From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mimi Zohar <zohar@linux.vnet.ibm.com>,
David Safford <safford@us.ibm.com>,
Eric Biggers <ebiggers@google.com>,
David Howells <dhowells@redhat.com>,
James Morris <james.l.morris@oracle.com>
Subject: [PATCH 3.18 16/28] KEYS: trusted: sanitize all key material
Date: Mon, 13 Nov 2017 13:55:10 +0100 [thread overview]
Message-ID: <20171113125402.302314164@linuxfoundation.org> (raw)
In-Reply-To: <20171113125400.803506921@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit ee618b4619b72527aaed765f0f0b74072b281159 upstream.
As the previous patch did for encrypted-keys, zero sensitive any
potentially sensitive data related to the "trusted" key type before it
is freed. Notably, we were not zeroing the tpm_buf structures in which
the actual key is stored for TPM seal and unseal, nor were we zeroing
the trusted_key_payload in certain error paths.
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Safford <safford@us.ibm.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/trusted.c | 49 +++++++++++++++++++++---------------------------
1 file changed, 22 insertions(+), 27 deletions(-)
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -69,7 +69,7 @@ static int TSS_sha1(const unsigned char
}
ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
- kfree(sdesc);
+ kzfree(sdesc);
return ret;
}
@@ -113,7 +113,7 @@ static int TSS_rawhmac(unsigned char *di
if (!ret)
ret = crypto_shash_final(&sdesc->shash, digest);
out:
- kfree(sdesc);
+ kzfree(sdesc);
return ret;
}
@@ -164,7 +164,7 @@ static int TSS_authhmac(unsigned char *d
paramdigest, TPM_NONCE_SIZE, h1,
TPM_NONCE_SIZE, h2, 1, &c, 0, 0);
out:
- kfree(sdesc);
+ kzfree(sdesc);
return ret;
}
@@ -245,7 +245,7 @@ static int TSS_checkhmac1(unsigned char
if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
ret = -EINVAL;
out:
- kfree(sdesc);
+ kzfree(sdesc);
return ret;
}
@@ -346,7 +346,7 @@ static int TSS_checkhmac2(unsigned char
if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
ret = -EINVAL;
out:
- kfree(sdesc);
+ kzfree(sdesc);
return ret;
}
@@ -563,7 +563,7 @@ static int tpm_seal(struct tpm_buf *tb,
*bloblen = storedsize;
}
out:
- kfree(td);
+ kzfree(td);
return ret;
}
@@ -677,7 +677,7 @@ static int key_seal(struct trusted_key_p
if (ret < 0)
pr_info("trusted_key: srkseal failed (%d)\n", ret);
- kfree(tb);
+ kzfree(tb);
return ret;
}
@@ -702,7 +702,7 @@ static int key_unseal(struct trusted_key
/* pull migratable flag out of sealed key */
p->migratable = p->key[--p->key_len];
- kfree(tb);
+ kzfree(tb);
return ret;
}
@@ -961,12 +961,12 @@ static int trusted_instantiate(struct ke
if (!ret && options->pcrlock)
ret = pcrlock(options->pcrlock);
out:
- kfree(datablob);
- kfree(options);
+ kzfree(datablob);
+ kzfree(options);
if (!ret)
rcu_assign_keypointer(key, payload);
else
- kfree(payload);
+ kzfree(payload);
return ret;
}
@@ -975,8 +975,7 @@ static void trusted_rcu_free(struct rcu_
struct trusted_key_payload *p;
p = container_of(rcu, struct trusted_key_payload, rcu);
- memset(p->key, 0, p->key_len);
- kfree(p);
+ kzfree(p);
}
/*
@@ -1018,9 +1017,10 @@ static int trusted_update(struct key *ke
ret = datablob_parse(datablob, new_p, new_o);
if (ret != Opt_update) {
ret = -EINVAL;
- kfree(new_p);
+ kzfree(new_p);
goto out;
}
+
/* copy old key values, and reseal with new pcrs */
new_p->migratable = p->migratable;
new_p->key_len = p->key_len;
@@ -1031,22 +1031,22 @@ static int trusted_update(struct key *ke
ret = key_seal(new_p, new_o);
if (ret < 0) {
pr_info("trusted_key: key_seal failed (%d)\n", ret);
- kfree(new_p);
+ kzfree(new_p);
goto out;
}
if (new_o->pcrlock) {
ret = pcrlock(new_o->pcrlock);
if (ret < 0) {
pr_info("trusted_key: pcrlock failed (%d)\n", ret);
- kfree(new_p);
+ kzfree(new_p);
goto out;
}
}
rcu_assign_keypointer(key, new_p);
call_rcu(&p->rcu, trusted_rcu_free);
out:
- kfree(datablob);
- kfree(new_o);
+ kzfree(datablob);
+ kzfree(new_o);
return ret;
}
@@ -1075,24 +1075,19 @@ static long trusted_read(const struct ke
for (i = 0; i < p->blob_len; i++)
