Re: [PATCH v1 1/2] verify_pefile: relax wrapper length check

From: Jarkko Sakkinen <jarkko@kernel.org>
To: Robbie Harwood <rharwood@redhat.com>
Cc: keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>
Subject: Re: [PATCH v1 1/2] verify_pefile: relax wrapper length check
Date: Fri, 17 Feb 2023 23:11:07 +0200	[thread overview]
Message-ID: <Y+/taw1DJV+sGQuj@kernel.org> (raw)
In-Reply-To: <20230217201435.39784-2-rharwood@redhat.com>

On Fri, Feb 17, 2023 at 03:14:34PM -0500, Robbie Harwood wrote:
> The PE Format Specification (section "The Attribute Certificate Table
> (Image Only)") states that `dwLength` is to be rounded up to 8-byte
> alignment when used for traversal.  Therefore, the field is not required
> to be an 8-byte multiple in the first place.
> 
> Accordingly, pesign has not performed this alignment since version
> 0.110.  This causes kexec failure on pesign'd binaries with "PEFILE:
> Signature wrapper len wrong".  Update the comment and relax the check.
> 
> See-also: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only
> See-also: https://github.com/rhboot/pesign
> Signed-off-by: Robbie Harwood <rharwood@redhat.com>

OK, makes sense but what does relaxing this bring up to the table?

I.e. I do get the argument but do not see the motivation.

> ---
>  crypto/asymmetric_keys/verify_pefile.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
> index 7553ab18db89..fe1bb374239d 100644
> --- a/crypto/asymmetric_keys/verify_pefile.c
> +++ b/crypto/asymmetric_keys/verify_pefile.c
> @@ -135,11 +135,15 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
>  	pr_debug("sig wrapper = { %x, %x, %x }\n",
>  		 wrapper.length, wrapper.revision, wrapper.cert_type);
>  
> -	/* Both pesign and sbsign round up the length of certificate table
> -	 * (in optional header data directories) to 8 byte alignment.
> +	/* sbsign rounds up the length of certificate table (in optional
> +	 * header data directories) to 8 byte alignment.  However, the PE
> +	 * specification states that while entries are 8-byte aligned, this is
> +	 * not included in their length, and as a result, pesign has not
> +	 * rounded up since 0.110.
>  	 */
> -	if (round_up(wrapper.length, 8) != ctx->sig_len) {
> -		pr_debug("Signature wrapper len wrong\n");
> +	if (wrapper.length > ctx->sig_len) {
> +		pr_debug("Signature wrapper bigger than sig len (%x > %x)\n",
> +			 ctx->sig_len, wrapper.length);
>  		return -ELIBBAD;
>  	}
>  	if (wrapper.revision != WIN_CERT_REVISION_2_0) {
> -- 
> 2.39.1
> 

BR, Jarkko