From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: David Howells <dhowells@redhat.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: keyrings <keyrings@linux-nfs.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
Josh Boyer <jwboyer@redhat.com>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Subject: Re: [PATCH v6 3/6] KEYS: make partial key id matching as a dedicated function
Date: Mon, 30 Jun 2014 16:14:42 +0300 [thread overview]
Message-ID: <53B162C2.3070800@samsung.com> (raw)
In-Reply-To: <7564.1403876287@warthog.procyon.org.uk>
On 27/06/14 16:38, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
>> + if (strncmp(id, "id:", 3) == 0)
>> Use memcmp() here.
'id' function parameter comes from "keys_ownerid" kernel parameter.
User can supply anything shorter than "id:".
Though comparing 3 bytes should not produce any memory access errors,
memcmp can access beyond the length of the string.
I think 'strcnmp' is more appropriate here...
>> - kid += kidlen - idlen;
>> - if (strcasecmp(id, kid) != 0)
>> - return 0;
> This test is no longer applied in the "<subtype>:..." case.
I did not get fully what you comment here or ask to do..
But yes, with this patch, it is no longer the case.
Thanks,
Dmitry
> David
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
next prev parent reply other threads:[~2014-06-30 13:15 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-24 14:40 [PATCH v6 0/6] ima: extending secure boot certificate chain of trust Mimi Zohar
2014-06-24 14:40 ` [PATCH v6 1/6] KEYS: special dot prefixed keyring name bug fix Mimi Zohar
2014-06-27 13:24 ` David Howells
2014-06-24 14:40 ` [PATCH v6 2/6] KEYS: verify a certificate is signed by a 'trusted' key Mimi Zohar
2014-06-24 14:40 ` [PATCH v6 3/6] KEYS: make partial key id matching as a dedicated function Mimi Zohar
2014-06-27 13:38 ` David Howells
2014-06-30 13:14 ` Dmitry Kasatkin [this message]
2014-06-30 19:20 ` Mimi Zohar
2014-06-24 14:40 ` [PATCH v6 4/6] KEYS: validate certificate trust only with selected owner key Mimi Zohar
2014-06-27 13:55 ` David Howells
2014-06-27 17:44 ` Mimi Zohar
2014-06-30 13:47 ` Dmitry Kasatkin
2014-06-30 13:57 ` Mimi Zohar
2014-06-24 14:40 ` [PATCH v6 5/6] KEYS: validate certificate trust only with builtin keys Mimi Zohar
2014-06-27 13:54 ` David Howells
2014-06-27 17:50 ` Mimi Zohar
2014-06-24 14:40 ` [PATCH v6 6/6] ima: define '.ima' as a builtin 'trusted' keyring Mimi Zohar
2014-06-27 14:17 ` David Howells
2014-07-09 15:31 ` [PATCH v6 0/6] ima: extending secure boot certificate chain of trust David Howells
2014-07-09 16:40 ` Mimi Zohar
2014-07-09 18:56 ` David Howells
2014-07-09 21:29 ` Mimi Zohar
2014-07-10 14:47 ` Dmitry Kasatkin
2014-07-13 21:06 ` David Howells
2014-07-16 13:15 ` Mimi Zohar
2014-07-17 19:43 ` David Howells
2014-07-17 20:07 ` Mimi Zohar
2014-07-17 20:37 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53B162C2.3070800@samsung.com \
--to=d.kasatkin@samsung.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jwboyer@redhat.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.