From patchwork Mon Nov 27 07:20:22 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 10075989 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 8A1316028E for ; Mon, 27 Nov 2017 07:20:38 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7BCAB2580E for ; Mon, 27 Nov 2017 07:20:38 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 709EC28C8B; Mon, 27 Nov 2017 07:20:38 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 20B5A2580E for ; Mon, 27 Nov 2017 07:20:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751754AbdK0HUg (ORCPT ); Mon, 27 Nov 2017 02:20:36 -0500 Received: from mail-pl0-f68.google.com ([209.85.160.68]:41927 "EHLO mail-pl0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751740AbdK0HUe (ORCPT ); Mon, 27 Nov 2017 02:20:34 -0500 Received: by mail-pl0-f68.google.com with SMTP id u14so7962663plm.8; Sun, 26 Nov 2017 23:20:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=eN8VQrho2xBTWxKKYdSV/S+Wsb2Behrr1J4mqw+EXLY=; b=ODVx3pruIDixEjrqa1WIF5TaGiP0dhwLJuUe7nUjVVyrO3mFPd3cuwBDhtc3J1E/gh Zvh4XPpP/UoLQPwoYzbOGraK4PglVuVMFONG/4mozJAa2Wh+CcNk29QGU6VN1PZCdNp1 hFjIw5HzbeWMPa7WOccXKWbigXf525Q0F3nDeAA3mEmx4jPJW8mfJR7XRlLkAAIWl4Eu bgEkmrqThQri4fvcmv972yvBG/SG6Ya59dCKL0mLEKirs1LAq4yicMU5XKy6AzNq/Y0l H8ezKqGvpMVccE+Ivs0IiRwCgda6qbQZhiOSUo8LUT5MDVgl0FGKUvATkp2mP4wbhwg4 y9KQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=eN8VQrho2xBTWxKKYdSV/S+Wsb2Behrr1J4mqw+EXLY=; b=EyHUeTSohubzXmJopPf2zPtYadHuakaHGvGtBcjdyt9H85bx3LnAEyChrqfQZZ/EcQ 1WZ1jVCkQuA787SGLSL70gal3QJ0r4oiAWd1in/PvBBA55noBaTAEasWTfxl5V10sV6Y PtkqjjUJ2NsEgu4fYfDnhe/w8HkPROW+VGCr+rzWxivF8QdIBbE/6WUxJm/p3vbb9dpq klgSvL1SyJwUZohoZ4/M/pF6RQ7uKGhySYvX9Jz3MkqMocWKOgcXf3filv5L/1inLe/O /3PWrmnX6Fu+JyRzcH5CQ2N9/mlhjI/E9BTzxMbMq+H4PLrFfUro/WnQaYkWjZVgVIyW ssNg== X-Gm-Message-State: AJaThX5SI/Ko+c0U29wBx+CE8WcfVY5XHvxEMLMS3fTGRvw0lFM3u5ee c5r35RiPJjuA4dgPap5TR5NH81H5 X-Google-Smtp-Source: AGs4zMayG70hSvaq4Fs2BUO5hhr5ZH464BcW4BKpcBoJSAtLar5vHm6KsFMLucjsayxz+5/va9XUHw== X-Received: by 10.159.216.141 with SMTP id s13mr37542749plp.377.1511767233701; Sun, 26 Nov 2017 23:20:33 -0800 (PST) Received: from zzz.localdomain (c-67-185-97-198.hsd1.wa.comcast.net. [67.185.97.198]) by smtp.gmail.com with ESMTPSA id 76sm49768624pfn.179.2017.11.26.23.20.33 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 26 Nov 2017 23:20:33 -0800 (PST) From: Eric Biggers To: keyrings@vger.kernel.org, David Howells Cc: linux-crypto@vger.kernel.org, Eric Biggers Subject: [PATCH] KEYS: be careful with error codes in public_key_verify_signature() Date: Sun, 26 Nov 2017 23:20:22 -0800 Message-Id: <20171127072022.26398-1-ebiggers3@gmail.com> X-Mailer: git-send-email 2.15.0 Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers In public_key_verify_signature(), if akcipher_request_alloc() fails, we return -ENOMEM. But that error code was set 25 lines above, and by accident someone could easily insert new code in between that assigns to 'ret', which would introduce a signature verification bypass. Make the code clearer by moving the -ENOMEM down to where it is used. Additionally, the callers of public_key_verify_signature() only consider a negative return value to be an error. This means that if any positive return value is accidentally introduced deeper in the call stack (e.g. 'return EBADMSG' instead of 'return -EBADMSG' somewhere in RSA), signature verification will be bypassed. Make things more robust by having public_key_verify_signature() warn about positive errors and translate them into -EINVAL. Signed-off-by: Eric Biggers --- crypto/asymmetric_keys/public_key.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c index bc3035ef27a2..de996586762a 100644 --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -73,7 +73,7 @@ int public_key_verify_signature(const struct public_key *pkey, char alg_name_buf[CRYPTO_MAX_ALG_NAME]; void *output; unsigned int outlen; - int ret = -ENOMEM; + int ret; pr_devel("==>%s()\n", __func__); @@ -99,6 +99,7 @@ int public_key_verify_signature(const struct public_key *pkey, if (IS_ERR(tfm)) return PTR_ERR(tfm); + ret = -ENOMEM; req = akcipher_request_alloc(tfm, GFP_KERNEL); if (!req) goto error_free_tfm; @@ -127,7 +128,7 @@ int public_key_verify_signature(const struct public_key *pkey, * signature and returns that to us. */ ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait); - if (ret < 0) + if (ret) goto out_free_output; /* Do the actual verification step. */ @@ -142,6 +143,8 @@ int public_key_verify_signature(const struct public_key *pkey, error_free_tfm: crypto_free_akcipher(tfm); pr_devel("<==%s() = %d\n", __func__, ret); + if (WARN_ON_ONCE(ret > 0)) + ret = -EINVAL; return ret; } EXPORT_SYMBOL_GPL(public_key_verify_signature);