Re: [PATCH] ima: Make a copy of sig and digest in asymmetric_verify()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2022-11-23 at 13:56 +0100, Roberto Sassu wrote:
> On Tue, 2022-11-22 at 14:39 -0500, Mimi Zohar wrote:
> > Hi Roberto,
> > 
> > On Fri, 2022-11-04 at 13:20 +0100, Roberto Sassu wrote:
> > > From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> > > 
> > > Commit ac4e97abce9b8 ("scatterlist: sg_set_buf() argument must be in linear
> > > mapping") requires that both the signature and the digest resides in the
> > > linear mapping area.
> > > 
> > > However, more recently commit ba14a194a434c ("fork: Add generic vmalloced
> > > stack support"), made it possible to move the stack in the vmalloc area,
> > > which could make the requirement of the first commit not satisfied anymore.
> > > 
> > > If CONFIG_SG=y and CONFIG_VMAP_STACK=y, the following BUG() is triggered:
> > 
> > ^CONFIG_DEBUG_SG
> > 
> > > [  467.077359] kernel BUG at include/linux/scatterlist.h:163!
> > > [  467.077939] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
> > > 
> > > [...]
> > > 
> > > [  467.095225] Call Trace:
> > > [  467.096088]  <TASK>
> > > [  467.096928]  ? rcu_read_lock_held_common+0xe/0x50
> > > [  467.097569]  ? rcu_read_lock_sched_held+0x13/0x70
> > > [  467.098123]  ? trace_hardirqs_on+0x2c/0xd0
> > > [  467.098647]  ? public_key_verify_signature+0x470/0x470
> > > [  467.099237]  asymmetric_verify+0x14c/0x300
> > > [  467.099869]  evm_verify_hmac+0x245/0x360
> > > [  467.100391]  evm_inode_setattr+0x43/0x190
> > > 
> > > The failure happens only for the digest, as the pointer comes from the
> > > stack, and not for the signature, which instead was allocated by
> > > vfs_getxattr_alloc().
> > 
> > Only after enabling CONFIG_DEBUG_SG does EVM fail.
> > 
> > > Fix this by making a copy of both in asymmetric_verify(), so that the
> > > linear mapping requirement is always satisfied, regardless of the caller.
> > 
> > As only EVM is affected, it would make more sense to limit the change
> > to EVM.
> 
> I found another occurrence:
> 
> static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
> 			struct evm_ima_xattr_data *xattr_value, int xattr_len,
> 			enum integrity_status *status, const char **cause)
> {
> 
> [...]
> 
> 		rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
> 					     (const char *)xattr_value,
> 					     xattr_len, hash.digest,
> 					     hash.hdr.length);
> 
> Should I do two patches?

I'm just not getting it.  Why did you enable CONFIG_DEBUG_SIG?  Were
you testing random kernel configs?  Are you actually seeing signature
verifications errors without it enabled?  Or is it causing other
problems?  Is the "BUG_ON" still needed?

If you're going to fix the EVM and IMA callers, then make them separate
patches.
-- 
thanks,

Mimi




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux