Message ID | 59d134a3eae4fa802ed9135385cee6fe4838ec01.1641822505.git.msuchanek@suse.de (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | KEXEC_SIG with appended signature | expand |
Hi Michal, Thank you for the patch! Yet something to improve: [auto build test ERROR on powerpc/next] [also build test ERROR on s390/features linus/master jeyu/modules-next v5.16 next-20220110] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/0day-ci/linux/commits/Michal-Suchanek/KEXEC_SIG-with-appended-signature/20220110-215157 base: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git next config: arc-allyesconfig (https://download.01.org/0day-ci/archive/20220111/202201110303.sLPF0o29-lkp@intel.com/config) compiler: arceb-elf-gcc (GCC) 11.2.0 reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://github.com/0day-ci/linux/commit/cc363ca7724d96c534c176b8ed248336f562b7ae git remote add linux-review https://github.com/0day-ci/linux git fetch --no-tags linux-review Michal-Suchanek/KEXEC_SIG-with-appended-signature/20220110-215157 git checkout cc363ca7724d96c534c176b8ed248336f562b7ae # save the config file to linux build tree mkdir build_dir COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=arc SHELL=/bin/bash If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <lkp@intel.com> All errors (new ones prefixed by >>): kernel/module_signing.c: In function 'verify_appended_signature': >> kernel/module_signing.c:33:35: error: passing argument 2 of 'mod_parse_sig' from incompatible pointer type [-Werror=incompatible-pointer-types] 33 | ret = mod_parse_sig(data, len, &sig_len, key_being_used_for[purpose]); | ^~~ | | | long unsigned int * In file included from kernel/module_signing.c:11: include/linux/module_signature.h:45:45: note: expected 'size_t *' {aka 'unsigned int *'} but argument is of type 'long unsigned int *' 45 | int mod_parse_sig(const void *data, size_t *len, size_t *sig_len, const char *name); | ~~~~~~~~^~~ kernel/module_signing.c:33:40: error: passing argument 3 of 'mod_parse_sig' from incompatible pointer type [-Werror=incompatible-pointer-types] 33 | ret = mod_parse_sig(data, len, &sig_len, key_being_used_for[purpose]); | ^~~~~~~~ | | | long unsigned int * In file included from kernel/module_signing.c:11: include/linux/module_signature.h:45:58: note: expected 'size_t *' {aka 'unsigned int *'} but argument is of type 'long unsigned int *' 45 | int mod_parse_sig(const void *data, size_t *len, size_t *sig_len, const char *name); | ~~~~~~~~^~~~~~~ cc1: some warnings being treated as errors -- security/integrity/ima/ima_modsig.c: In function 'ima_read_modsig': >> security/integrity/ima/ima_modsig.c:47:33: error: passing argument 2 of 'mod_parse_sig' from incompatible pointer type [-Werror=incompatible-pointer-types] 47 | rc = mod_parse_sig(buf, &buf_len, &sig_len, func_tokens[func]); | ^~~~~~~~ | | | long unsigned int * In file included from security/integrity/ima/ima_modsig.c:12: include/linux/module_signature.h:45:45: note: expected 'size_t *' {aka 'unsigned int *'} but argument is of type 'long unsigned int *' 45 | int mod_parse_sig(const void *data, size_t *len, size_t *sig_len, const char *name); | ~~~~~~~~^~~ security/integrity/ima/ima_modsig.c:47:43: error: passing argument 3 of 'mod_parse_sig' from incompatible pointer type [-Werror=incompatible-pointer-types] 47 | rc = mod_parse_sig(buf, &buf_len, &sig_len, func_tokens[func]); | ^~~~~~~~ | | | long unsigned int * In file included from security/integrity/ima/ima_modsig.c:12: include/linux/module_signature.h:45:58: note: expected 'size_t *' {aka 'unsigned int *'} but argument is of type 'long unsigned int *' 45 | int mod_parse_sig(const void *data, size_t *len, size_t *sig_len, const char *name); | ~~~~~~~~^~~~~~~ cc1: some warnings being treated as errors vim +/mod_parse_sig +33 kernel/module_signing.c 16 17 /** 18 * verify_appended_signature - Verify the signature on a module 19 * @data: The data to be verified 20 * @len: Size of @data. 21 * @trusted_keys: Keyring to use for verification 22 * @purpose: The use to which the key is being put 23 */ 24 int verify_appended_signature(const void *data, unsigned long *len, 25 struct key *trusted_keys, 26 enum key_being_used_for purpose) 27 { 28 unsigned long sig_len; 29 int ret; 30 31 pr_devel("==>%s %s(,%lu)\n", __func__, key_being_used_for[purpose], *len); 32 > 33 ret = mod_parse_sig(data, len, &sig_len, key_being_used_for[purpose]); --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
diff --git a/include/linux/module_signature.h b/include/linux/module_signature.h index 7eb4b00381ac..1343879b72b3 100644 --- a/include/linux/module_signature.h +++ b/include/linux/module_signature.h @@ -42,5 +42,6 @@ struct module_signature { int mod_check_sig(const struct module_signature *ms, size_t file_len, const char *name); +int mod_parse_sig(const void *data, size_t *len, size_t *sig_len, const char *name); #endif /* _LINUX_MODULE_SIGNATURE_H */ diff --git a/kernel/module_signature.c b/kernel/module_signature.c index 00132d12487c..b8eb30182183 100644 --- a/kernel/module_signature.c +++ b/kernel/module_signature.c @@ -8,14 +8,36 @@ #include <linux/errno.h> #include <linux/printk.h> +#include <linux/string.h> #include <linux/module_signature.h> #include <asm/byteorder.h> +/** + * mod_check_sig_marker - check that the given data has