bufp = hex_byte_pack(bufp, p->blob[i]);
if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) {
- kfree(ascii_buf);
+ kzfree(ascii_buf);
return -EFAULT;
}
- kfree(ascii_buf);
+ kzfree(ascii_buf);
return 2 * p->blob_len;
}
/*
- * trusted_destroy - before freeing the key, clear the decrypted data
+ * trusted_destroy - clear and free the key's payload
*/
static void trusted_destroy(struct key *key)
{
- struct trusted_key_payload *p = key->payload.data;
-
- if (!p)
- return;
- memset(p->key, 0, p->key_len);
- kfree(key->payload.data);
+ kzfree(key->payload.data);
}
struct key_type key_type_trusted = {
next prev parent reply other threads:[~2017-11-13 12:55 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-13 12:54 [PATCH 3.18 00/28] 3.18.81-stable review Greg Kroah-Hartman
2017-11-13 12:54 ` [PATCH 3.18 01/28] video: fbdev: pmag-ba-fb: Remove bad `__init annotation Greg Kroah-Hartman
2017-11-13 12:54 ` [PATCH 3.18 02/28] xen/netback: set default upper limit of tx/rx queues to 8 Greg Kroah-Hartman
2017-11-13 12:54 ` [PATCH 3.18 03/28] ARM: dts: imx53-qsb-common: fix FEC pinmux config Greg Kroah-Hartman
2017-11-16 4:08 ` Patrick Brünn
2017-11-13 12:54 ` [PATCH 3.18 05/28] ARM: omap2plus_defconfig: Fix probe errors on UARTs 5 and 6 Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 06/28] iio: trigger: free trigger resource correctly Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 07/28] dt-bindings: Add LEGO MINDSTORMS EV3 compatible specification Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 08/28] dt-bindings: Add vendor prefix for LEGO Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 10/28] serial: sh-sci: Fix register offsets for the IRDA serial port Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 11/28] usb: hcd: initialize hcd->flags to 0 when rm hcd Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 12/28] IPsec: do not ignore crypto err in ah4 input Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 13/28] Input: mpr121 - handle multiple bits change of status register Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 14/28] Input: mpr121 - set missing event capability Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 15/28] IB/ipoib: Change list_del to list_del_init in the tx object Greg Kroah-Hartman
2017-11-13 12:55 ` Greg Kroah-Hartman [this message]
2017-11-13 12:55 ` [PATCH 3.18 17/28] KEYS: trusted: fix writing past end of buffer in trusted_read() Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 18/28] crypto: x86/sha1-mb - fix panic due to unaligned access Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 19/28] KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2] Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 20/28] ARM: 8720/1: ensure dump_instr() checks addr_limit Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 21/28] ALSA: seq: Fix OSS sysex delivery in OSS emulation Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 22/28] ALSA: seq: Avoid invalid lockdep class warning Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 23/28] MIPS: microMIPS: Fix incorrect mask in insn_table_MM Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 24/28] MIPS: Fix CM region target definitions Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 25/28] MIPS: AR7: Ensure that serial ports are properly set up Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 26/28] rbd: use GFP_NOIO for parent stat and data requests Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 28/28] x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context Greg Kroah-Hartman
2017-11-13 21:50 ` [PATCH 3.18 00/28] 3.18.81-stable review Shuah Khan
2017-11-14 7:43 ` Greg Kroah-Hartman
2017-11-13 22:27 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171113125402.302314164@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dhowells@redhat.com \
--cc=ebiggers@google.com \
--cc=james.l.morris@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=safford@us.ibm.com \
--cc=stable@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).