* [PATCH] PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument
@ 2016-03-20 22:23 Nicolai Stange
2016-03-23 12:59 ` Herbert Xu
0 siblings, 1 reply; 3+ messages in thread
From: Nicolai Stange @ 2016-03-20 22:23 UTC (permalink / raw)
To: David S. Miller
Cc: Herbert Xu, David Howells, Tadeusz Struk, linux-crypto,
linux-kernel, Nicolai Stange
Despite what the DocBook comment to pkcs7_validate_trust() says, the
*_trusted argument is never set to false.
pkcs7_validate_trust() only positively sets *_trusted upon encountering
a trusted PKCS#7 SignedInfo block.
This is quite unfortunate since its callers, system_verify_data() for
example, depend on pkcs7_validate_trust() clearing *_trusted on non-trust.
Indeed, UBSAN splats when attempting to load the uninitialized local
variable 'trusted' from system_verify_data() in pkcs7_validate_trust():
UBSAN: Undefined behaviour in crypto/asymmetric_keys/pkcs7_trust.c:194:14
load of value 82 is not a valid value for type '_Bool'
[...]
Call Trace:
[<ffffffff818c4d35>] dump_stack+0xbc/0x117
[<ffffffff818c4c79>] ? _atomic_dec_and_lock+0x169/0x169
[<ffffffff8194113b>] ubsan_epilogue+0xd/0x4e
[<ffffffff819419fa>] __ubsan_handle_load_invalid_value+0x111/0x158
[<ffffffff819418e9>] ? val_to_string.constprop.12+0xcf/0xcf
[<ffffffff818334a4>] ? x509_request_asymmetric_key+0x114/0x370
[<ffffffff814b83f0>] ? kfree+0x220/0x370
[<ffffffff818312c2>] ? public_key_verify_signature_2+0x32/0x50
[<ffffffff81835e04>] pkcs7_validate_trust+0x524/0x5f0
[<ffffffff813c391a>] system_verify_data+0xca/0x170
[<ffffffff813c3850>] ? top_trace_array+0x9b/0x9b
[<ffffffff81510b29>] ? __vfs_read+0x279/0x3d0
[<ffffffff8129372f>] mod_verify_sig+0x1ff/0x290
[...]
The implication is that pkcs7_validate_trust() effectively grants trust
when it really shouldn't have.
Fix this by explicitly setting *_trusted to false at the very beginning
of pkcs7_validate_trust().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
---
Applicable to linux-next-20160318
crypto/asymmetric_keys/pkcs7_trust.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c
index 3bbdcc7..7d7a39b4 100644
--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -178,6 +178,8 @@ int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
int cached_ret = -ENOKEY;
int ret;
+ *_trusted = false;
+
for (p = pkcs7->certs; p; p = p->next)
p->seen = false;
--
2.7.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument
2016-03-20 22:23 [PATCH] PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument Nicolai Stange
@ 2016-03-23 12:59 ` Herbert Xu
2016-03-23 14:00 ` Nicolai Stange
0 siblings, 1 reply; 3+ messages in thread
From: Herbert Xu @ 2016-03-23 12:59 UTC (permalink / raw)
To: Nicolai Stange
Cc: David S. Miller, David Howells, Tadeusz Struk, linux-crypto,
linux-kernel
On Sun, Mar 20, 2016 at 11:23:46PM +0100, Nicolai Stange wrote:
> Despite what the DocBook comment to pkcs7_validate_trust() says, the
> *_trusted argument is never set to false.
>
> pkcs7_validate_trust() only positively sets *_trusted upon encountering
> a trusted PKCS#7 SignedInfo block.
>
> This is quite unfortunate since its callers, system_verify_data() for
> example, depend on pkcs7_validate_trust() clearing *_trusted on non-trust.
>
> Indeed, UBSAN splats when attempting to load the uninitialized local
> variable 'trusted' from system_verify_data() in pkcs7_validate_trust():
>
> UBSAN: Undefined behaviour in crypto/asymmetric_keys/pkcs7_trust.c:194:14
> load of value 82 is not a valid value for type '_Bool'
> [...]
