All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] KEYS: trusted: dcp: fix key_len validation and calc_blob_len() return type
@ 2026-07-18 20:28 Fabrice Derepas
  2026-07-18 21:12 ` Richard Weinberger
  2026-07-18 22:13 ` Jarkko Sakkinen
  0 siblings, 2 replies; 4+ messages in thread
From: Fabrice Derepas @ 2026-07-18 20:28 UTC (permalink / raw)
  To: keyrings, linux-integrity
  Cc: Fabrice Derepas, david, upstream+dcp, jarkko, zohar, dhowells

Two defects in trusted_dcp_unseal() combine to allow a heap
out-of-bounds write in kernel context.

The primary defect is a missing upper-bound check:
trusted_dcp_unseal() reads p->key_len from an attacker-supplied blob
with no validation that it is at most MAX_KEY_SIZE (128).  It then
passes p->key_len + DCP_BLOB_AUTHLEN to do_aead_crypto() as the
operation length.  Because p->key is only MAX_KEY_SIZE + 1 = 129
bytes, any payload_len above 128 in the blob overruns p->key.  On
implementations where AES-128-GCM decryption writes plaintext before
verifying the authentication tag, up to 330 bytes of out-of-bounds
heap overwrite can occur before -EBADMSG is returned.

The secondary defect is an integer overflow in calc_blob_len(), which
computes its sum in size_t but returns unsigned int, truncating the
result on 64-bit platforms.  This allows a crafted blob with
payload_len near UINT_MAX to bypass the sanity check
(blen != p->blob_len).  Due to a second wrap in the expression
p->key_len + DCP_BLOB_AUTHLEN (computed in unsigned int at the call
site), the len value that reaches do_aead_crypto() via this path is
at most 15 bytes and does not directly amplify the OOB write, but
the integrity check bypass must be fixed.

Fix the primary OOB by validating p->key_len against MIN_KEY_SIZE
and MAX_KEY_SIZE immediately after reading it from the blob, matching
the validation already performed in trusted_core.c on the Opt_new
path.  Fix the overflow by changing the return type of calc_blob_len()
to size_t; update the two blen declarations from int to size_t to
avoid narrowing-conversion warnings, and update the pr_err format
specifier for blen accordingly.

The seal path is not affected: p->key_len is validated by
trusted_core.c before trusted_dcp_seal() is called, and the
blen > MAX_BLOB_SIZE guard provides defence in depth there.

Exploitation requires high privileges.  The unseal path is reached
via add_key("trusted", ..., KEY_SPEC_*) with the Opt_load command,
which requires write permission to a keyring that accepts trusted
keys -- in practice CAP_SYS_ADMIN.  Additionally,
CONFIG_TRUSTED_KEYS_DCP must be enabled. The attacker must also supply
a crafted sealed blob, which in the typical dm-crypt use case means
either physical access to modify on-disk key material or a prior
compromise of a privileged process that writes the blob.

How this was found:
Found by applying the Squeeze Loop strategy ("The Squeeze Loop
Strategy: Catching Coherent-and-Wrong Artifacts with an
Author-Independent Executable Oracle," Zenodo
DOI 10.5281/zenodo.20787816, 2026) on its C terrain using
deductive verification.  The formal proof of calc_blob_len (12/12
goals discharged) required a no_wrap precondition on payload_len;
removing that precondition caused 3 of 6 proof goals to fail.
Tracing the caller path confirmed the bounds bypass and the missing
key_len validation.

