From: David Howells <dhowells@redhat.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: "Mickaël Salaün" <mic@linux.microsoft.com>,
"David Woodhouse" <dwmw2@infradead.org>,
dhowells@redhat.com, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 15/18] certs: Fix blacklisted hexadecimal hash string check
Date: Wed, 09 Dec 2020 12:16:21 +0000 [thread overview]
Message-ID: <160751618139.1238376.15173994145507633358.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <160751606428.1238376.14935502103503420781.stgit@warthog.procyon.org.uk>
From: Mickaël Salaün <mic@linux.microsoft.com>
When looking for a blacklisted hash, bin2hex() is used to transform a
binary hash to an ascii (lowercase) hexadecimal string. This string is
then search for in the description of the keys from the blacklist
keyring. When adding a key to the blacklist keyring,
blacklist_vet_description() checks the hash prefix and the hexadecimal
string, but not that this string is lowercase. It is then valid to set
hashes with uppercase hexadecimal, which will be silently ignored by the
kernel.
Add an additional check to blacklist_vet_description() to check that
hexadecimal strings are in lowercase.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
---
certs/blacklist.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/certs/blacklist.c b/certs/blacklist.c
index 2719fb2fbc1c..a888b934a1cd 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -37,7 +37,7 @@ static int blacklist_vet_description(const char *desc)
found_colon:
desc++;
for (; *desc; desc++) {
- if (!isxdigit(*desc))
+ if (!isxdigit(*desc) || isupper(*desc))
return -EINVAL;
n++;
}
next prev parent reply other threads:[~2020-12-09 12:19 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-09 12:14 [PATCH 00/18] keys: Miscellaneous fixes David Howells
2020-12-09 12:14 ` [PATCH 01/18] security: keys: Fix fall-through warnings for Clang David Howells
2020-12-09 12:14 ` [PATCH 02/18] keys: Remove outdated __user annotations David Howells
2020-12-09 12:14 ` [PATCH 03/18] watch_queue: Drop references to /dev/watch_queue David Howells
2020-12-09 12:14 ` [PATCH 04/18] security/keys: use kvfree_sensitive() David Howells
2020-12-09 12:15 ` [PATCH 05/18] KEYS: asymmetric: Fix kerneldoc David Howells
2020-12-09 12:15 ` [PATCH 06/18] security: keys: delete repeated words in comments David Howells
2020-12-09 12:15 ` [PATCH 07/18] KEYS: remove redundant memset David Howells
2020-12-09 19:07 ` Ben Boeckel
2020-12-10 9:21 ` David Howells
2020-12-09 12:15 ` [PATCH 08/18] crypto: asymmetric_keys: fix some comments in pkcs7_parser.h David Howells
2020-12-09 12:15 ` [PATCH 09/18] encrypted-keys: Replace HTTP links with HTTPS ones David Howells
2020-12-09 12:15 ` [PATCH 10/18] PKCS#7: drop function from kernel-doc pkcs7_validate_trust_one David Howells
2020-12-09 12:15 ` [PATCH 11/18] crypto: pkcs7: Use match_string() helper to simplify the code David Howells
2020-12-09 12:15 ` [PATCH 12/18] keys: remove trailing semicolon in macro definition David Howells
2020-12-09 12:16 ` [PATCH 13/18] crypto: public_key: Remove redundant header file from public_key.h David Howells
2020-12-09 12:16 ` [PATCH 14/18] certs/blacklist: fix kernel doc interface issue David Howells
2020-12-09 12:16 ` David Howells [this message]
2020-12-09 12:16 ` [PATCH 16/18] PKCS#7: Fix missing include David Howells
2020-12-09 12:16 ` [PATCH 17/18] certs: Fix blacklist flag type confusion David Howells
2020-12-09 12:16 ` [PATCH 18/18] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID David Howells
2020-12-09 19:12 ` [PATCH 00/18] keys: Miscellaneous fixes Ben Boeckel
2020-12-10 9:30 ` David Howells
2020-12-11 8:17 ` Jarkko Sakkinen
2020-12-11 10:51 ` Jarkko Sakkinen
2020-12-11 10:56 ` Jarkko Sakkinen
2021-02-18 16:24 ` [PATCH 17/18] certs: Fix blacklist flag type confusion David Howells
2021-02-18 19:30 ` Mickaël Salaün
2021-02-18 22:55 ` David Howells
2021-02-19 9:43 ` Mickaël Salaün
2021-02-19 9:31 ` Jarkko Sakkinen
2021-02-19 9:45 ` David Howells
2021-02-19 9:50 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=160751618139.1238376.15173994145507633358.stgit@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mic@linux.microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.