From: James Bottomley <James.Bottomley@HansenPartnership.com> To: David Howells <dhowells@redhat.com> Cc: David Woodhouse <dwmw2@infradead.org>, linux-integrity@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>, Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>, keyrings@vger.kernel.org Subject: Re: [PATCH v2 2/8] lib: add asn.1 encoder Date: Tue, 10 Dec 2019 18:53:40 +0000 [thread overview] Message-ID: <1576004020.3647.13.camel@HansenPartnership.com> (raw) In-Reply-To: <10037.1575986929@warthog.procyon.org.uk> On Tue, 2019-12-10 at 14:08 +0000, David Howells wrote: > James Bottomley <James.Bottomley@HansenPartnership.com> wrote: > > > > Didn't you say you were going to make it return an error when it > > > ran out of space or was asked to encode a negative number? > > > > it follows the pattern of all the other functions in that it dumps > > a kernel warning on problems and bails. > > I don't see any bounds checking there, let alone anything that dumps > a kernel warning and bails It's in the if (WARN part of asn1_encode_integer. > - except if the length is so large that the ASN.1 cannot be > constructed. That said, there is a check in patch 4. However, I think you'd like both a length and a buffer length to each function to cope with definite length encoding overflows? I can do that. > > ... as long as the buffer doesn't overflow. > > Yes, but that's Dave's point. > > [from patch 4] > > > + * Assume both ovtet strings will encode to a 2 byte > > definite length > > octet, btw. Heh, yes, noticed that mere seconds after I pressed send ... > At least I've found a preliminary bounds check there > > > + */ > > + if (WARN(work - scratch + pub_len + priv_len + 8 > > > SCRATCH_SIZE, > > + "BUG: scratch buffer is too small")) > > + return -EINVAL; > > which I presume makes the correct calculation. > > I thought TPM comms were slow - slow enough that putting bounds > checking in your asn1_encode_* routines will be insignificant. Yes, I'm not bothered about timings. I can add bounds checking on the buffer length like the integer case. For the other routines, I'll make it decrement the data length in place as it increments the data pointer > Further, you're promoting this ASN.1 encoder as a general library > within the kernel, presumably so that other people can make use of > it. Well, I did notice the TPM 1.2 asymmetric key code rolled its own ASN.1 encoding, yes. > Please therefore put bounds checking and error handling in it. And > please *don't* just produce broken ASN.1 when something goes wrong. OK, I'll make it return an error and add a wrapper for my use case that warns on error and causes the function to bail. James
WARNING: multiple messages have this Message-ID (diff)
From: James Bottomley <James.Bottomley@HansenPartnership.com> To: David Howells <dhowells@redhat.com> Cc: David Woodhouse <dwmw2@infradead.org>, linux-integrity@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>, Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>, keyrings@vger.kernel.org Subject: Re: [PATCH v2 2/8] lib: add asn.1 encoder Date: Tue, 10 Dec 2019 10:53:40 -0800 [thread overview] Message-ID: <1576004020.3647.13.camel@HansenPartnership.com> (raw) In-Reply-To: <10037.1575986929@warthog.procyon.org.uk> On Tue, 2019-12-10 at 14:08 +0000, David Howells wrote: > James Bottomley <James.Bottomley@HansenPartnership.com> wrote: > > > > Didn't you say you were going to make it return an error when it > > > ran out of space or was asked to encode a negative number? > > > > it follows the pattern of all the other functions in that it dumps > > a kernel warning on problems and bails. > > I don't see any bounds checking there, let alone anything that dumps > a kernel warning and bails It's in the if (WARN part of asn1_encode_integer. > - except if the length is so large that the ASN.1 cannot be > constructed. That said, there is a check in patch 4. However, I think you'd like both