[PATCH] ima: fix reference leak in asymmetric

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] ima: fix reference leak in asymmetric_verify()
@ 2022-01-13 19:44 Eric Biggers
  2022-01-13 20:39 ` Stefan Berger
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Eric Biggers @ 2022-01-13 19:44 UTC (permalink / raw)
  To: linux-integrity, Mimi Zohar, Dmitry Kasatkin
  Cc: keyrings, Vitaly Chikunov, Tianjia Zhang, Stefan Berger,
	Herbert Xu, stable

From: Eric Biggers <ebiggers@google.com>

Don't leak a reference to the key if its algorithm is unknown.

Fixes: 947d70597236 ("ima: Support EC keys for signature verification")
Cc: <stable@vger.kernel.org> # v5.13+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 security/integrity/digsig_asymmetric.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index 23240d793b07..895f4b9ce8c6 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -109,22 +109,25 @@ int asymmetric_verify(struct key *keyring, const char *sig,
 
 	pk = asymmetric_key_public_key(key);
 	pks.pkey_algo = pk->pkey_algo;
-	if (!strcmp(pk->pkey_algo, "rsa"))
+	if (!strcmp(pk->pkey_algo, "rsa")) {
 		pks.encoding = "pkcs1";
-	else if (!strncmp(pk->pkey_algo, "ecdsa-", 6))
+	} else if (!strncmp(pk->pkey_algo, "ecdsa-", 6)) {
 		/* edcsa-nist-p192 etc. */
 		pks.encoding = "x962";
-	else if (!strcmp(pk->pkey_algo, "ecrdsa") ||
-		   !strcmp(pk->pkey_algo, "sm2"))
+	} else if (!strcmp(pk->pkey_algo, "ecrdsa") ||
+		   !strcmp(pk->pkey_algo, "sm2")) {
 		pks.encoding = "raw";
-	else
-		return -ENOPKG;
+	} else {
+		ret = -ENOPKG;
+		goto out;
+	}
 
 	pks.digest = (u8 *)data;
 	pks.digest_size = datalen;
 	pks.s = hdr->sig;
 	pks.s_size = siglen;
 	ret = verify_signature(key, &pks);
+out:
 	key_put(key);
 	pr_debug("%s() = %d\n", __func__, ret);
 	return ret;

base-commit: feb7a43de5ef625ad74097d8fd3481d5dbc06a59
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] ima: fix reference leak in asymmetric_verify()
  2022-01-13 19:44 [PATCH] ima: fix reference leak in asymmetric_verify() Eric Biggers
@ 2022-01-13 20:39 ` Stefan Berger
  2022-01-14  1:52 ` Mimi Zohar
  2022-01-14  2:47 ` Tianjia Zhang
  2 siblings, 0 replies; 6+ messages in thread
From: Stefan Berger @ 2022-01-13 20:39 UTC (permalink / raw)
  To: Eric Biggers, linux-integrity, Mimi Zohar, Dmitry Kasatkin
  Cc: keyrings, Vitaly Chikunov, Tianjia Zhang, Herbert Xu, stable


On 1/13/22 14:44, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> Don't leak a reference to the key if its algorithm is unknown.
>
> Fixes: 947d70597236 ("ima: Support EC keys for signature verification")
> Cc: <stable@vger.kernel.org> # v5.13+
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>   security/integrity/digsig_asymmetric.c | 15 +++++++++------
>   1 file changed, 9 insertions(+), 6 deletions(-)
>
> diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
> index 23240d793b07..895f4b9ce8c6 100644
> --- a/security/integrity/digsig_asymmetric.c
> +++ b/security/integrity/digsig_asymmetric.c
> @@ -109,22 +109,25 @@ int asymmetric_verify(struct key *keyring, const char *sig,
>   
>   	pk = asymmetric_key_public_key(key);
>   	pks.pkey_algo = pk->pkey_algo;
> -	if (!strcmp(pk->pkey_algo, "rsa"))
> +	if (!strcmp(pk->pkey_algo, "rsa")) {
>   		pks.encoding = "pkcs1";
> -	else if (!strncmp(pk->pkey_algo, "ecdsa-", 6))
> +	} else if (!strncmp(pk->pkey_algo, "ecdsa-", 6)) {
>   		/* edcsa-nist-p192 etc. */
>   		pks.encoding = "x962";
> -	else if (!strcmp(pk->pkey_algo, "ecrdsa") ||
> -		   !strcmp(pk->pkey_algo, "sm2"))
> +	} else if (!strcmp(pk->pkey_algo, "ecrdsa") ||
> +		   !strcmp(pk->pkey_algo, "sm2")) {
>   		pks.encoding = "raw";
> -	else
> -		return -ENOPKG;
> +	} else {
> +		ret = -ENOPKG;
> +		goto out;
> +	}
>   
>   	pks.digest = (u8 *)data;
>   	pks.digest_size = datalen;
>   	pks.s = hdr->sig;
>   	pks.s_size = siglen;
>   	ret = verify_signature(key, &pks);
> +out:
>   	key_put(key);
>   	pr_debug("%s() = %d\n", __func__, ret);
>   	return ret;
>
> base-commit: feb7a43de5ef625ad74097d8fd3481d5dbc06a59


Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] ima: fix reference leak in asymmetric_verify()
  2022-01-13 19:44 [PATCH] ima: fix reference leak in asymmetric_verify() Eric Biggers
  2022-01-13 20:39 ` Stefan Berger
@ 2022-01-14  1:52 ` Mimi Zohar
  2022-01-19  0:18   ` Eric Biggers
  2022-01-14  2:47 ` Tianjia Zhang
  2 siblings, 1 reply; 6+ messages in thread
From: Mimi Zohar @ 2022-01-14  1:52 UTC (permalink / raw)
  To: Eric Biggers, linux-integrity, Dmitry Kasatkin
  Cc: keyrings, Vitaly Chikunov, Tianjia Zhang, Stefan Berger,
	Herbert Xu, stable

Hi Eric,

On Thu, 2022-01-13 at 11:44 -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> Don't leak a reference to the key if its algorithm is unknown.
> 
> Fixes: 947d70597236 ("ima: Support EC keys for signature verification")
> Cc: <stable@vger.kernel.org> # v5.13+
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

thanks,

Mimi


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] ima: fix reference leak in asymmetric_verify()
  2022-01-13 19:44 [PATCH] ima: fix reference leak in asymmetric_verify() Eric Biggers
  2022-01-13 20:39 ` Stefan Berger
  2022-01-14  1:52 ` Mimi Zohar
@ 2022-01-14  2:47 ` Tianjia Zhang
  2 siblings, 0 replies; 6+ messages in thread
From: Tianjia Zhang @ 2022-01-14  2:47 UTC (permalink / raw)
  To: Eric Biggers, linux-integrity, Mimi Zohar, Dmitry Kasatkin
  Cc: keyrings, Vitaly Chikunov, Stefan Berger, Herbert Xu, stable

Hi Eric,

On 1/14/22 3:44 AM, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> Don't leak a reference to the key if its algorithm is unknown.
> 
> Fixes: 947d70597236 ("ima: Support EC keys for signature verification")
> Cc: <stable@vger.kernel.org> # v5.13+
> Signed-off-by: Eric Biggers <ebiggers@google.com>

LGTM.

Reviewed-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Best regards,
Tianjia

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] ima: fix reference leak in asymmetric_verify()
  2022-01-14  1:52 ` Mimi Zohar
@ 2022-01-19  0:18   ` Eric Biggers
  2022-01-19  0:28     ` Mimi Zohar
  0 siblings, 1 reply; 6+ messages in thread
From: Eric Biggers @ 2022-01-19  0:18 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: linux-integrity, Dmitry Kasatkin, keyrings, Vitaly Chikunov,
	Tianjia Zhang, Stefan Berger, Herbert Xu, stable

On Thu, Jan 13, 2022 at 08:52:59PM -0500, Mimi Zohar wrote:
> Hi Eric,
> 
> On Thu, 2022-01-13 at 11:44 -0800, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> > 
> > Don't leak a reference to the key if its algorithm is unknown.
> > 
> > Fixes: 947d70597236 ("ima: Support EC keys for signature verification")
> > Cc: <stable@vger.kernel.org> # v5.13+
> > Signed-off-by: Eric Biggers <ebiggers@google.com>
> 
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> 

Thanks.  You're intending to apply this patch, right?  Or are you expecting
someone else to?  get_maintainer.pl didn't associate this file with IMA, but I
see you sent out a patch to fix that
(https://lore.kernel.org/linux-integrity/20220117230229.16475-1-zohar@linux.ibm.com/T/#u).

- Eric

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] ima: fix reference leak in asymmetric_verify()
  2022-01-19  0:18   ` Eric Biggers
@ 2022-01-19  0:28     ` Mimi Zohar
  0 siblings, 0 replies; 6+ messages in thread
From: Mimi Zohar @ 2022-01-19  0:28 UTC (permalink / raw)
  To: Eric Biggers
  Cc: linux-integrity, Dmitry Kasatkin, keyrings, Vitaly Chikunov,
	Tianjia Zhang, Stefan Berger, Herbert Xu, stable

On Tue, 2022-01-18 at 16:18 -0800, Eric Biggers wrote:
> On Thu, Jan 13, 2022 at 08:52:59PM -0500, Mimi Zohar wrote:
> > Hi Eric,
> > 
> > On Thu, 2022-01-13 at 11:44 -0800, Eric Biggers wrote:
> > > From: Eric Biggers <ebiggers@google.com>
> > > 
> > > Don't leak a reference to the key if its algorithm is unknown.
> > > 
> > > Fixes: 947d70597236 ("ima: Support EC keys for signature verification")
> > > Cc: <stable@vger.kernel.org> # v5.13+
> > > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > 
> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > 
> 
> Thanks.  You're intending to apply this patch, right?  Or are you expecting
> someone else to?  get_maintainer.pl didn't associate this file with IMA, but I
> see you sent out a patch to fix that
> (https://lore.kernel.org/linux-integrity/20220117230229.16475-1-zohar@linux.ibm.com/T/#u).

Once the open window closes, I'll apply it.

Mimi


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2022-01-19  0:28 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-01-13 19:44 [PATCH] ima: fix reference leak in asymmetric_verify() Eric Biggers
2022-01-13 20:39 ` Stefan Berger
2022-01-14  1:52 ` Mimi Zohar
2022-01-19  0:18   ` Eric Biggers
2022-01-19  0:28     ` Mimi Zohar
2022-01-14  2:47 ` Tianjia Zhang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).