Re: [PATCH v2 1/2] evm: Alloc evm_digest in evm_verify_hmac() if CONFIG_VMAP_STACK=y

From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: Mimi Zohar <zohar@linux.ibm.com>, Eric Biggers <ebiggers@kernel.org>
Cc: dmitry.kasatkin@gmail.com, paul@paul-moore.com,
	jmorris@namei.org, serge@hallyn.com,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Roberto Sassu <roberto.sassu@huawei.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH v2 1/2] evm: Alloc evm_digest in evm_verify_hmac() if CONFIG_VMAP_STACK=y
Date: Thu, 08 Dec 2022 09:32:33 +0100	[thread overview]
Message-ID: <971b28db46dfb4437080b18ba042b290abaf960f.camel@huaweicloud.com> (raw)
In-Reply-To: <b3d0cfa7f5391968ce332977eb602305cd57e891.camel@linux.ibm.com>

On Wed, 2022-12-07 at 20:26 -0500, Mimi Zohar wrote:
> On Mon, 2022-12-05 at 09:22 +0100, Roberto Sassu wrote:
> > On Fri, 2022-12-02 at 10:49 -0800, Eric Biggers wrote:
> > > On Fri, Dec 02, 2022 at 08:58:21AM +0100, Roberto Sassu wrote:
> > > > On Thu, 2022-12-01 at 10:53 -0800, Eric Biggers wrote:
> > > > > On Thu, Dec 01, 2022 at 11:06:24AM +0100, Roberto Sassu wrote:
> > > > > > From: Roberto Sassu <roberto.sassu@huawei.com>
> > > > > > 
> > > > > > Commit ac4e97abce9b8 ("scatterlist: sg_set_buf() argument must be in linear
> > > > > > mapping") checks that both the signature and the digest reside in the
> > > > > > linear mapping area.
> > > > > > 
> > > > > > However, more recently commit ba14a194a434c ("fork: Add generic vmalloced
> > > > > > stack support"), made it possible to move the stack in the vmalloc area,
> > > > > > which is not contiguous, and thus not suitable for sg_set_buf() which needs
> > > > > > adjacent pages.
> > > > > > 
> > > > > > Fix this by checking if CONFIG_VMAP_STACK is enabled. If yes, allocate an
> > > > > > evm_digest structure, and use that instead of the in-stack counterpart.
> > > > > > 
> > > > > > Cc: stable@vger.kernel.org # 4.9.x
> > > > > > Fixes: ba14a194a434 ("fork: Add generic vmalloced stack support")
> > > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > > > > > ---
> > > > > >  security/integrity/evm/evm_main.c | 26 +++++++++++++++++++++-----
> > > > > >  1 file changed, 21 insertions(+), 5 deletions(-)
> > > > > > 
> > > > > > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> > > > > > index 23d484e05e6f..7f76d6103f2e 100644
> > > > > > --- a/security/integrity/evm/evm_main.c
> > > > > > +++ b/security/integrity/evm/evm_main.c
> > > > > > @@ -174,6 +174,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
> > > > > >  	struct signature_v2_hdr *hdr;
> > > > > >  	enum integrity_status evm_status = INTEGRITY_PASS;
> > > > > >  	struct evm_digest digest;
> > > > > > +	struct evm_digest *digest_ptr = &digest;
> > > > > >  	struct inode *inode;
> > > > > >  	int rc, xattr_len, evm_immutable = 0;
> > > > > >  
> > > > > > @@ -231,14 +232,26 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
> > > > > >  		}
> > > > > >  
> > > > > >  		hdr = (struct signature_v2_hdr *)xattr_data;
> > > > > > -		digest.hdr.algo = hdr->hash_algo;
> > > > > > +
> > > > > > +		if (IS_ENABLED(CONFIG_VMAP_STACK)) {
> > > > > > +			digest_ptr = kmalloc(sizeof(*digest_ptr), GFP_NOFS);
> > > > > > +			if (!digest_ptr) {
> > > > > > +				rc = -ENOMEM;
> > > > > > +				break;
> > > > > > +			}
> > > > > > +		}
> > > > > > +
> > > > > > +		digest_ptr->hdr.algo = hdr->hash_algo;
> > > > > > +
> > > > > >  		rc = evm_calc_hash(dentry, xattr_name, xattr_value,
> > > > > > -				   xattr_value_len, xattr_data->type, &digest);
> > > > > > +				   xattr_value_len, xattr_data->type,
> > > > > > +				   digest_ptr);
> > > > > >  		if (rc)
> > > > > >  			break;
> > > > > >  		rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
> > > > > >  					(const char *)xattr_data, xattr_len,
> > > > > > -					digest.digest, digest.hdr.length);
> > > > > > +					digest_ptr->digest,
> > > > > > +					digest_ptr->hdr.length);
> > > > > >  		if (!rc) {
> > > > > >  			inode = d_backing_inode(dentry);
> > > > > >  
> > > > > > @@ -268,8 +281,11 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
> > > > > >  		else
> > > > > >  			evm_status = INTEGRITY_FAIL;
> > > > > >  	}
> > > > > > -	pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length,
> > > > > > -		  digest.digest);
> > > > > > +	pr_debug("digest: (%d) [%*phN]\n", digest_ptr->hdr.length,
> > > > > > +		 digest_ptr->hdr.length, digest_ptr->digest);
> > > > > > +
> > > > > > +	if (digest_ptr && digest_ptr != &digest)
> > > > > > +		kfree(digest_ptr);
> > > > > 
> > > > > What is the actual problem here?  Where is a scatterlist being created from this
> > > > > buffer?  AFAICS it never happens.
> > > > 
> > > > Hi Eric
> > > > 
> > > > it is in public_key_verify_signature(), called by asymmetric_verify()
> > > > and integrity_digsig_verify().
> > > > 
> > > 
> > > Hmm, that's several steps down the stack then.  And not something I had
> > > expected.
> > > 
> > > Perhaps this should be fixed in public_key_verify_signature() instead?  It
> > > already does a kmalloc(), so that allocation size just could be made a bit
> > > larger to get space for a temporary copy of 's' and 'digest'.
> > 
> > Mimi asked to fix it in both IMA and EVM.
> 
> At the time I thought the problem was limited to
> integrity_digsig_verify() and just to the digest.
> 
> I'll leave it up to you and Eric to decide what is the preferable
> solution.

Ok, yes. I think Eric's suggestion of making a copy in
public_key_verify_signature() is better. Will do it.

> > > Or at the very least, struct public_key_signature should have a *very* clear
> > > comment saying that the 's' and 'digest' fields must be located in physically
> > > contiguous memory...
> > 
> > That I could add as an additional patch.
> 
> Thanks, the new patch containing the comment looks fine.

Thanks, not sure if I need to keep it with the new patch (probably
not).

Roberto