[PATCH v2 1/2] evm: Alloc evm_digest in evm_verify_hmac() if CONFIG_VMAP_STACK=y
Mimi Zohar
zohar at linux.ibm.com
Thu Dec 8 01:26:26 UTC 2022
On Mon, 2022-12-05 at 09:22 +0100, Roberto Sassu wrote:
> On Fri, 2022-12-02 at 10:49 -0800, Eric Biggers wrote:
> > On Fri, Dec 02, 2022 at 08:58:21AM +0100, Roberto Sassu wrote:
> > > On Thu, 2022-12-01 at 10:53 -0800, Eric Biggers wrote:
> > > > On Thu, Dec 01, 2022 at 11:06:24AM +0100, Roberto Sassu wrote:
> > > > > From: Roberto Sassu <roberto.sassu at huawei.com>
> > > > >
> > > > > Commit ac4e97abce9b8 ("scatterlist: sg_set_buf() argument must be in linear
> > > > > mapping") checks that both the signature and the digest reside in the
> > > > > linear mapping area.
> > > > >
> > > > > However, more recently commit ba14a194a434c ("fork: Add generic vmalloced
> > > > > stack support"), made it possible to move the stack in the vmalloc area,
> > > > > which is not contiguous, and thus not suitable for sg_set_buf() which needs
> > > > > adjacent pages.
> > > > >
> > > > > Fix this by checking if CONFIG_VMAP_STACK is enabled. If yes, allocate an
> > > > > evm_digest structure, and use that instead of the in-stack counterpart.
> > > > >
> > > > > Cc: stable at vger.kernel.org # 4.9.x
> > > > > Fixes: ba14a194a434 ("fork: Add generic vmalloced stack support")
> > > > > Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
> > > > > ---
> > > > > security/integrity/evm/evm_main.c | 26 +++++++++++++++++++++-----
> > > > > 1 file changed, 21 insertions(+), 5 deletions(-)
> > > > >
> > > > > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> > > > > index 23d484e05e6f..7f76d6103f2e 100644
> > > > > --- a/security/integrity/evm/evm_main.c
> > > > > +++ b/security/integrity/evm/evm_main.c
> > > > > @@ -174,6 +174,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
> > > > > struct signature_v2_hdr *hdr;
> > > > > enum integrity_status evm_status = INTEGRITY_PASS;
> > > > > struct evm_digest digest;
> > > > > + struct evm_digest *digest_ptr = &digest;
> > > > > struct inode *inode;
> > > > > int rc, xattr_len, evm_immutable = 0;
> > > > >
> > > > > @@ -231,14 +232,26 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
> > > > > }
> > > > >
> > > > > hdr = (struct signature_v2_hdr *)xattr_data;
> > > > > - digest.hdr.algo = hdr->hash_algo;
> > > > > +
> > > > > + if (IS_ENABLED(CONFIG_VMAP_STACK)) {
> > > > > + digest_ptr = kmalloc(sizeof(*digest_ptr), GFP_NOFS);
> > > > > + if (!digest_ptr) {
> > > > > + rc = -ENOMEM;
> > > > > + break;
> > > > > + }
> > > > > + }
> > > > > +
> > > > > + digest_ptr->hdr.algo = hdr->hash_algo;
> > > > > +
> > > > > rc = evm_calc_hash(dentry, xattr_name, xattr_value,
> > > > > - xattr_value_len, xattr_data->type, &digest);
> > > > > + xattr_value_len, xattr_data->type,
> > > > > + digest_ptr);
> > > > > if (rc)
> > > > > break;
> > > > > rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
> > > > > (const char *)xattr_data, xattr_len,
> > > > > - digest.digest, digest.hdr.length);
> > > > > + digest_ptr->digest,
> > > > > + digest_ptr->hdr.length);
> > > > > if (!rc) {
> > > > > inode = d_backing_inode(dentry);
> > > > >
> > > > > @@ -268,8 +281,11 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
> > > > > else
> > > > > evm_status = INTEGRITY_FAIL;
> > > > > }
> > > > > - pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length,
> > > > > - digest.digest);
> > > > > + pr_debug("digest: (%d) [%*phN]\n", digest_ptr->hdr.length,
> > > > > + digest_ptr->hdr.length, digest_ptr->digest);
> > > > > +
> > > > > + if (digest_ptr && digest_ptr != &digest)
> > > > > + kfree(digest_ptr);
> > > >
> > > > What is the actual problem here? Where is a scatterlist being created from this
> > > > buffer? AFAICS it never happens.
> > >
> > > Hi Eric
> > >
> > > it is in public_key_verify_signature(), called by asymmetric_verify()
> > > and integrity_digsig_verify().
> > >
> >
> > Hmm, that's several steps down the stack then. And not something I had
> > expected.
> >
> > Perhaps this should be fixed in public_key_verify_signature() instead? It
> > already does a kmalloc(), so that allocation size just could be made a bit
> > larger to get space for a temporary copy of 's' and 'digest'.
>
> Mimi asked to fix it in both IMA and EVM.
At the time I thought the problem was limited to
integrity_digsig_verify() and just to the digest.
I'll leave it up to you and Eric to decide what is the preferable
solution.
>
> > Or at the very least, struct public_key_signature should have a *very* clear
> > comment saying that the 's' and 'digest' fields must be located in physically
> > contiguous memory...
>
> That I could add as an additional patch.
Thanks, the new patch containing the comment looks fine.
--
thanks,
Mimi
More information about the Linux-security-module-archive
mailing list