

Roberto

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