Signed-off-by: Fabrice Derepas <fabrice.derepas@canonical.com>
---
 security/keys/trusted-keys/trusted_dcp.c | 13 ++++++++++---
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/security/keys/trusted-keys/trusted_dcp.c b/security/keys/trusted-keys/trusted_dcp.c
index XXXXXXXXXXXXXXXX..YYYYYYYYYYYYYYYY 100644
--- a/security/keys/trusted-keys/trusted_dcp.c
+++ b/security/keys/trusted-keys/trusted_dcp.c
@@ -69,7 +69,7 @@ module_param_named(dcp_skip_zk_test, skip_zk_test, bool, 0);
 MODULE_PARM_DESC(dcp_skip_zk_test, "Don't test whether device keys are zero'ed");
 
-static unsigned int calc_blob_len(unsigned int payload_len)
+static size_t calc_blob_len(unsigned int payload_len)
 {
 	return sizeof(struct dcp_blob_fmt) + payload_len + DCP_BLOB_AUTHLEN;
 }
@@ -200,7 +200,8 @@ static int trusted_dcp_seal(struct trusted_key_payload *p, char *datablob)
 {
 	struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob;
-	int blen, ret;
+	size_t blen;
+	int ret;
 	u8 *plain_blob_key;
 
 	blen = calc_blob_len(p->key_len);
@@ -242,21 +243,25 @@ static int trusted_dcp_unseal(struct trusted_key_payload *p, char *datablob)
 {
 	struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob;
-	int blen, ret;
+	size_t blen;
+	int ret;
 	u8 *plain_blob_key = NULL;
 
 	if (b->fmt_version != DCP_BLOB_VERSION) {
 		pr_err("DCP blob has bad version: %i, expected %i\n",
 		       b->fmt_version, DCP_BLOB_VERSION);
 		ret = -EINVAL;
 		goto out;
 	}
 
 	p->key_len = le32_to_cpu(b->payload_len);
+	if (p->key_len < MIN_KEY_SIZE || p->key_len > MAX_KEY_SIZE)
+		return -EINVAL;
+
 	blen = calc_blob_len(p->key_len);
 	if (blen != p->blob_len) {
-		pr_err("DCP blob has bad length: %i != %i\n", blen,
+		pr_err("DCP blob has bad length: %zu != %u\n", blen,
 		       p->blob_len);
 		ret = -EINVAL;
 		goto out;
-- 
2.43.0

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] KEYS: trusted: dcp: fix key_len validation and calc_blob_len() return type
  2026-07-18 20:28 [PATCH] KEYS: trusted: dcp: fix key_len validation and calc_blob_len() return type Fabrice Derepas
@ 2026-07-18 21:12 ` Richard Weinberger
  2026-07-18 22:13 ` Jarkko Sakkinen
  1 sibling, 0 replies; 4+ messages in thread
From: Richard Weinberger @ 2026-07-18 21:12 UTC (permalink / raw)
  To: keyrings, linux-integrity, upstream, Fabrice Derepas
  Cc: Fabrice Derepas, david, upstream+dcp, jarkko, zohar, dhowells

On Samstag, 18. Juli 2026 22:28 'Fabrice Derepas' via upstream wrote:
> Two defects in trusted_dcp_unseal() combine to allow a heap
> out-of-bounds write in kernel context.
> 
> The primary defect is a missing upper-bound check:
> trusted_dcp_unseal() reads p->key_len from an attacker-supplied blob
> with no validation that it is at most MAX_KEY_SIZE (128).  It then
> passes p->key_len + DCP_BLOB_AUTHLEN to do_aead_crypto() as the
> operation length.  Because p->key is only MAX_KEY_SIZE + 1 = 129
> bytes, any payload_len above 128 in the blob overruns p->key.  On
> implementations where AES-128-GCM decryption writes plaintext before
> verifying the authentication tag, up to 330 bytes of out-of-bounds
> heap overwrite can occur before -EBADMSG is returned.

Hmm, but this will only overflow p->blob[], which is the attacker input.
p->blob[] is at least 512 bytes long.
So an attacker is only able to overwrite it's own provided input?
 
> The secondary defect is an integer overflow in calc_blob_len(), which
> computes its sum in size_t but returns unsigned int, truncating the
> result on 64-bit platforms.  This allows a crafted blob with
> payload_len near UINT_MAX to bypass the sanity check
> (blen != p->blob_len).  Due to a second wrap in the expression
> p->key_len + DCP_BLOB_AUTHLEN (computed in unsigned int at the call
> site), the len value that reaches do_aead_crypto() via this path is
> at most 15 bytes and does not directly amplify the OOB write, but
> the integrity check bypass must be fixed.

