From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Robbie Harwood <rharwood@redhat.com>,
David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
Eric Biederman <ebiederm@xmission.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
kexec@lists.infradead.org, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 30/37] verify_pefile: relax wrapper length check
Date: Tue, 18 Apr 2023 14:21:40 +0200 [thread overview]
Message-ID: <20230418120255.753919976@linuxfoundation.org> (raw)
In-Reply-To: <20230418120254.687480980@linuxfoundation.org>
From: Robbie Harwood <rharwood@redhat.com>
[ Upstream commit 4fc5c74dde69a7eda172514aaeb5a7df3600adb3 ]
The PE Format Specification (section "The Attribute Certificate Table
(Image Only)") states that `dwLength` is to be rounded up to 8-byte
alignment when used for traversal. Therefore, the field is not required
to be an 8-byte multiple in the first place.
Accordingly, pesign has not performed this alignment since version
0.110. This causes kexec failure on pesign'd binaries with "PEFILE:
Signature wrapper len wrong". Update the comment and relax the check.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Jarkko Sakkinen <jarkko@kernel.org>
cc: Eric Biederman <ebiederm@xmission.com>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: keyrings@vger.kernel.org
cc: linux-crypto@vger.kernel.org
cc: kexec@lists.infradead.org
Link: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only
Link: https://github.com/rhboot/pesign
Link: https://lore.kernel.org/r/20230220171254.592347-2-rharwood@redhat.com/ # v2
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/asymmetric_keys/verify_pefile.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
index d178650fd524c..411977947adbe 100644
--- a/crypto/asymmetric_keys/verify_pefile.c
+++ b/crypto/asymmetric_keys/verify_pefile.c
@@ -139,11 +139,15 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
pr_debug("sig wrapper = { %x, %x, %x }\n",
wrapper.length, wrapper.revision, wrapper.cert_type);
- /* Both pesign and sbsign round up the length of certificate table
- * (in optional header data directories) to 8 byte alignment.
+ /* sbsign rounds up the length of certificate table (in optional
+ * header data directories) to 8 byte alignment. However, the PE
+ * specification states that while entries are 8-byte aligned, this is
+ * not included in their length, and as a result, pesign has not
+ * rounded up since 0.110.
*/
- if (round_up(wrapper.length, 8) != ctx->sig_len) {
- pr_debug("Signature wrapper len wrong\n");
+ if (wrapper.length > ctx->sig_len) {
+ pr_debug("Signature wrapper bigger than sig len (%x > %x)\n",
+ ctx->sig_len, wrapper.length);
return -ELIBBAD;
}
if (wrapper.revision != WIN_CERT_REVISION_2_0) {
--
2.39.2
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Robbie Harwood <rharwood@redhat.com>,
David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
Eric Biederman <ebiederm@xmission.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
kexec@lists.infradead.org, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 30/37] verify_pefile: relax wrapper length check
Date: Tue, 18 Apr 2023 14:21:40 +0200 [thread overview]
Message-ID: <20230418120255.753919976@linuxfoundation.org> (raw)
In-Reply-To: <20230418120254.687480980@linuxfoundation.org>
From: Robbie Harwood <rharwood@redhat.com>
[ Upstream commit 4fc5c74dde69a7eda172514aaeb5a7df3600adb3 ]
The PE Format Specification (section "The Attribute Certificate Table
(Image Only)") states that `dwLength` is to be rounded up to 8-byte
alignment when used for traversal. Therefore, the field is not required
to be an 8-byte multiple in the first place.
Accordingly, pesign has not performed this alignment since version
0.110. This causes kexec failure on pesign'd binaries with "PEFILE:
Signature wrapper len wrong". Update the comment and relax the check.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Jarkko Sakkinen <jarkko@kernel.org>
cc: Eric Biederman <ebiederm@xmission.com>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: keyrings@vger.kernel.org
cc: linux-crypto@vger.kernel.org
cc: kexec@lists.infradead.org
Link: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only
Link: https://github.com/rhboot/pesign
Link: https://lore.kernel.org/r/20230220171254.592347-2-rharwood@redhat.com/ # v2
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/asymmetric_keys/verify_pefile.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
index d178650fd524c..411977947adbe 100644
--- a/crypto/asymmetric_keys/verify_pefile.c
+++ b/crypto/asymmetric_keys/verify_pefile.c
@@ -139,11 +139,15 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
pr_debug("sig wrapper = { %x, %x, %x }\n",
wrapper.length, wrapper.revision, wrapper.cert_type);
- /* Both pesign and sbsign round up the length of certificate table
- * (in optional header data directories) to 8 byte alignment.
