| Message ID | 20230217201435.39784-2-rharwood@redhat.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Fix kexec of pesigned images | expand |
Robbie Harwood <rharwood@redhat.com> wrote: > See-also: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only > See-also: https://github.com/rhboot/pesign These should be "Link:" I think. Apart from that: Acked-by: David Howells <dhowells@redhat.com>
On Fri, Feb 17, 2023 at 03:14:34PM -0500, Robbie Harwood wrote: > The PE Format Specification (section "The Attribute Certificate Table > (Image Only)") states that `dwLength` is to be rounded up to 8-byte > alignment when used for traversal. Therefore, the field is not required > to be an 8-byte multiple in the first place. > > Accordingly, pesign has not performed this alignment since version > 0.110. This causes kexec failure on pesign'd binaries with "PEFILE: > Signature wrapper len wrong". Update the comment and relax the check. > > See-also: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only > See-also: https://github.com/rhboot/pesign > Signed-off-by: Robbie Harwood <rharwood@redhat.com> OK, makes sense but what does relaxing this bring up to the table? I.e. I do get the argument but do not see the motivation. > --- > crypto/asymmetric_keys/verify_pefile.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > > diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c > index 7553ab18db89..fe1bb374239d 100644 > --- a/crypto/asymmetric_keys/verify_pefile.c > +++ b/crypto/asymmetric_keys/verify_pefile.c > @@ -135,11 +135,15 @@ static int pefile_strip_sig_wrapper(const void *pebuf, > pr_debug("sig wrapper = { %x, %x, %x }\n", > wrapper.length, wrapper.revision, wrapper.cert_type); > > - /* Both pesign and sbsign round up the length of certificate table > - * (in optional header data directories) to 8 byte alignment. > + /* sbsign rounds up the length of certificate table (in optional > + * header data directories) to 8 byte alignment. However, the PE > + * specification states that while entries are 8-byte aligned, this is > + * not included in their length, and as a result, pesign has not > + * rounded up since 0.110. > */ > - if (round_up(wrapper.length, 8) != ctx->sig_len) { > - pr_debug("Signature wrapper len wrong\n"); > + if (wrapper.length > ctx->sig_len) { > + pr_debug("Signature wrapper bigger than sig len (%x > %x)\n", > + ctx->sig_len, wrapper.length); > return -ELIBBAD; > } > if (wrapper.revision != WIN_CERT_REVISION_2_0) { > -- > 2.39.1 > BR, Jarkko
diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c index 7553ab18db89..fe1bb374239d 100644 --- a/crypto/asymmetric_keys/verify_pefile.c +++ b/crypto/asymmetric_keys/verify_pefile.c @@ -135,11 +135,15 @@ static int pefile_strip_sig_wrapper(const void *pebuf, pr_debug("sig wrapper = { %x, %x, %x }\n", wrapper.length, wrapper.revision, wrapper.cert_type); - /* Both pesign and sbsign round up the length of certificate table - * (in optional header data directories) to 8 byte alignment. + /* sbsign rounds up the length of certificate table (in optional + * header data directories) to 8 byte alignment. However, the PE + * specification states that while entries are 8-byte aligned, this is + * not included in their length, and as a result, pesign has not + * rounded up since 0.110. */ - if (round_up(wrapper.length, 8) != ctx->sig_len) { - pr_debug("Signature wrapper len wrong\n"); + if (wrapper.length > ctx->sig_len) { + pr_debug("Signature wrapper bigger than sig len (%x > %x)\n", + ctx->sig_len, wrapper.length); return -ELIBBAD; } if (wrapper.revision != WIN_CERT_REVISION_2_0) {
The PE Format Specification (section "The Attribute Certificate Table (Image Only)") states that `dwLength` is to be rounded up to 8-byte alignment when used for traversal. Therefore, the field is not required to be an 8-byte multiple in the first place. Accordingly, pesign has not performed this alignment since version 0.110. This causes kexec failure on pesign'd binaries with "PEFILE: Signature wrapper len wrong". Update the comment and relax the check. See-also: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only See-also: https://github.com/rhboot/pesign Signed-off-by: Robbie Harwood <rharwood@redhat.com> --- crypto/asymmetric_keys/verify_pefile.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)