Since the DCP engine is only found on tiny 32-bits NXP i.MX systems,
I don't consider this a real issue.

> Fix the primary OOB by validating p->key_len against MIN_KEY_SIZE
> and MAX_KEY_SIZE immediately after reading it from the blob, matching
> the validation already performed in trusted_core.c on the Opt_new
> path.  Fix the overflow by changing the return type of calc_blob_len()
> to size_t; update the two blen declarations from int to size_t to
> avoid narrowing-conversion warnings, and update the pr_err format
> specifier for blen accordingly.
> 
> The seal path is not affected: p->key_len is validated by
> trusted_core.c before trusted_dcp_seal() is called, and the
> blen > MAX_BLOB_SIZE guard provides defence in depth there.
> 
> Exploitation requires high privileges.  The unseal path is reached
> via add_key("trusted", ..., KEY_SPEC_*) with the Opt_load command,
> which requires write permission to a keyring that accepts trusted
> keys -- in practice CAP_SYS_ADMIN.  Additionally,
> CONFIG_TRUSTED_KEYS_DCP must be enabled. The attacker must also supply
> a crafted sealed blob, which in the typical dm-crypt use case means
> either physical access to modify on-disk key material or a prior
> compromise of a privileged process that writes the blob.

While I welcome the proposed changes as they make the code more clear
and will other tools happy, I don't think it's a security issue.
So the commit message needs rewording.

Thanks,
//richard

-- 
​​​​​sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT UID/VAT Nr:
ATU 66964118 | FN: 374287y



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] KEYS: trusted: dcp: fix key_len validation and calc_blob_len() return type
  2026-07-18 20:28 [PATCH] KEYS: trusted: dcp: fix key_len validation and calc_blob_len() return type Fabrice Derepas
  2026-07-18 21:12 ` Richard Weinberger
@ 2026-07-18 22:13 ` Jarkko Sakkinen
  2026-07-18 22:16   ` Jarkko Sakkinen
  1 sibling, 1 reply; 4+ messages in thread
From: Jarkko Sakkinen @ 2026-07-18 22:13 UTC (permalink / raw)
  To: Fabrice Derepas
  Cc: keyrings, linux-integrity, david, upstream+dcp, zohar, dhowells

On Sat, Jul 18, 2026 at 10:28:17PM +0200, Fabrice Derepas wrote:
> Two defects in trusted_dcp_unseal() combine to allow a heap
> out-of-bounds write in kernel context.
> 
> The primary defect is a missing upper-bound check:
> trusted_dcp_unseal() reads p->key_len from an attacker-supplied blob
> with no validation that it is at most MAX_KEY_SIZE (128).  It then
> passes p->key_len + DCP_BLOB_AUTHLEN to do_aead_crypto() as the
> operation length.  Because p->key is only MAX_KEY_SIZE + 1 = 129
> bytes, any payload_len above 128 in the blob overruns p->key.  On
> implementations where AES-128-GCM decryption writes plaintext before
> verifying the authentication tag, up to 330 bytes of out-of-bounds
> heap overwrite can occur before -EBADMSG is returned.
> 
> The secondary defect is an integer overflow in calc_blob_len(), which
> computes its sum in size_t but returns unsigned int, truncating the
> result on 64-bit platforms.  This allows a crafted blob with
> payload_len near UINT_MAX to bypass the sanity check
> (blen != p->blob_len).  Due to a second wrap in the expression
> p->key_len + DCP_BLOB_AUTHLEN (computed in unsigned int at the call
> site), the len value that reaches do_aead_crypto() via this path is
> at most 15 bytes and does not directly amplify the OOB write, but
> the integrity check bypass must be fixed.
> 
> Fix the primary OOB by validating p->key_len against MIN_KEY_SIZE
> and MAX_KEY_SIZE immediately after reading it from the blob, matching
> the validation already performed in trusted_core.c on the Opt_new
> path.  Fix the overflow by changing the return type of calc_blob_len()
> to size_t; update the two blen declarations from int to size_t to
> avoid narrowing-conversion warnings, and update the pr_err format
> specifier for blen accordingly.
> 
> The seal path is not affected: p->key_len is validated by
> trusted_core.c before trusted_dcp_seal() is called, and the
> blen > MAX_BLOB_SIZE guard provides defence in depth there.
> 
> Exploitation requires high privileges.  The unseal path is reached
> via add_key("trusted", ..., KEY_SPEC_*) with the Opt_load command,
> which requires write permission to a keyring that accepts trusted
> keys -- in practice CAP_SYS_ADMIN.  Additionally,
> CONFIG_TRUSTED_KEYS_DCP must be enabled. The attacker must also supply
> a crafted sealed blob, which in the typical dm-crypt use case means
> either physical access to modify on-disk key material or a prior
> compromise of a privileged process that writes the blob.