a length and a buffer length to each function to cope with definite length encoding overflows? I can do that. > > ... as long as the buffer doesn't overflow. > > Yes, but that's Dave's point. > > [from patch 4] > > > + * Assume both ovtet strings will encode to a 2 byte > > definite length > > octet, btw. Heh, yes, noticed that mere seconds after I pressed send ... > At least I've found a preliminary bounds check there > > > + */ > > + if (WARN(work - scratch + pub_len + priv_len + 8 > > > SCRATCH_SIZE, > > + "BUG: scratch buffer is too small")) > > + return -EINVAL; > > which I presume makes the correct calculation. > > I thought TPM comms were slow - slow enough that putting bounds > checking in your asn1_encode_* routines will be insignificant. Yes, I'm not bothered about timings. I can add bounds checking on the buffer length like the integer case. For the other routines, I'll make it decrement the data length in place as it increments the data pointer > Further, you're promoting this ASN.1 encoder as a general library > within the kernel, presumably so that other people can make use of > it. Well, I did notice the TPM 1.2 asymmetric key code rolled its own ASN.1 encoding, yes. > Please therefore put bounds checking and error handling in it. And > please *don't* just produce broken ASN.1 when something goes wrong. OK, I'll make it return an error and add a wrapper for my use case that warns on error and causes the function to bail. James
next prev parent reply other threads:[~2019-12-10 18:53 UTC|newest] Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-12-10 0:04 [PATCH v2 0/8] Fix TPM 2.0 trusted keys James Bottomley 2019-12-10 0:04 ` James Bottomley 2019-12-10 0:05 ` [PATCH v2 1/8] security: keys: trusted: flush the key handle after use James Bottomley 2019-12-10 0:05 ` James Bottomley 2019-12-10 0:06 ` [PATCH v2 2/8] lib: add asn.1 encoder James Bottomley 2019-12-10 0:06 ` James Bottomley 2019-12-10 8:18 ` David Woodhouse 2019-12-10 13:20 ` James Bottomley 2019-12-10 13:20 ` James Bottomley 2019-12-10 14:08 ` David Howells 2019-12-10 18:53 ` James Bottomley [this message] 2019-12-10 18:53 ` James Bottomley 2019-12-10 22:37 ` David Woodhouse 2019-12-11 13:02 ` James Bottomley 2019-12-11 13:02 ` James Bottomley 2019-12-18 10:50 ` David Howells 2019-12-18 23:10 ` James Bottomley 2019-12-18 23:10 ` James Bottomley 2019-12-20 16:06 ` James Bottomley 2019-12-20 16:06 ` James Bottomley 2019-12-10 0:06 ` [PATCH v2 3/8] oid_registry: Add TCG defined OIDS for TPM keys James Bottomley 2019-12-10 0:06 ` James Bottomley 2019-12-10 8:18 ` David Woodhouse 2019-12-10 13:22 ` James Bottomley 2019-12-10 13:22 ` James Bottomley 2019-12-10 0:07 ` [PATCH v2 4/8] security: keys: trusted: use ASN.1 tpm2 key format for the blobs James Bottomley 2019-12-10 0:07 ` James Bottomley 2019-12-10 0:08 ` [PATCH v2 5/8] security: keys: trusted: Make sealed key properly interoperable James Bottomley 2019-12-10 0:08 ` James Bottomley 2019-12-10 0:08 ` [PATCH v2 6/8] security: keys: trusted: add PCR policy to TPM2 keys James Bottomley 2019-12-10 0:08 ` James Bottomley 2019-12-10 0:09 ` [PATCH v2 7/8] security: keys: trusted: add ability to specify arbitrary policy James Bottomley 2019-12-10 0:09 ` James Bottomley 2019-12-10 0:10 ` [PATCH v2 8/8] security: keys: trusted: implement counter/timer policy James Bottomley 2019-12-10 0:10 ` James Bottomley 2019-12-11 17:59 ` [PATCH v2 0/8] Fix TPM 2.0 trusted keys Jarkko Sakkinen 2019-12-11 17:59 ` Jarkko Sakkinen 2019-12-14 20:37 ` James Bottomley 2019-12-14 20:37 ` James Bottomley
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1576004020.3647.13.camel@HansenPartnership.com \ --to=james.bottomley@hansenpartnership.com \ --cc=dhowells@redhat.com \ --cc=dwmw2@infradead.org \ --cc=jarkko.sakkinen@linux.intel.com \ --cc=keyrings@vger.kernel.org \ --cc=linux-integrity@vger.kernel.org \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.