From: Mimi Zohar <zohar@linux.ibm.com>
To: Eric Biggers <ebiggers@kernel.org>,
Roberto Sassu <roberto.sassu@huaweicloud.com>
Cc: dmitry.kasatkin@gmail.com, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
Roberto Sassu <roberto.sassu@huawei.com>,
stable@vger.kernel.org
Subject: Re: [PATCH v2 1/2] evm: Alloc evm_digest in evm_verify_hmac() if CONFIG_VMAP_STACK=y
Date: Thu, 01 Dec 2022 14:08:58 -0500 [thread overview]
Message-ID: <66d9f3dbfddc5d73e73fa0c6152d70ff1739427a.camel@linux.ibm.com> (raw)
In-Reply-To: <Y4j4MJzizgEHf4nv@sol.localdomain>
On Thu, 2022-12-01 at 10:53 -0800, Eric Biggers wrote:
> On Thu, Dec 01, 2022 at 11:06:24AM +0100, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> >
> > Commit ac4e97abce9b8 ("scatterlist: sg_set_buf() argument must be in linear
> > mapping") checks that both the signature and the digest reside in the
> > linear mapping area.
> >
> > However, more recently commit ba14a194a434c ("fork: Add generic vmalloced
> > stack support"), made it possible to move the stack in the vmalloc area,
> > which is not contiguous, and thus not suitable for sg_set_buf() which needs
> > adjacent pages.
> >
> > Fix this by checking if CONFIG_VMAP_STACK is enabled. If yes, allocate an
> > evm_digest structure, and use that instead of the in-stack cbounterpart.
> >
> > Cc: stable@vger.kernel.org # 4.9.x
> > Fixes: ba14a194a434 ("fork: Add generic vmalloced stack support")
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > ---
> > security/integrity/evm/evm_main.c | 26 +++++++++++++++++++++-----
> > 1 file changed, 21 insertions(+), 5 deletions(-)
> >
> > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> > index 23d484e05e6f..7f76d6103f2e 100644
> > --- a/security/integrity/evm/evm_main.c
> > +++ b/security/integrity/evm/evm_main.c
> > @@ -174,6 +174,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
> > struct signature_v2_hdr *hdr;
> > enum integrity_status evm_status = INTEGRITY_PASS;
> > struct evm_digest digest;
> > + struct evm_digest *digest_ptr = &digest;
> > struct inode *inode;
> > int rc, xattr_len, evm_immutable = 0;
> >
> > @@ -231,14 +232,26 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
> > }
> >
> > hdr = (struct signature_v2_hdr *)xattr_data;
> > - digest.hdr.algo = hdr->hash_algo;
> > +
> > + if (IS_ENABLED(CONFIG_VMAP_STACK)) {
> > + digest_ptr = kmalloc(sizeof(*digest_ptr), GFP_NOFS);
> > + if (!digest_ptr) {
> > + rc = -ENOMEM;
> > + break;
> > + }
> > + }
> > +
> > + digest_ptr->hdr.algo = hdr->hash_algo;
> > +
> > rc = evm_calc_hash(dentry, xattr_name, xattr_value,
> > - xattr_value_len, xattr_data->type, &digest);
> > + xattr_value_len, xattr_data->type,
> > + digest_ptr);
> > if (rc)
> > break;
> > rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
> > (const char *)xattr_data, xattr_len,
> > - digest.digest, digest.hdr.length);
> > + digest_ptr->digest,
> > + digest_ptr->hdr.length);
> > if (!rc) {
> > inode = d_backing_inode(dentry);
> >
> > @@ -268,8 +281,11 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
> > else
> > evm_status = INTEGRITY_FAIL;
> > }
> > - pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length,
> > - digest.digest);
> > + pr_debug("digest: (%d) [%*phN]\n", digest_ptr->hdr.length,
> > + digest_ptr->hdr.length, digest_ptr->digest);
> > +
> > + if (digest_ptr && digest_ptr != &digest)
> > + kfree(digest_ptr);
>
> What is the actual problem here? Where is a scatterlist being created from this
> buffer? AFAICS it never happens.
Enabling CONFIG_VMAP_STACK is the culprit, which triggers the BUG_ON
only when CONFIG_DEBUG_SG is enabled as well.
Refer to commit ba14a194a434 ("fork: Add generic vmalloced stack
support").
--
thanks,
Mimi
next prev parent reply other threads:[~2022-12-01 19:09 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-01 10:06 [PATCH v2 0/2] ima/evm: Ensure digest to verify is in linear mapping area Roberto Sassu
2022-12-01 10:06 ` [PATCH v2 1/2] evm: Alloc evm_digest in evm_verify_hmac() if CONFIG_VMAP_STACK=y Roberto Sassu
2022-12-01 18:53 ` Eric Biggers
2022-12-01 19:08 ` Mimi Zohar [this message]
2022-12-01 19:12 ` Eric Biggers
2022-12-02 7:58 ` Roberto Sassu
2022-12-02 18:49 ` Eric Biggers
2022-12-05 8:22 ` Roberto Sassu
2022-12-08 1:26 ` Mimi Zohar
2022-12-08 8:32 ` Roberto Sassu
2022-12-01 10:06 ` [PATCH v2 2/2] ima: Alloc ima_max_digest_data in xattr_verify() " Roberto Sassu
2022-12-01 18:55 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=66d9f3dbfddc5d73e73fa0c6152d70ff1739427a.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiggers@kernel.org \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=roberto.sassu@huaweicloud.com \
--cc=serge@hallyn.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.