This is hypothesis of an exploit at most.

The change look while but this paragraph is way too abstract
to qualify for anything.

> 
> How this was found:
> Found by applying the Squeeze Loop strategy ("The Squeeze Loop
> Strategy: Catching Coherent-and-Wrong Artifacts with an
> Author-Independent Executable Oracle," Zenodo
> DOI 10.5281/zenodo.20787816, 2026) on its C terrain using
> deductive verification.  The formal proof of calc_blob_len (12/12
> goals discharged) required a no_wrap precondition on payload_len;
> removing that precondition caused 3 of 6 proof goals to fail.
> Tracing the caller path confirmed the bounds bypass and the missing
> key_len validation.
> 
> Signed-off-by: Fabrice Derepas <fabrice.derepas@canonical.com>
> ---
>  security/keys/trusted-keys/trusted_dcp.c | 13 ++++++++++---
>  1 file changed, 9 insertions(+), 4 deletions(-)
> 
> diff --git a/security/keys/trusted-keys/trusted_dcp.c b/security/keys/trusted-keys/trusted_dcp.c
> index XXXXXXXXXXXXXXXX..YYYYYYYYYYYYYYYY 100644
> --- a/security/keys/trusted-keys/trusted_dcp.c
> +++ b/security/keys/trusted-keys/trusted_dcp.c
> @@ -69,7 +69,7 @@ module_param_named(dcp_skip_zk_test, skip_zk_test, bool, 0);
>  MODULE_PARM_DESC(dcp_skip_zk_test, "Don't test whether device keys are zero'ed");
>  
> -static unsigned int calc_blob_len(unsigned int payload_len)
> +static size_t calc_blob_len(unsigned int payload_len)
>  {
>  	return sizeof(struct dcp_blob_fmt) + payload_len + DCP_BLOB_AUTHLEN;
>  }
> @@ -200,7 +200,8 @@ static int trusted_dcp_seal(struct trusted_key_payload *p, char *datablob)
>  {
>  	struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob;
> -	int blen, ret;
> +	size_t blen;
> +	int ret;
>  	u8 *plain_blob_key;
>  
>  	blen = calc_blob_len(p->key_len);
> @@ -242,21 +243,25 @@ static int trusted_dcp_unseal(struct trusted_key_payload *p, char *datablob)
>  {
>  	struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob;
> -	int blen, ret;
> +	size_t blen;
> +	int ret;
>  	u8 *plain_blob_key = NULL;
>  
>  	if (b->fmt_version != DCP_BLOB_VERSION) {
>  		pr_err("DCP blob has bad version: %i, expected %i\n",
>  		       b->fmt_version, DCP_BLOB_VERSION);
>  		ret = -EINVAL;
>  		goto out;
>  	}
>  
>  	p->key_len = le32_to_cpu(b->payload_len);
> +	if (p->key_len < MIN_KEY_SIZE || p->key_len > MAX_KEY_SIZE)
> +		return -EINVAL;
> +
>  	blen = calc_blob_len(p->key_len);
>  	if (blen != p->blob_len) {
> -		pr_err("DCP blob has bad length: %i != %i\n", blen,
> +		pr_err("DCP blob has bad length: %zu != %u\n", blen,
>  		       p->blob_len);
>  		ret = -EINVAL;
>  		goto out;
> -- 
> 2.43.0

As said, code changes themselves look reasonable but the commit message
is painting a picture of impact that this bug really does not have.