signature marker at the end + * + * @data: Data with appended signature + * @len: Length of data. Signature marker length is subtracted on success. + */ +static inline int mod_check_sig_marker(const void *data, size_t *len) +{ + const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + + if (markerlen > *len) + return -ENODATA; + + if (memcmp(data + *len - markerlen, MODULE_SIG_STRING, + markerlen)) + return -ENODATA; + + *len -= markerlen; + return 0; +} + /** * mod_check_sig - check that the given signature is sane * * @ms: Signature to check. - * @file_len: Size of the file to which @ms is appended. + * @file_len: Size of the file to which @ms is appended (without the marker). * @name: What is being checked. Used for error messages. */ int mod_check_sig(const struct module_signature *ms, size_t file_len, @@ -44,3 +66,35 @@ int mod_check_sig(const struct module_signature *ms, size_t file_len, return 0; } + +/** + * mod_parse_sig - check that the given signature is sane and determine signature length + * + * @data: Data with appended signature. + * @len: Length of data. Signature and marker length is subtracted on success. + * @sig_len: Length of signature. Filled on success. + * @name: What is being checked. Used for error messages. + */ +int mod_parse_sig(const void *data, size_t *len, size_t *sig_len, const char *name) +{ + const struct module_signature *sig; + int rc; + + rc = mod_check_sig_marker(data, len); + if (rc) + return rc; + + if (*len < sizeof(*sig)) + return -EBADMSG; + + sig = (const struct module_signature *)(data + (*len - sizeof(*sig))); + + rc = mod_check_sig(sig, *len, name); + if (rc) + return rc; + + *sig_len = be32_to_cpu(sig->sig_len); + *len -= *sig_len + sizeof(*sig); + + return 0; +} diff --git a/kernel/module_signing.c b/kernel/module_signing.c index 20857d2a15ca..1d4cb03cce21 100644 --- a/kernel/module_signing.c +++ b/kernel/module_signing.c @@ -25,35 +25,16 @@ int verify_appended_signature(const void *data, unsigned long *len, struct key *trusted_keys, enum key_being_used_for purpose) { - const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; - struct module_signature *ms; - unsigned long sig_len, modlen = *len; + unsigned long sig_len; int ret; - pr_devel("==>%s %s(,%lu)\n", __func__, key_being_used_for[purpose], modlen); + pr_devel("==>%s %s(,%lu)\n", __func__, key_being_used_for[purpose], *len); - if (markerlen > modlen) - return -ENODATA; - - if (memcmp(data + modlen - markerlen, MODULE_SIG_STRING, - markerlen)) - return -ENODATA; - modlen -= markerlen; - - if (modlen <= sizeof(*ms)) - return -EBADMSG; - - ms = data + modlen - sizeof(*ms); - - ret = mod_check_sig(ms, modlen, key_being_used_for[purpose]); + ret = mod_parse_sig(data, len, &sig_len, key_being_used_for[purpose]); if (ret) return ret; - sig_len = be32_to_cpu(ms->sig_len); - modlen -= sig_len + sizeof(*ms); - *len = modlen; - - return verify_pkcs7_signature(data, modlen, data + modlen, sig_len, + return verify_pkcs7_signature(data, *len, data + *len, sig_len, trusted_keys, purpose, NULL, NULL); diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c index fb25723c65bc..b40c8fdf6139 100644 --- a/security/integrity/ima/ima_modsig.c +++ b/security/integrity/ima/ima_modsig.c @@ -37,33 +37,17 @@ struct modsig { * * Return: 0 on success, error code otherwise. */ -int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, +int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t len, struct modsig **modsig) { - const size_t marker_len = strlen(MODULE_SIG_STRING); - const struct module_signature *sig; struct modsig *hdr; - size_t sig_len; - const void *p; + unsigned long sig_len, buf_len = len; int rc; - if (buf_len <= marker_len + sizeof(*sig)) - return -ENOENT; - - p = buf + buf_len - marker_len; - if (memcmp(p, MODULE_SIG_STRING, marker_len)) - return -ENOENT; - - buf_len -= marker_len; - sig = (const struct module_signature *)(p - sizeof(*sig)); - - rc = mod_check_sig(sig, buf_len, func_tokens[func]); + rc = mod_parse_sig(buf, &buf_len, &sig_len, func_tokens[func]); if (rc) return rc; - sig_len = be32_to_cpu(sig->sig_len); - buf_len -= sig_len + sizeof(*sig); - /* Allocate sig_len additional bytes to hold the raw PKCS#7 data. */ hdr = kzalloc(sizeof(*hdr) + sig_len, GFP_KERNEL); if (!hdr)
Multiple users of mod_check_sig check for the marker, then call mod_check_sig, extract signature length, and remove the signature. Put this code in one place together with mod_check_sig. This changes the error from ENOENT to ENODATA for ima_read_modsig in the case the signature marker is missing. This also changes the buffer length in ima_read_modsig from size_t to unsigned long. This reduces the possible value range on 32bit but the length refers to kernel in-memory buffer which cannot be longer than ULONG_MAX. Signed-off-by: Michal Suchanek <msuchanek@suse.de> --- v3: - Philipp Rudo <prudo@redhat.com>: Update the commit with note about change of raturn value - Preserve the EBADMSG error code while moving code araound v4: - remove unused variable ms in module_signing - note about buffer length --- include/linux/module_signature.h | 1 + kernel/module_signature.c | 56 ++++++++++++++++++++++++++++- kernel/module_signing.c | 27 +++----------- security/integrity/ima/ima_modsig.c | 22 ++---------- 4 files changed, 63 insertions(+), 43 deletions(-)