Commit 2faac9a9 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'keys-fixes-20230321' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs 

Pull keyrings fixes from David Howells:

 - Fix request_key() so that it doesn't cache a looked up key on the
   current thread if that thread is a kernel thread.

   The cache is cleared during notify_resume - but that doesn't happen
   in kernel threads. This is causing cifs DNS keys to be
   un-invalidateable.

 - Fix a wrapper check in verify_pefile() to not round up the length.

 - Change asymmetric_keys code to log errors to make it easier for users
   to work out why failures occurred.

* tag 'keys-fixes-20230321' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  asymmetric_keys: log on fatal failures in PE/pkcs7
  verify_pefile: relax wrapper length check
  keys: Do not cache key in task struct if key is requested from kernel thread
parents 17214b70 3584c1db

crypto/asymmetric_keys/pkcs7_verify.c

+5 −5
Original line number Diff line number Diff line
@@ -79,7 +79,7 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, 
		}



		if (sinfo->msgdigest_len != sig->digest_size) {

			pr_debug("Sig %u: Invalid digest size (%u)\n",

			pr_warn("Sig %u: Invalid digest size (%u)\n",

				sinfo->index, sinfo->msgdigest_len);

			ret = -EBADMSG;

			goto error;
@@ -87,7 +87,7 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, 


		if (memcmp(sig->digest, sinfo->msgdigest,

			   sinfo->msgdigest_len) != 0) {

			pr_debug("Sig %u: Message digest doesn't match\n",

			pr_warn("Sig %u: Message digest doesn't match\n",

				sinfo->index);

			ret = -EKEYREJECTED;

			goto error;
@@ -478,7 +478,7 @@ int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7, 
			       const void *data, size_t datalen)

{

	if (pkcs7->data) {

		pr_debug("Data already supplied\n");

		pr_warn("Data already supplied\n");

		return -EINVAL;

	}

	pkcs7->data = data;

crypto/asymmetric_keys/verify_pefile.c

+18 −14
Original line number Diff line number Diff line
@@ -74,7 +74,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, 
		break;



	default:

		pr_debug("Unknown PEOPT magic = %04hx\n", pe32->magic);

		pr_warn("Unknown PEOPT magic = %04hx\n", pe32->magic);

		return -ELIBBAD;

	}
@@ -95,7 +95,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, 
	ctx->certs_size = ddir->certs.size;



	if (!ddir->certs.virtual_address || !ddir->certs.size) {

		pr_debug("Unsigned PE binary\n");

		pr_warn("Unsigned PE binary\n");

		return -ENODATA;

	}
@@ -127,7 +127,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf, 
	unsigned len;



	if (ctx->sig_len < sizeof(wrapper)) {

		pr_debug("Signature wrapper too short\n");

		pr_warn("Signature wrapper too short\n");

		return -ELIBBAD;

	}
@@ -135,19 +135,23 @@ static int pefile_strip_sig_wrapper(const void *pebuf, 
	pr_debug("sig wrapper = { %x, %x, %x }\n",

		 wrapper.length, wrapper.revision, wrapper.cert_type);



	/* Both pesign and sbsign round up the length of certificate table

	 * (in optional header data directories) to 8 byte alignment.

	/* sbsign rounds up the length of certificate table (in optional

	 * header data directories) to 8 byte alignment.  However, the PE

	 * specification states that while entries are 8-byte aligned, this is

	 * not included in their length, and as a result, pesign has not

	 * rounded up since 0.110.

	 */

	if (round_up(wrapper.length, 8) != ctx->sig_len) {

		pr_debug("Signature wrapper len wrong\n");

	if (wrapper.length > ctx->sig_len) {

		pr_warn("Signature wrapper bigger than sig len (%x > %x)\n",

			ctx->sig_len, wrapper.length);

		return -ELIBBAD;

	}

	if (wrapper.revision != WIN_CERT_REVISION_2_0) {

		pr_debug("Signature is not revision 2.0\n");

		pr_warn("Signature is not revision 2.0\n");

		return -ENOTSUPP;

	}

	if (wrapper.cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {

		pr_debug("Signature certificate type is not PKCS\n");

		pr_warn("Signature certificate type is not PKCS\n");

		return -ENOTSUPP;

	}
@@ -160,7 +164,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf, 
	ctx->sig_offset += sizeof(wrapper);

	ctx->sig_len -= sizeof(wrapper);

	if (ctx->sig_len < 4) {

		pr_debug("Signature data missing\n");

		pr_warn("Signature data missing\n");

		return -EKEYREJECTED;

	}
@@ -194,7 +198,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf, 
		return 0;

	}

not_pkcs7:

	pr_debug("Signature data not PKCS#7\n");

	pr_warn("Signature data not PKCS#7\n");

	return -ELIBBAD;

}
@@ -337,7 +341,7 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, 
	digest_size = crypto_shash_digestsize(tfm);



	if (digest_size != ctx->digest_len) {

		pr_debug("Digest size mismatch (%zx != %x)\n",

		pr_warn("Digest size mismatch (%zx != %x)\n",

			digest_size, ctx->digest_len);

		ret = -EBADMSG;

		goto error_no_desc;
@@ -369,7 +373,7 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, 
	 * PKCS#7 certificate.

	 */

	if (memcmp(digest, ctx->digest, ctx->digest_len) != 0) {

		pr_debug("Digest mismatch\n");

		pr_warn("Digest mismatch\n");

		ret = -EKEYREJECTED;

	} else {

		pr_debug("The digests match!\n");

security/keys/request_key.c

+6 −3
Original line number Diff line number Diff line
@@ -38,9 +38,12 @@ static void cache_requested_key(struct key *key) 
#ifdef CONFIG_KEYS_REQUEST_CACHE

	struct task_struct *t = current;



	/* Do not cache key if it is a kernel thread */

	if (!(t->flags & PF_KTHREAD)) {

		key_put(t->cached_requested_key);

		t->cached_requested_key = key_get(key);

		set_tsk_thread_flag(t, TIF_NOTIFY_RESUME);

	}

#endif

}