Message-ID: <CAEy91+b+GN1CoX7Y7RVHq2sxjU=OrrPqmbsFuVW3da4YNTH+XQ@mail.gmail.com>
Date: Fri, 27 Jun 2025 19:42:03 +0530
From: ritu pal <ritupal888@...il.com>
To: David Howells <dhowells@...hat.com>, David Woodhouse <dwmw2@...radead.org>, keyrings@...r.kernel.org, 
	linux-kernel@...r.kernel.org, ritu pal <ritupal888@...il.com>
Subject: [PATCH] certs/blacklist: add error logging for hash blacklisting failures

[PATCH] certs/blacklist: add error logging for hash blacklisting failures

Previously, errors returned by mark_hash_blacklisted() could be silently
ignored by callers, such as uefi_blacklist_x509_tbs() and
uefi_blacklist_binary(), which do not check or log the return value.
This can make it difficult to detect and diagnose failures to add hashes
to the system blacklist.

This change adds a pr_err() message in mark_hash_blacklisted() to log
any failure to blacklist a hash, including the error code. This ensures
that all blacklisting failures are visible in the kernel log, improving
debuggability and system integrity monitoring, even if the upper layers
do not handle the error.

No functional changes are made to the blacklisting logic.

Signed-off-by: Ritu Pal  <ritupal888@...il.com>
---
 certs/blacklist.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index 675dd7a8f07a..0f5ff29ccb3d 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -208,8 +208,10 @@ int mark_hash_blacklisted(const u8 *hash, size_t hash_len,
  int err;

  buffer = get_raw_hash(hash, hash_len, hash_type);
- if (IS_ERR(buffer))
+ if (IS_ERR(buffer)) {
+ pr_err("Failed to blacklist hash: %pe\n", buffer);
  return PTR_ERR(buffer);
+ }
  err = mark_raw_hash_blacklisted(buffer);
  kfree(buffer);
  return err;
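
Review bot: the new pr_err() in mark_hash_blacklisted() only fires when get_raw_hash() fails; a failure from mark_raw_hash_blacklisted() is still returned through "return err;" with no message from this function, so the commit message's claim that any failure to blacklist a hash is logged does not hold for the path that actually inserts the entry. Either log when err is non-zero after the mark_raw_hash_blacklisted(buffer) call, or narrow the commit message to the get_raw_hash() failure it covers. The added lines also appear to have lost their tab indentation (the pr_err() line sits at the same depth as the if), so the patch should be resent with whitespace intact.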
@@ -229,8 +231,10 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len,
  int ret = 0;

  buffer = get_raw_hash(hash, hash_len, hash_type);
- if (IS_ERR(buffer))
+ if (IS_ERR(buffer)) {
+ pr_err("Failed to blacklist hash: %pe\n", buffer);
  return PTR_ERR(buffer);
+ }
  kref = keyring_search(make_key_ref(blacklist_keyring, true),
        &key_type_blacklist, buffer, false);
  if (!IS_ERR(kref)) {
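
Review bot: the message "Failed to blacklist hash" added in is_hash_blacklisted() is misleading, because this function performs a lookup via keyring_search() and does not add anything to the blacklist. Someone triaging the kernel log would read it as a failed insertion. Use distinct wording for the lookup path, for example "Failed to check hash against blacklist: %pe", or drop this hunk, since the commit message only describes a change to mark_hash_blacklisted() and says nothing about is_hash_blacklisted().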
--
