Releases: robertosassu/linux
public-key-sig-digest-copy-v2-test
KEYS: asymmetric: Copy sig and digest in public_key_verify_signature()
Commit ac4e97abce9b8 ("scatterlist: sg_set_buf() argument must be in linear
mapping") checks that both the signature and the digest reside in the
linear mapping area.
However, more recently commit ba14a194a434c ("fork: Add generic vmalloced
stack support") made it possible to move the stack in the vmalloc area,
which is not contiguous, and thus not suitable for sg_set_buf() which needs
adjacent pages.
Always make a copy of the signature and digest in the same buffer used to
store the key and its parameters, and pass them to sg_set_buf(). Prefer it
to conditionally doing the copy if necessary, to keep the code simple. The
buffer allocated with kmalloc() is in the linear mapping area.
Cc: stable@vger.kernel.org # 4.9.x
Fixes: ba14a194a434 ("fork: Add generic vmalloced stack support")
Link: https://lore.kernel.org/linux-integrity/Y4pIpxbjBdajymBJ@sol.localdomain/
Suggested-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
ima-digsig-asym-v3-test
KEYS: asymmetric: Make a copy of sig and digest in vmalloced stack
Commit ac4e97abce9b8 ("scatterlist: sg_set_buf() argument must be in linear
mapping") checks that both the signature and the digest reside in the
linear mapping area.
However, more recently commit ba14a194a434c ("fork: Add generic vmalloced
stack support") made it possible to move the stack in the vmalloc area,
which is not contiguous, and thus not suitable for sg_set_buf() which needs
adjacent pages.
Check if the signature and digest passed to public_key_verify_signature()
are in the linear mapping area and, for those which are not, make a copy in
the linear mapping area with kmalloc() and adjust the pointer passed to
sg_set_buf(). Reuse the existing kmalloc() and increase the allocation size
as needed.
Minimize the number of copies with the compile-time check of
CONFIG_VMAP_STACK and with the run-time check virt_addr_valid().
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
ima-digsig-asym-v3-devel-v2-test
KEYS: asymmetric: Make a copy of sig and digest in vmalloced stack
Commit ac4e97abce9b8 ("scatterlist: sg_set_buf() argument must be in linear
mapping") checks that both the signature and the digest reside in the
linear mapping area.
However, more recently commit ba14a194a434c ("fork: Add generic vmalloced
stack support") made it possible to move the stack in the vmalloc area,
which is not contiguous, and thus not suitable for sg_set_buf() which needs
adjacent pages.
Check if the signature and digest passed to public_key_verify_signature()
are in the linear mapping area and, for those which are not, make a copy in
the linear mapping area with kmalloc() and adjust the pointer passed to
sg_set_buf(). Reuse the existing kmalloc() and increase the allocation size
as needed.
Minimize the number of copies with the compile-time check of
CONFIG_VMAP_STACK and with the run-time check virt_addr_valid().
Cc: stable@vger.kernel.org # 4.9.x
Fixes: ba14a194a434 ("fork: Add generic vmalloced stack support")
Link: https://lore.kernel.org/linux-integrity/Y4pIpxbjBdajymBJ@sol.localdomain/
Suggested-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
ima-digsig-asym-v2-devel-v2-test
ima: Alloc ima_max_digest_data in xattr_verify() if CONFIG_VMAP_STACK=y
Similarly to evm_verify_hmac(), which allocates an evm_digest structure to
satisfy the linear mapping requirement if CONFIG_VMAP_STACK is enabled, do
the same in xattr_verify(). Allocate an ima_max_digest_data structure and
use that instead of the in-stack counterpart.
Cc: stable@vger.kernel.org # 4.9.x
Fixes: ba14a194a434 ("fork: Add generic vmalloced stack support")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
ima-digsig-asym-v2-test
ima: Make a copy of digest in xattr_verify() for IMA verity signatures
Similarly to evm_verify_hmac(), which allocates an evm_digest structure to
satisfy the linear mapping requirement if CONFIG_VMAP_STACK is enabled, do
the same in xattr_verify(). Allocate an ima_max_digest_data structure and
use that instead of the in-stack counterpart.
Cc: stable@vger.kernel.org # 4.9.x
Fixes: ba14a194a434 ("fork: Add generic vmalloced stack support")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
ima-evm-lsms-v1-devel-v9-test
integrity: Switch from rbtree to LSM-managed blob for integrity_iint_…
evm-multiple-lsms-v5-devel-v3-test
security: Add TestLSM
This patch adds a simple LSM to test HMAC calculation at file creation.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
evm-multiple-lsms-v5-devel-v2-test
security: Add TestLSM
This patch adds a simple LSM to test HMAC calculation at file creation.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
ima-evm-lsms-v1-devel-v8-test
integrity: Switch from rbtree to LSM-managed blob for integrity_iint_…
evm-multiple-lsms-v4-devel-v10-test
security: Add TestLSM
This patch adds a simple LSM to test HMAC calculation at file creation.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>