From: Mimi Zohar <zohar@linux.ibm.com>
To: Roberto Sassu <roberto.sassu@huaweicloud.com>,
dmitry.kasatkin@gmail.com, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com
Cc: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
Roberto Sassu <roberto.sassu@huawei.com>,
stable@vger.kernel.org
Subject: Re: [PATCH] ima: Make a copy of sig and digest in asymmetric_verify()
Date: Wed, 23 Nov 2022 08:40:40 -0500 [thread overview]
Message-ID: <c6c448c2acc07caf840046067322f3e1110cedff.camel@linux.ibm.com> (raw)
In-Reply-To: <a676b387d23f9ca630418ece20a6761a9437ce76.camel@huaweicloud.com>
On Wed, 2022-11-23 at 13:56 +0100, Roberto Sassu wrote:
> On Tue, 2022-11-22 at 14:39 -0500, Mimi Zohar wrote:
> > Hi Roberto,
> >
> > On Fri, 2022-11-04 at 13:20 +0100, Roberto Sassu wrote:
> > > From: Roberto Sassu <roberto.sassu@huawei.com>
> > >
> > > Commit ac4e97abce9b8 ("scatterlist: sg_set_buf() argument must be in linear
> > > mapping") requires that both the signature and the digest resides in the
> > > linear mapping area.
> > >
> > > However, more recently commit ba14a194a434c ("fork: Add generic vmalloced
> > > stack support"), made it possible to move the stack in the vmalloc area,
> > > which could make the requirement of the first commit not satisfied anymore.
> > >
> > > If CONFIG_SG=y and CONFIG_VMAP_STACK=y, the following BUG() is triggered:
> >
> > ^CONFIG_DEBUG_SG
> >
> > > [ 467.077359] kernel BUG at include/linux/scatterlist.h:163!
> > > [ 467.077939] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
> > >
> > > [...]
> > >
> > > [ 467.095225] Call Trace:
> > > [ 467.096088] <TASK>
> > > [ 467.096928] ? rcu_read_lock_held_common+0xe/0x50
> > > [ 467.097569] ? rcu_read_lock_sched_held+0x13/0x70
> > > [ 467.098123] ? trace_hardirqs_on+0x2c/0xd0
> > > [ 467.098647] ? public_key_verify_signature+0x470/0x470
> > > [ 467.099237] asymmetric_verify+0x14c/0x300
> > > [ 467.099869] evm_verify_hmac+0x245/0x360
> > > [ 467.100391] evm_inode_setattr+0x43/0x190
> > >
> > > The failure happens only for the digest, as the pointer comes from the
> > > stack, and not for the signature, which instead was allocated by
> > > vfs_getxattr_alloc().
> >
> > Only after enabling CONFIG_DEBUG_SG does EVM fail.
> >
> > > Fix this by making a copy of both in asymmetric_verify(), so that the
> > > linear mapping requirement is always satisfied, regardless of the caller.
> >
> > As only EVM is affected, it would make more sense to limit the change
> > to EVM.
>
> I found another occurrence:
>
> static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
> struct evm_ima_xattr_data *xattr_value, int xattr_len,
> enum integrity_status *status, const char **cause)
> {
>
> [...]
>
> rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
> (const char *)xattr_value,
> xattr_len, hash.digest,
> hash.hdr.length);
>
> Should I do two patches?
I'm just not getting it. Why did you enable CONFIG_DEBUG_SIG? Were
you testing random kernel configs? Are you actually seeing signature
verifications errors without it enabled? Or is it causing other
problems? Is the "BUG_ON" still needed?
If you're going to fix the EVM and IMA callers, then make them separate
patches.
--
thanks,
Mimi
next prev parent reply other threads:[~2022-11-23 13:51 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-04 12:20 [PATCH] ima: Make a copy of sig and digest in asymmetric_verify() Roberto Sassu
2022-11-21 13:39 ` Roberto Sassu
2022-11-22 19:39 ` Mimi Zohar
2022-11-23 12:56 ` Roberto Sassu
2022-11-23 13:40 ` Mimi Zohar [this message]
2022-11-23 13:49 ` Roberto Sassu
2022-11-30 14:41 ` Roberto Sassu
2022-11-30 16:22 ` Mimi Zohar
2022-11-30 16:24 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c6c448c2acc07caf840046067322f3e1110cedff.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=roberto.sassu@huaweicloud.com \
--cc=serge@hallyn.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).