All of lore.kernel.org
 help / color / mirror / Atom feed
From: David Howells <dhowells@redhat.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: "Mickaël Salaün" <mic@linux.microsoft.com>,
	"David Woodhouse" <dwmw2@infradead.org>,
	dhowells@redhat.com, keyrings@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH 15/18] certs: Fix blacklisted hexadecimal hash string check
Date: Wed, 09 Dec 2020 12:16:21 +0000	[thread overview]
Message-ID: <160751618139.1238376.15173994145507633358.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <160751606428.1238376.14935502103503420781.stgit@warthog.procyon.org.uk>

From: Mickaël Salaün <mic@linux.microsoft.com>

When looking for a blacklisted hash, bin2hex() is used to transform a
binary hash to an ascii (lowercase) hexadecimal string.  This string is
then search for in the description of the keys from the blacklist
keyring.  When adding a key to the blacklist keyring,
blacklist_vet_description() checks the hash prefix and the hexadecimal
string, but not that this string is lowercase.  It is then valid to set
hashes with uppercase hexadecimal, which will be silently ignored by the
kernel.

Add an additional check to blacklist_vet_description() to check that
hexadecimal strings are in lowercase.

Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
---

 certs/blacklist.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index 2719fb2fbc1c..a888b934a1cd 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -37,7 +37,7 @@ static int blacklist_vet_description(const char *desc)
 found_colon:
 	desc++;
 	for (; *desc; desc++) {
-		if (!isxdigit(*desc))
+		if (!isxdigit(*desc) || isupper(*desc))
 			return -EINVAL;
 		n++;
 	}



  parent reply	other threads:[~2020-12-09 12:19 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-12-09 12:14 [PATCH 00/18] keys: Miscellaneous fixes David Howells
2020-12-09 12:14 ` [PATCH 01/18] security: keys: Fix fall-through warnings for Clang David Howells
2020-12-09 12:14 ` [PATCH 02/18] keys: Remove outdated __user annotations David Howells
2020-12-09 12:14 ` [PATCH 03/18] watch_queue: Drop references to /dev/watch_queue David Howells
2020-12-09 12:14 ` [PATCH 04/18] security/keys: use kvfree_sensitive() David Howells
2020-12-09 12:15 ` [PATCH 05/18] KEYS: asymmetric: Fix kerneldoc David Howells
2020-12-09 12:15 ` [PATCH 06/18] security: keys: delete repeated words in comments David Howells
2020-12-09 12:15 ` [PATCH 07/18] KEYS: remove redundant memset David Howells
2020-12-09 19:07   ` Ben Boeckel
2020-12-10  9:21   ` David Howells
2020-12-09 12:15 ` [PATCH 08/18] crypto: asymmetric_keys: fix some comments in pkcs7_parser.h David Howells
2020-12-09 12:15 ` [PATCH 09/18] encrypted-keys: Replace HTTP links with HTTPS ones David Howells
2020-12-09 12:15 ` [PATCH 10/18] PKCS#7: drop function from kernel-doc pkcs7_validate_trust_one David Howells
2020-12-09 12:15 ` [PATCH 11/18] crypto: pkcs7: Use match_string() helper to simplify the code David Howells
2020-12-09 12:15 ` [PATCH 12/18] keys: remove trailing semicolon in macro definition David Howells
2020-12-09 12:16 ` [PATCH 13/18] crypto: public_key: Remove redundant header file from public_key.h David Howells
2020-12-09 12:16 ` [PATCH 14/18] certs/blacklist: fix kernel doc interface issue David Howells
2020-12-09 12:16 ` David Howells [this message]
2020-12-09 12:16 ` [PATCH 16/18] PKCS#7: Fix missing include David Howells
2020-12-09 12:16 ` [PATCH 17/18] certs: Fix blacklist flag type confusion David Howells
2020-12-09 12:16 ` [PATCH 18/18] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID David Howells
2020-12-09 19:12 ` [PATCH 00/18] keys: Miscellaneous fixes Ben Boeckel
2020-12-10  9:30 ` David Howells
2020-12-11  8:17 ` Jarkko Sakkinen
2020-12-11 10:51 ` Jarkko Sakkinen
2020-12-11 10:56   ` Jarkko Sakkinen
2021-02-18 16:24 ` [PATCH 17/18] certs: Fix blacklist flag type confusion David Howells
2021-02-18 19:30   ` Mickaël Salaün
2021-02-18 22:55   ` David Howells
2021-02-19  9:43     ` Mickaël Salaün
2021-02-19  9:31   ` Jarkko Sakkinen
2021-02-19  9:45   ` David Howells
2021-02-19  9:50     ` Mickaël Salaün

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=160751618139.1238376.15173994145507633358.stgit@warthog.procyon.org.uk \
    --to=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=jarkko.sakkinen@linux.intel.com \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mic@linux.microsoft.com \
    --subject='Re: [PATCH 15/18] certs: Fix blacklisted hexadecimal hash string check' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.