[PATCH] ima: Make a copy of sig and digest in asymmetric_verify()
Roberto Sassu
roberto.sassu at huaweicloud.com
Fri Nov 4 12:20:23 UTC 2022
From: Roberto Sassu <roberto.sassu at huawei.com>
Commit ac4e97abce9b8 ("scatterlist: sg_set_buf() argument must be in linear
mapping") requires that both the signature and the digest resides in the
linear mapping area.
However, more recently commit ba14a194a434c ("fork: Add generic vmalloced
stack support"), made it possible to move the stack in the vmalloc area,
which could make the requirement of the first commit not satisfied anymore.
If CONFIG_SG=y and CONFIG_VMAP_STACK=y, the following BUG() is triggered:
[ 467.077359] kernel BUG at include/linux/scatterlist.h:163!
[ 467.077939] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[...]
[ 467.095225] Call Trace:
[ 467.096088] <TASK>
[ 467.096928] ? rcu_read_lock_held_common+0xe/0x50
[ 467.097569] ? rcu_read_lock_sched_held+0x13/0x70
[ 467.098123] ? trace_hardirqs_on+0x2c/0xd0
[ 467.098647] ? public_key_verify_signature+0x470/0x470
[ 467.099237] asymmetric_verify+0x14c/0x300
[ 467.099869] evm_verify_hmac+0x245/0x360
[ 467.100391] evm_inode_setattr+0x43/0x190
The failure happens only for the digest, as the pointer comes from the
stack, and not for the signature, which instead was allocated by
vfs_getxattr_alloc().
Fix this by making a copy of both in asymmetric_verify(), so that the
linear mapping requirement is always satisfied, regardless of the caller.
Cc: stable at vger.kernel.org # 4.9.x
Fixes: ba14a194a434 ("fork: Add generic vmalloced stack support")
Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
---
security/integrity/digsig_asymmetric.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index 895f4b9ce8c6..635238d5c7fe 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -122,11 +122,26 @@ int asymmetric_verify(struct key *keyring, const char *sig,
goto out;
}
- pks.digest = (u8 *)data;
+ pks.digest = kmemdup(data, datalen, GFP_KERNEL);
+ if (!pks.digest) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
pks.digest_size = datalen;
- pks.s = hdr->sig;
+
+ pks.s = kmemdup(hdr->sig, siglen, GFP_KERNEL);
+ if (!pks.s) {
+ kfree(pks.digest);
+ ret = -ENOMEM;
+ goto out;
+ }
+
pks.s_size = siglen;
+
ret = verify_signature(key, &pks);
+ kfree(pks.digest);
+ kfree(pks.s);
out:
key_put(key);
pr_debug("%s() = %d\n", __func__, ret);
--
2.25.1
More information about the Linux-security-module-archive
mailing list