> Call Trace:
> [<ffffffff818c4d35>] dump_stack+0xbc/0x117
> [<ffffffff818c4c79>] ? _atomic_dec_and_lock+0x169/0x169
> [<ffffffff8194113b>] ubsan_epilogue+0xd/0x4e
> [<ffffffff819419fa>] __ubsan_handle_load_invalid_value+0x111/0x158
> [<ffffffff819418e9>] ? val_to_string.constprop.12+0xcf/0xcf
> [<ffffffff818334a4>] ? x509_request_asymmetric_key+0x114/0x370
> [<ffffffff814b83f0>] ? kfree+0x220/0x370
> [<ffffffff818312c2>] ? public_key_verify_signature_2+0x32/0x50
> [<ffffffff81835e04>] pkcs7_validate_trust+0x524/0x5f0
> [<ffffffff813c391a>] system_verify_data+0xca/0x170
> [<ffffffff813c3850>] ? top_trace_array+0x9b/0x9b
> [<ffffffff81510b29>] ? __vfs_read+0x279/0x3d0
> [<ffffffff8129372f>] mod_verify_sig+0x1ff/0x290
> [...]
>
> The implication is that pkcs7_validate_trust() effectively grants trust
> when it really shouldn't have.
>
> Fix this by explicitly setting *_trusted to false at the very beginning
> of pkcs7_validate_trust().
>
> Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Patch applied. Thanks!
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument
2016-03-23 12:59 ` Herbert Xu
@ 2016-03-23 14:00 ` Nicolai Stange
0 siblings, 0 replies; 3+ messages in thread
From: Nicolai Stange @ 2016-03-23 14:00 UTC (permalink / raw)
To: Herbert Xu
Cc: Nicolai Stange, David S. Miller, David Howells, Tadeusz Struk,
linux-crypto, linux-kernel
Herbert Xu <herbert@gondor.apana.org.au> writes:
> On Sun, Mar 20, 2016 at 11:23:46PM +0100, Nicolai Stange wrote:
>> Despite what the DocBook comment to pkcs7_validate_trust() says, the
>> *_trusted argument is never set to false.
>>
>> pkcs7_validate_trust() only positively sets *_trusted upon encountering
>> a trusted PKCS#7 SignedInfo block.
>>
>> This is quite unfortunate since its callers, system_verify_data() for
>> example, depend on pkcs7_validate_trust() clearing *_trusted on non-trust.
>>
>> Indeed, UBSAN splats when attempting to load the uninitialized local
>> variable 'trusted' from system_verify_data() in pkcs7_validate_trust():
>>
>> UBSAN: Undefined behaviour in crypto/asymmetric_keys/pkcs7_trust.c:194:14
>> load of value 82 is not a valid value for type '_Bool'
>> [...]
>> Call Trace:
>> [<ffffffff818c4d35>] dump_stack+0xbc/0x117
>> [<ffffffff818c4c79>] ? _atomic_dec_and_lock+0x169/0x169
>> [<ffffffff8194113b>] ubsan_epilogue+0xd/0x4e
>> [<ffffffff819419fa>] __ubsan_handle_load_invalid_value+0x111/0x158
>> [<ffffffff819418e9>] ? val_to_string.constprop.12+0xcf/0xcf
>> [<ffffffff818334a4>] ? x509_request_asymmetric_key+0x114/0x370
>> [<ffffffff814b83f0>] ? kfree+0x220/0x370
>> [<ffffffff818312c2>] ? public_key_verify_signature_2+0x32/0x50
>> [<ffffffff81835e04>] pkcs7_validate_trust+0x524/0x5f0
>> [<ffffffff813c391a>] system_verify_data+0xca/0x170
>> [<ffffffff813c3850>] ? top_trace_array+0x9b/0x9b
>> [<ffffffff81510b29>] ? __vfs_read+0x279/0x3d0
>> [<ffffffff8129372f>] mod_verify_sig+0x1ff/0x290
>> [...]
>>
>> The implication is that pkcs7_validate_trust() effectively grants trust
>> when it really shouldn't have.
>>
>> Fix this by explicitly setting *_trusted to false at the very beginning
>> of pkcs7_validate_trust().
>>
>> Signed-off-by: Nicolai Stange <nicstange@gmail.com>
>
> Patch applied. Thanks!
Thank you very much!
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-03-23 14:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-03-20 22:23 [PATCH] PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument Nicolai Stange
2016-03-23 12:59 ` Herbert Xu
2016-03-23 14:00 ` Nicolai Stange
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).