BR, Jarkko

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] KEYS: trusted: dcp: fix key_len validation and calc_blob_len() return type
  2026-07-18 22:13 ` Jarkko Sakkinen
@ 2026-07-18 22:16   ` Jarkko Sakkinen
  0 siblings, 0 replies; 4+ messages in thread
From: Jarkko Sakkinen @ 2026-07-18 22:16 UTC (permalink / raw)
  To: Fabrice Derepas
  Cc: keyrings, linux-integrity, david, upstream+dcp, zohar, dhowells

On Sun, Jul 19, 2026 at 01:13:23AM +0300, Jarkko Sakkinen wrote:
> On Sat, Jul 18, 2026 at 10:28:17PM +0200, Fabrice Derepas wrote:
> > Two defects in trusted_dcp_unseal() combine to allow a heap
> > out-of-bounds write in kernel context.
> > 
> > The primary defect is a missing upper-bound check:
> > trusted_dcp_unseal() reads p->key_len from an attacker-supplied blob
> > with no validation that it is at most MAX_KEY_SIZE (128).  It then
> > passes p->key_len + DCP_BLOB_AUTHLEN to do_aead_crypto() as the
> > operation length.  Because p->key is only MAX_KEY_SIZE + 1 = 129
> > bytes, any payload_len above 128 in the blob overruns p->key.  On
> > implementations where AES-128-GCM decryption writes plaintext before
> > verifying the authentication tag, up to 330 bytes of out-of-bounds
> > heap overwrite can occur before -EBADMSG is returned.
> > 
> > The secondary defect is an integer overflow in calc_blob_len(), which
> > computes its sum in size_t but returns unsigned int, truncating the
> > result on 64-bit platforms.  This allows a crafted blob with
> > payload_len near UINT_MAX to bypass the sanity check
> > (blen != p->blob_len).  Due to a second wrap in the expression
> > p->key_len + DCP_BLOB_AUTHLEN (computed in unsigned int at the call
> > site), the len value that reaches do_aead_crypto() via this path is
> > at most 15 bytes and does not directly amplify the OOB write, but
> > the integrity check bypass must be fixed.
> > 
> > Fix the primary OOB by validating p->key_len against MIN_KEY_SIZE
> > and MAX_KEY_SIZE immediately after reading it from the blob, matching
> > the validation already performed in trusted_core.c on the Opt_new
> > path.  Fix the overflow by changing the return type of calc_blob_len()
> > to size_t; update the two blen declarations from int to size_t to
> > avoid narrowing-conversion warnings, and update the pr_err format
> > specifier for blen accordingly.
> > 
> > The seal path is not affected: p->key_len is validated by
> > trusted_core.c before trusted_dcp_seal() is called, and the
> > blen > MAX_BLOB_SIZE guard provides defence in depth there.
> > 
> > Exploitation requires high privileges.  The unseal path is reached
> > via add_key("trusted", ..., KEY_SPEC_*) with the Opt_load command,
> > which requires write permission to a keyring that accepts trusted
> > keys -- in practice CAP_SYS_ADMIN.  Additionally,
> > CONFIG_TRUSTED_KEYS_DCP must be enabled. The attacker must also supply
> > a crafted sealed blob, which in the typical dm-crypt use case means
> > either physical access to modify on-disk key material or a prior
> > compromise of a privileged process that writes the blob.
> 
> This is hypothesis of an exploit at most.
> 
> The change look while but this paragraph is way too abstract
> to qualify for anything.
> 
> > 
> > How this was found:
