From: Nicolai Stange <nicstange@gmail.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Nicolai Stange <nicstange@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
David Howells <dhowells@redhat.com>,
Tadeusz Struk <tadeusz.struk@intel.com>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument
Date: Wed, 23 Mar 2016 15:00:24 +0100 [thread overview]
Message-ID: <87zitpl2fb.fsf@gmail.com> (raw)
In-Reply-To: <20160323125912.GA29481@gondor.apana.org.au> (Herbert Xu's message of "Wed, 23 Mar 2016 20:59:12 +0800")
Herbert Xu <herbert@gondor.apana.org.au> writes:
> On Sun, Mar 20, 2016 at 11:23:46PM +0100, Nicolai Stange wrote:
>> Despite what the DocBook comment to pkcs7_validate_trust() says, the
>> *_trusted argument is never set to false.
>>
>> pkcs7_validate_trust() only positively sets *_trusted upon encountering
>> a trusted PKCS#7 SignedInfo block.
>>
>> This is quite unfortunate since its callers, system_verify_data() for
>> example, depend on pkcs7_validate_trust() clearing *_trusted on non-trust.
>>
>> Indeed, UBSAN splats when attempting to load the uninitialized local
>> variable 'trusted' from system_verify_data() in pkcs7_validate_trust():
>>
>> UBSAN: Undefined behaviour in crypto/asymmetric_keys/pkcs7_trust.c:194:14
>> load of value 82 is not a valid value for type '_Bool'
>> [...]
>> Call Trace:
>> [<ffffffff818c4d35>] dump_stack+0xbc/0x117
>> [<ffffffff818c4c79>] ? _atomic_dec_and_lock+0x169/0x169
>> [<ffffffff8194113b>] ubsan_epilogue+0xd/0x4e
>> [<ffffffff819419fa>] __ubsan_handle_load_invalid_value+0x111/0x158
>> [<ffffffff819418e9>] ? val_to_string.constprop.12+0xcf/0xcf
>> [<ffffffff818334a4>] ? x509_request_asymmetric_key+0x114/0x370
>> [<ffffffff814b83f0>] ? kfree+0x220/0x370
>> [<ffffffff818312c2>] ? public_key_verify_signature_2+0x32/0x50
>> [<ffffffff81835e04>] pkcs7_validate_trust+0x524/0x5f0
>> [<ffffffff813c391a>] system_verify_data+0xca/0x170
>> [<ffffffff813c3850>] ? top_trace_array+0x9b/0x9b
>> [<ffffffff81510b29>] ? __vfs_read+0x279/0x3d0
>> [<ffffffff8129372f>] mod_verify_sig+0x1ff/0x290
>> [...]
>>
>> The implication is that pkcs7_validate_trust() effectively grants trust
>> when it really shouldn't have.
>>
>> Fix this by explicitly setting *_trusted to false at the very beginning
>> of pkcs7_validate_trust().
>>
>> Signed-off-by: Nicolai Stange <nicstange@gmail.com>
>
> Patch applied. Thanks!
Thank you very much!
prev parent reply other threads:[~2016-03-23 14:00 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-20 22:23 [PATCH] PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument Nicolai Stange
2016-03-23 12:59 ` Herbert Xu
2016-03-23 14:00 ` Nicolai Stange [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zitpl2fb.fsf@gmail.com \
--to=nicstange@gmail.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tadeusz.struk@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.