lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 02 Dec 2022 08:58:21 +0100
From:   Roberto Sassu <roberto.sassu@...weicloud.com>
To:     Eric Biggers <ebiggers@...nel.org>
Cc:     zohar@...ux.ibm.com, dmitry.kasatkin@...il.com,
        paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com,
        linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        Roberto Sassu <roberto.sassu@...wei.com>,
        stable@...r.kernel.org
Subject: Re: [PATCH v2 1/2] evm: Alloc evm_digest in evm_verify_hmac() if
 CONFIG_VMAP_STACK=y

On Thu, 2022-12-01 at 10:53 -0800, Eric Biggers wrote:
> On Thu, Dec 01, 2022 at 11:06:24AM +0100, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@...wei.com>
> > 
> > Commit ac4e97abce9b8 ("scatterlist: sg_set_buf() argument must be in linear
> > mapping") checks that both the signature and the digest reside in the
> > linear mapping area.
> > 
> > However, more recently commit ba14a194a434c ("fork: Add generic vmalloced
> > stack support"), made it possible to move the stack in the vmalloc area,
> > which is not contiguous, and thus not suitable for sg_set_buf() which needs
> > adjacent pages.
> > 
> > Fix this by checking if CONFIG_VMAP_STACK is enabled. If yes, allocate an
> > evm_digest structure, and use that instead of the in-stack counterpart.
> > 
> > Cc: stable@...r.kernel.org # 4.9.x
> > Fixes: ba14a194a434 ("fork: Add generic vmalloced stack support")
> > Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> > ---
> >  security/integrity/evm/evm_main.c | 26 +++++++++++++++++++++-----
> >  1 file changed, 21 insertions(+), 5 deletions(-)
> > 
> > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> > index 23d484e05e6f..7f76d6103f2e 100644
> > --- a/security/integrity/evm/evm_main.c
> > +++ b/security/integrity/evm/evm_main.c
> > @@ -174,6 +174,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
> >  	struct signature_v2_hdr *hdr;
> >  	enum integrity_status evm_status = INTEGRITY_PASS;
> >  	struct evm_digest digest;
> > +	struct evm_digest *digest_ptr = &digest;
> >  	struct inode *inode;
> >  	int rc, xattr_len, evm_immutable = 0;
> >  
> > @@ -231,14 +232,26 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
> >  		}
> >  
> >  		hdr = (struct signature_v2_hdr *)xattr_data;
> > -		digest.hdr.algo = hdr->hash_algo;
> > +
> > +		if (IS_ENABLED(CONFIG_VMAP_STACK)) {
> > +			digest_ptr = kmalloc(sizeof(*digest_ptr), GFP_NOFS);
> > +			if (!digest_ptr) {
> > +				rc = -ENOMEM;
> > +				break;
> > +			}
> > +		}
> > +
> > +		digest_ptr->hdr.algo = hdr->hash_algo;
> > +
> >  		rc = evm_calc_hash(dentry, xattr_name, xattr_value,
> > -				   xattr_value_len, xattr_data->type, &digest);
> > +				   xattr_value_len, xattr_data->type,
> > +				   digest_ptr);
> >  		if (rc)
> >  			break;
> >  		rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
> >  					(const char *)xattr_data, xattr_len,
> > -					digest.digest, digest.hdr.length);
> > +					digest_ptr->digest,
> > +					digest_ptr->hdr.length);
> >  		if (!rc) {
> >  			inode = d_backing_inode(dentry);
> >  
> > @@ -268,8 +281,11 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
> >  		else
> >  			evm_status = INTEGRITY_FAIL;
> >  	}
> > -	pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length,
> > -		  digest.digest);
> > +	pr_debug("digest: (%d) [%*phN]\n", digest_ptr->hdr.length,
> > +		 digest_ptr->hdr.length, digest_ptr->digest);
> > +
> > +	if (digest_ptr && digest_ptr != &digest)
> > +		kfree(digest_ptr);
> 
> What is the actual problem here?  Where is a scatterlist being created from this
> buffer?  AFAICS it never happens.

Hi Eric

it is in public_key_verify_signature(), called by asymmetric_verify()
and integrity_digsig_verify().

Roberto

Powered by blists - more mailing lists