> > Found by applying the Squeeze Loop strategy ("The Squeeze Loop
> > Strategy: Catching Coherent-and-Wrong Artifacts with an
> > Author-Independent Executable Oracle," Zenodo
> > DOI 10.5281/zenodo.20787816, 2026) on its C terrain using
> > deductive verification.  The formal proof of calc_blob_len (12/12
> > goals discharged) required a no_wrap precondition on payload_len;
> > removing that precondition caused 3 of 6 proof goals to fail.
> > Tracing the caller path confirmed the bounds bypass and the missing
> > key_len validation.
> > 
> > Signed-off-by: Fabrice Derepas <fabrice.derepas@canonical.com>
> > ---
> >  security/keys/trusted-keys/trusted_dcp.c | 13 ++++++++++---
> >  1 file changed, 9 insertions(+), 4 deletions(-)
> > 
> > diff --git a/security/keys/trusted-keys/trusted_dcp.c b/security/keys/trusted-keys/trusted_dcp.c
> > index XXXXXXXXXXXXXXXX..YYYYYYYYYYYYYYYY 100644
> > --- a/security/keys/trusted-keys/trusted_dcp.c
> > +++ b/security/keys/trusted-keys/trusted_dcp.c
> > @@ -69,7 +69,7 @@ module_param_named(dcp_skip_zk_test, skip_zk_test, bool, 0);
> >  MODULE_PARM_DESC(dcp_skip_zk_test, "Don't test whether device keys are zero'ed");
> >  
> > -static unsigned int calc_blob_len(unsigned int payload_len)
> > +static size_t calc_blob_len(unsigned int payload_len)
> >  {
> >  	return sizeof(struct dcp_blob_fmt) + payload_len + DCP_BLOB_AUTHLEN;
> >  }
> > @@ -200,7 +200,8 @@ static int trusted_dcp_seal(struct trusted_key_payload *p, char *datablob)
> >  {
> >  	struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob;
> > -	int blen, ret;
> > +	size_t blen;
> > +	int ret;
> >  	u8 *plain_blob_key;
> >  
> >  	blen = calc_blob_len(p->key_len);
> > @@ -242,21 +243,25 @@ static int trusted_dcp_unseal(struct trusted_key_payload *p, char *datablob)
> >  {
> >  	struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob;
> > -	int blen, ret;
> > +	size_t blen;
> > +	int ret;
> >  	u8 *plain_blob_key = NULL;
> >  
> >  	if (b->fmt_version != DCP_BLOB_VERSION) {
> >  		pr_err("DCP blob has bad version: %i, expected %i\n",
> >  		       b->fmt_version, DCP_BLOB_VERSION);
> >  		ret = -EINVAL;
> >  		goto out;
> >  	}
> >  
> >  	p->key_len = le32_to_cpu(b->payload_len);
> > +	if (p->key_len < MIN_KEY_SIZE || p->key_len > MAX_KEY_SIZE)
> > +		return -EINVAL;
> > +
> >  	blen = calc_blob_len(p->key_len);
> >  	if (blen != p->blob_len) {
> > -		pr_err("DCP blob has bad length: %i != %i\n", blen,
> > +		pr_err("DCP blob has bad length: %zu != %u\n", blen,
> >  		       p->blob_len);
> >  		ret = -EINVAL;
> >  		goto out;
> > -- 
> > 2.43.0
> 
> As said, code changes themselves look reasonable but the commit message
> is painting a picture of impact that this bug really does not have.

If possible strip down the paragraph and add fixes tags (if possible,
I can dig it up too). With those requests send v2.

BR, Jarkko

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-07-18 22:16 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-18 20:28 [PATCH] KEYS: trusted: dcp: fix key_len validation and calc_blob_len() return type Fabrice Derepas
2026-07-18 21:12 ` Richard Weinberger
2026-07-18 22:13 ` Jarkko Sakkinen
2026-07-18 22:16   ` Jarkko Sakkinen

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.