From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>,
linux-integrity@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
keyrings@vger.kernel.org
Subject: Re: [PATCH v2 2/8] lib: add asn.1 encoder
Date: Tue, 10 Dec 2019 18:53:40 +0000 [thread overview]
Message-ID: <1576004020.3647.13.camel@HansenPartnership.com> (raw)
In-Reply-To: <10037.1575986929@warthog.procyon.org.uk>
On Tue, 2019-12-10 at 14:08 +0000, David Howells wrote:
> James Bottomley <James.Bottomley@HansenPartnership.com> wrote:
>
> > > Didn't you say you were going to make it return an error when it
> > > ran out of space or was asked to encode a negative number?
> >
> > it follows the pattern of all the other functions in that it dumps
> > a kernel warning on problems and bails.
>
> I don't see any bounds checking there, let alone anything that dumps
> a kernel warning and bails
It's in the if (WARN part of asn1_encode_integer.
> - except if the length is so large that the ASN.1 cannot be
> constructed. That said, there is a check in patch 4.
However, I think you'd like both a length and a buffer length to each
function to cope with definite length encoding overflows? I can do
that.
> > ... as long as the buffer doesn't overflow.
>
> Yes, but that's Dave's point.
>
> [from patch 4]
>
> > + * Assume both ovtet strings will encode to a 2 byte
> > definite length
>
> octet, btw.
Heh, yes, noticed that mere seconds after I pressed send ...
> At least I've found a preliminary bounds check there
>
> > + */
> > + if (WARN(work - scratch + pub_len + priv_len + 8 >
> > SCRATCH_SIZE,
> > + "BUG: scratch buffer is too small"))
> > + return -EINVAL;
>
> which I presume makes the correct calculation.
>
> I thought TPM comms were slow - slow enough that putting bounds
> checking in your asn1_encode_* routines will be insignificant.
Yes, I'm not bothered about timings. I can add bounds checking on the
buffer length like the integer case. For the other routines, I'll make
it decrement the data length in place as it increments the data pointer
> Further, you're promoting this ASN.1 encoder as a general library
> within the kernel, presumably so that other people can make use of
> it.
Well, I did notice the TPM 1.2 asymmetric key code rolled its own ASN.1
encoding, yes.
> Please therefore put bounds checking and error handling in it. And
> please *don't* just produce broken ASN.1 when something goes wrong.
OK, I'll make it return an error and add a wrapper for my use case that
warns on error and causes the function to bail.
James
WARNING: multiple messages have this Message-ID (diff)
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>,
linux-integrity@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
keyrings@vger.kernel.org
Subject: Re: [PATCH v2 2/8] lib: add asn.1 encoder
Date: Tue, 10 Dec 2019 10:53:40 -0800 [thread overview]
Message-ID: <1576004020.3647.13.camel@HansenPartnership.com> (raw)
In-Reply-To: <10037.1575986929@warthog.procyon.org.uk>
On Tue, 2019-12-10 at 14:08 +0000, David Howells wrote:
> James Bottomley <James.Bottomley@HansenPartnership.com> wrote:
>
> > > Didn't you say you were going to make it return an error when it
> > > ran out of space or was asked to encode a negative number?
> >
> > it follows the pattern of all the other functions in that it dumps
> > a kernel warning on problems and bails.
>
> I don't see any bounds checking there, let alone anything that dumps
> a kernel warning and bails
It's in the if (WARN part of asn1_encode_integer.
> - except if the length is so large that the ASN.1 cannot be
> constructed. That said, there is a check in patch 4.
However, I think you'd like both a length and a buffer length to each
function to cope with definite length encoding overflows? I can do
that.
> > ... as long as the buffer doesn't overflow.
>
> Yes, but that's Dave's point.
>
> [from patch 4]
>
> > + * Assume both ovtet strings will encode to a 2 byte
> > definite length
>
> octet, btw.
Heh, yes, noticed that mere seconds after I pressed send ...
