Re: [added to the 3.18 stable tree] KEYS: fix "ca_keys=" partial key matching


 



Hi Sasha,

Thanks!  The first two patches listed below aren't "necessary", but with
them the rest of the bug fixes apply cleanly.

# ima: skip measurement of cgroupfs files and update documentation
git cherry-pick 6438de9 -x

# ima: cleanup ima_init_policy() a little
git cherry-pick 5577857 -x

# ima: do not measure or appraise the NSFS filesystem  (back  to and
including 3.19)
git cherry-pick cd025f7 -x

# evm: labeling pseudo filesystems exception (back to and including
3.17,  3.14)
git cherry-pick 5101a18 -x

# KEYS: fix "ca_keys=" partial key matching  (back to and including
3.18)
git cherry-pick f2b3dee -x

# ima: fix ima_show_template_data_ascii()  (back to and including 3.13)
git cherry-pick 45b2613 -x

# ima: add support for new "euid" policy condition
git cherry-pick 139069e -x

# ima: extend "mask" policy matching support
git cherry-pick 4351c29 -x

# ima: update builtin policies
git cherry-pick 24fd03c -x

Thanks,

Mimi


On Fri, 2015-07-03 at 23:01 -0400, Sasha Levin wrote:
> From: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
> 
> This patch has been added to the 3.18 stable tree. If you have any
> objections, please let us know.
> 
> ===============
> 
> [ Upstream commit f2b3dee484f9cee967a54ef05a66866282337519 ]
> 
> The call to asymmetric_key_hex_to_key_id() from ca_keys_setup()
> silently fails with -ENOMEM.  Instead of dynamically allocating
> memory from a __setup function, this patch defines a variable
> and calls __asymmetric_key_hex_to_key_id(), a new helper function,
> directly.
> 
> This bug was introduced by 'commit 46963b774d44 ("KEYS: Overhaul
> key identification when searching for asymmetric keys")'.
> 
> Changelog:
> - for clarification, rename hexlen to asciihexlen in
>   asymmetric_key_hex_to_key_id()
> - add size argument to __asymmetric_key_hex_to_key_id() - David Howells
> - inline __asymmetric_key_hex_to_key_id() - David Howells
> - remove duplicate strlen() calls
> 
> Acked-by: David Howells <dhowells@xxxxxxxxxx>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx # 3.18
> Signed-off-by: Sasha Levin <sasha.levin@xxxxxxxxxx>
> ---
>  crypto/asymmetric_keys/asymmetric_keys.h |  3 +++
>  crypto/asymmetric_keys/asymmetric_type.c | 20 ++++++++++++++------
>  crypto/asymmetric_keys/x509_public_key.c | 23 ++++++++++++++++++-----
>  3 files changed, 35 insertions(+), 11 deletions(-)
> 
> diff --git a/crypto/asymmetric_keys/asymmetric_keys.h b/crypto/asymmetric_keys/asymmetric_keys.h
> index f973308..3f5b537 100644
> --- a/crypto/asymmetric_keys/asymmetric_keys.h
> +++ b/crypto/asymmetric_keys/asymmetric_keys.h
> @@ -11,6 +11,9 @@
> 
>  extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id);
> 
> +extern int __asymmetric_key_hex_to_key_id(const char *id,
> +					  struct asymmetric_key_id *match_id,
> +					  size_t hexlen);
>  static inline
>  const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key)
>  {
> diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c
> index bcbbbd7..b0e4ed2 100644
> --- a/crypto/asymmetric_keys/asymmetric_type.c
> +++ b/crypto/asymmetric_keys/asymmetric_type.c
> @@ -104,6 +104,15 @@ static bool asymmetric_match_key_ids(
>  	return false;
>  }
> 
> +/* helper function can be called directly with pre-allocated memory */
> +inline int __asymmetric_key_hex_to_key_id(const char *id,
> +				   struct asymmetric_key_id *match_id,
> +				   size_t hexlen)
> +{
> +	match_id->len = hexlen;
> +	return hex2bin(match_id->data, id, hexlen);
> +}
> +
>  /**
>   * asymmetric_key_hex_to_key_id - Convert a hex string into a key ID.
>   * @id: The ID as a hex string.
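Review bot: The one-line comment on `__asymmetric_key_hex_to_key_id()` does not state its contract, and the parameter name `hexlen` is misleading. The value is stored in `match_id->len` and passed to `hex2bin()` as the count, and both callers in this patch pass a hex-string length divided by two, so it is the number of decoded bytes rather than the number of hex digits. The helper also writes to `match_id->data` without any capacity check, so a caller with a fixed-size buffer must bound the value itself. I would replace the comment with something like `/* @hexlen: number of decoded bytes (hex digits / 2); caller must guarantee match_id->data holds at least @hexlen bytes */` and consider renaming the parameter, in the asymmetric_keys.h declaration as well.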
> @@ -111,21 +120,20 @@ static bool asymmetric_match_key_ids(
>  struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id)
>  {
>  	struct asymmetric_key_id *match_id;
> -	size_t hexlen;
> +	size_t asciihexlen;
>  	int ret;
> 
>  	if (!*id)
>  		return ERR_PTR(-EINVAL);
> -	hexlen = strlen(id);
> -	if (hexlen & 1)
> +	asciihexlen = strlen(id);
> +	if (asciihexlen & 1)
>  		return ERR_PTR(-EINVAL);
> 
> -	match_id = kmalloc(sizeof(struct asymmetric_key_id) + hexlen / 2,
> +	match_id = kmalloc(sizeof(struct asymmetric_key_id) + asciihexlen / 2,
>  			   GFP_KERNEL);
>  	if (!match_id)
>  		return ERR_PTR(-ENOMEM);
> -	match_id->len = hexlen / 2;
> -	ret = hex2bin(match_id->data, id, hexlen / 2);
> +	ret = __asymmetric_key_hex_to_key_id(id, match_id, asciihexlen / 2);
>  	if (ret < 0) {
>  		kfree(match_id);
>  		return ERR_PTR(-EINVAL);
> diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
> index a6c4203..24f17e6 100644
> --- a/crypto/asymmetric_keys/x509_public_key.c
> +++ b/crypto/asymmetric_keys/x509_public_key.c
> @@ -28,17 +28,30 @@ static bool use_builtin_keys;
>  static struct asymmetric_key_id *ca_keyid;
> 
>  #ifndef MODULE
> +static struct {
> +	struct asymmetric_key_id id;
> +	unsigned char data[10];
> +} cakey;
> +
>  static int __init ca_keys_setup(char *str)
>  {
>  	if (!str)		/* default system keyring */
>  		return 1;
> 
>  	if (strncmp(str, "id:", 3) == 0) {
> -		struct asymmetric_key_id *p;
> -		p = asymmetric_key_hex_to_key_id(str + 3);
> -		if (p == ERR_PTR(-EINVAL))
> -			pr_err("Unparsable hex string in ca_keys\n");
> -		else if (!IS_ERR(p))
> +		struct asymmetric_key_id *p = &cakey.id;
> +		size_t hexlen = (strlen(str) - 3) / 2;
> +		int ret;
> +
> +		if (hexlen == 0 || hexlen > sizeof(cakey.data)) {
> +			pr_err("Missing or invalid ca_keys id\n");
> +			return 1;
> +		}
> +
> +		ret = __asymmetric_key_hex_to_key_id(str + 3, p, hexlen);
> +		if (ret < 0)
> +			pr_err("Unparsable ca_keys id hex string\n");
> +		else
>  			ca_keyid = p;	/* owner key 'id:xxxxxx' */
>  	} else if (strcmp(str, "builtin") == 0) {
>  		use_builtin_keys = true;
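Review bot: In `ca_keys_setup()`, `hexlen = (strlen(str) - 3) / 2` rounds down, so an odd number of hex digits after "id:" is accepted and the trailing digit is silently ignored. `asymmetric_key_hex_to_key_id()`, which this code used before, rejects odd lengths with -EINVAL. Because this id selects which CA key is trusted, a mistyped value would presumably end up matching on a shorter id than the administrator wrote, so it seems safer to reject it in the existing length check: `if (hexlen == 0 || (strlen(str + 3) & 1) || hexlen > sizeof(cakey.data)) {`. Separately, `cakey` appears to rely on `data[10]` sitting immediately after the `id` member's trailing array; a short comment saying so, and naming the 10-byte limit, would help. The body of `ca_keys_setup()` continues outside this hunk.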