+ /* sbsign rounds up the length of certificate table (in optional
+ * header data directories) to 8 byte alignment. However, the PE
+ * specification states that while entries are 8-byte aligned, this is
+ * not included in their length, and as a result, pesign has not
+ * rounded up since 0.110.
*/
- if (round_up(wrapper.length, 8) != ctx->sig_len) {
- pr_debug("Signature wrapper len wrong\n");
+ if (wrapper.length > ctx->sig_len) {
+ pr_debug("Signature wrapper bigger than sig len (%x > %x)\n",
+ ctx->sig_len, wrapper.length);
return -ELIBBAD;
}
if (wrapper.revision != WIN_CERT_REVISION_2_0) {
--
2.39.2
next prev parent reply other threads:[~2023-04-18 12:24 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-18 12:21 [PATCH 4.14 00/37] 4.14.313-rc1 review Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 01/37] pwm: cros-ec: Explicitly set .polarity in .get_state() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 02/37] wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 03/37] icmp: guard against too small mtu Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 04/37] ipv6: Fix an uninit variable access bug in __ip6_make_skb() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 05/37] gpio: davinci: Add irq chip flag to skip set wake Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 06/37] USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 07/37] USB: serial: option: add Telit FE990 compositions Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 08/37] USB: serial: option: add Quectel RM500U-CN modem Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 09/37] iio: dac: cio-dac: Fix max DAC write value check for 12-bit Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 10/37] tty: serial: sh-sci: Fix Rx on RZ/G2L SCI Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 11/37] nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 12/37] nilfs2: fix sysfs interface lifetime Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 13/37] perf/core: Fix the same task check in perf_event_set_output Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 14/37] ftrace: Mark get_lock_parent_ip() __always_inline Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 15/37] ring-buffer: Fix race while reader and writer are on the same page Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 16/37] mm/swap: fix swap_info_struct race between swapoff and get_swap_pages() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 17/37] ALSA: emu10k1: fix capture interrupt handler unlinking Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 18/37] ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 19/37] ALSA: i2c/cs8427: fix iec958 mixer control deactivation Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 20/37] ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 21/37] Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 22/37] Bluetooth: Fix race condition in hidp_session_thread Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 23/37] mtdblock: tolerate corrected bit-flips Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 24/37] 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 25/37] niu: Fix missing unwind goto in niu_alloc_channels() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 26/37] qlcnic: check pci_reset_function result Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 27/37] net: macb: fix a memory corruption in extended buffer descriptor mode Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 28/37] i2c: imx-lpi2c: clean rx/tx buffers upon new message Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 29/37] efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L Greg Kroah-Hartman
2023-04-18 12:21 ` Greg Kroah-Hartman [this message]
2023-04-18 12:21 ` [PATCH 4.14 30/37] verify_pefile: relax wrapper length check Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 31/37] ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 32/37] cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 33/37] watchdog: sbsa_wdog: Make sure the timeout programming is within the limits Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 34/37] coresight-etm4: Fix for() loop drvdata->nr_addr_cmp range bug Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 35/37] KVM: arm64: Factor out core register ID enumeration Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 36/37] KVM: arm64: Filter out invalid core register IDs in KVM_GET_REG_LIST Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 37/37] arm64: KVM: Fix system register enumeration Greg Kroah-Hartman
2023-04-18 14:11 ` [PATCH 4.14 00/37] 4.14.313-rc1 review Chris Paterson
2023-04-19 3:33 ` Guenter Roeck
2023-04-19 8:41 ` Naresh Kamboju
2023-04-19 8:41 ` [LTP] " Naresh Kamboju
2023-04-19 10:51 ` Jon Hunter
2023-04-19 12:39 ` Harshit Mogalapalli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230418120255.753919976@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=patches@lists.linux.dev \
--cc=rharwood@redhat.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.