> At least I've found a preliminary bounds check there
>
> > + */
> > + if (WARN(work - scratch + pub_len + priv_len + 8 >
> > SCRATCH_SIZE,
> > + "BUG: scratch buffer is too small"))
> > + return -EINVAL;
>
> which I presume makes the correct calculation.
>
> I thought TPM comms were slow - slow enough that putting bounds
> checking in your asn1_encode_* routines will be insignificant.
Yes, I'm not bothered about timings. I can add bounds checking on the
buffer length like the integer case. For the other routines, I'll make
it decrement the data length in place as it increments the data pointer
> Further, you're promoting this ASN.1 encoder as a general library
> within the kernel, presumably so that other people can make use of
> it.
Well, I did notice the TPM 1.2 asymmetric key code rolled its own ASN.1
encoding, yes.
> Please therefore put bounds checking and error handling in it. And
> please *don't* just produce broken ASN.1 when something goes wrong.
OK, I'll make it return an error and add a wrapper for my use case that
warns on error and causes the function to bail.
James
next prev parent reply other threads:[~2019-12-10 18:53 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-10 0:04 [PATCH v2 0/8] Fix TPM 2.0 trusted keys James Bottomley
2019-12-10 0:04 ` James Bottomley
2019-12-10 0:05 ` [PATCH v2 1/8] security: keys: trusted: flush the key handle after use James Bottomley
2019-12-10 0:05 ` James Bottomley
2019-12-10 0:06 ` [PATCH v2 2/8] lib: add asn.1 encoder James Bottomley
2019-12-10 0:06 ` James Bottomley
2019-12-10 8:18 ` David Woodhouse
2019-12-10 13:20 ` James Bottomley
2019-12-10 13:20 ` James Bottomley
2019-12-10 14:08 ` David Howells
2019-12-10 18:53 ` James Bottomley [this message]
2019-12-10 18:53 ` James Bottomley
2019-12-10 22:37 ` David Woodhouse
2019-12-11 13:02 ` James Bottomley
2019-12-11 13:02 ` James Bottomley
2019-12-18 10:50 ` David Howells
2019-12-18 23:10 ` James Bottomley
2019-12-18 23:10 ` James Bottomley
2019-12-20 16:06 ` James Bottomley
2019-12-20 16:06 ` James Bottomley
2019-12-10 0:06 ` [PATCH v2 3/8] oid_registry: Add TCG defined OIDS for TPM keys James Bottomley
2019-12-10 0:06 ` James Bottomley
2019-12-10 8:18 ` David Woodhouse
2019-12-10 13:22 ` James Bottomley
2019-12-10 13:22 ` James Bottomley
2019-12-10 0:07 ` [PATCH v2 4/8] security: keys: trusted: use ASN.1 tpm2 key format for the blobs James Bottomley
2019-12-10 0:07 ` James Bottomley
2019-12-10 0:08 ` [PATCH v2 5/8] security: keys: trusted: Make sealed key properly interoperable James Bottomley
2019-12-10 0:08 ` James Bottomley
2019-12-10 0:08 ` [PATCH v2 6/8] security: keys: trusted: add PCR policy to TPM2 keys James Bottomley
2019-12-10 0:08 ` James Bottomley
2019-12-10 0:09 ` [PATCH v2 7/8] security: keys: trusted: add ability to specify arbitrary policy James Bottomley
2019-12-10 0:09 ` James Bottomley
2019-12-10 0:10 ` [PATCH v2 8/8] security: keys: trusted: implement counter/timer policy James Bottomley
2019-12-10 0:10 ` James Bottomley
2019-12-11 17:59 ` [PATCH v2 0/8] Fix TPM 2.0 trusted keys Jarkko Sakkinen
2019-12-11 17:59 ` Jarkko Sakkinen
2019-12-14 20:37 ` James Bottomley
2019-12-14 20:37 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1576004020.3647.13.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.