On Fri, 2018-06-22 at 15:48 -0400, Mimi Zohar wrote:
> On Wed, 2018-06-20 at 12:53 +0200, Matthias Gerstner wrote:
> > Hello Mimi,
> >
> > > Somehow I missed it. A more generic patch is currently queued, which
> > > should resolve this problem as well. Please try commit fdc33c29b022
> > > ("evm: Don't deadlock if a crypto algorithm is unavailable") in the
> > > next-integrity-queued branch.
> >
> > thank you for helping me out. I tried that patch but it does no fix the
> > issue completely. It still ends up in a deadlock. As you can see from
> > the backtrace attached below the call to public_key_verify_signature()
> > still causes a deadlock, since there is the following call in it:
> >
> > tfm = crypto_alloc_akcipher(alg_name, 0, 0);
> >
> > Passing CRYPTO_NOLOAD here does fix the deadlock for me, but I fear that
> > won't be an option and the interface needs to be extended to pass flags?
>
> I'm having a hard time reproducing this bug. Too many different
> permutations of EVM/IMA keys, signatures, and kernel modules. Is the
> problem loading the crypto algorithm, itself, built as a kernel module
> (eg. insmod/modprobe - If so, which syscall is being used?) Or is the
> problem accessing a file signed by an algorithm built as a kernel
> module.
I'm now able to reproduce the bug.
> Mikhail, I'm really sorry for not seeing the patch. I must have been
> dropped from the sf mailing list and didn't notice. I was only seeing
> posts when Cc'ed on them.
>
> Matthias, does Mikhail's patch fix this problem?
Mikhail's patch does resolve it.
Mimi
