From: Robbie Harwood <rharwood@redhat.com>
To: keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>
Cc: Robbie Harwood <rharwood@redhat.com>
Subject: [PATCH v1 1/2] verify_pefile: relax wrapper length check
Date: Fri, 17 Feb 2023 15:14:34 -0500 [thread overview]
Message-ID: <20230217201435.39784-2-rharwood@redhat.com> (raw)
In-Reply-To: <20230217201435.39784-1-rharwood@redhat.com>
The PE Format Specification (section "The Attribute Certificate Table
(Image Only)") states that `dwLength` is to be rounded up to 8-byte
alignment when used for traversal. Therefore, the field is not required
to be an 8-byte multiple in the first place.
Accordingly, pesign has not performed this alignment since version
0.110. This causes kexec failure on pesign'd binaries with "PEFILE:
Signature wrapper len wrong". Update the comment and relax the check.
See-also: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only
See-also: https://github.com/rhboot/pesign
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
crypto/asymmetric_keys/verify_pefile.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
index 7553ab18db89..fe1bb374239d 100644
--- a/crypto/asymmetric_keys/verify_pefile.c
+++ b/crypto/asymmetric_keys/verify_pefile.c
@@ -135,11 +135,15 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
pr_debug("sig wrapper = { %x, %x, %x }\n",
wrapper.length, wrapper.revision, wrapper.cert_type);
- /* Both pesign and sbsign round up the length of certificate table
- * (in optional header data directories) to 8 byte alignment.
+ /* sbsign rounds up the length of certificate table (in optional
+ * header data directories) to 8 byte alignment. However, the PE
+ * specification states that while entries are 8-byte aligned, this is
+ * not included in their length, and as a result, pesign has not
+ * rounded up since 0.110.
*/
- if (round_up(wrapper.length, 8) != ctx->sig_len) {
- pr_debug("Signature wrapper len wrong\n");
+ if (wrapper.length > ctx->sig_len) {
+ pr_debug("Signature wrapper bigger than sig len (%x > %x)\n",
+ ctx->sig_len, wrapper.length);
return -ELIBBAD;
}
if (wrapper.revision != WIN_CERT_REVISION_2_0) {
--
2.39.1
next prev parent reply other threads:[~2023-02-17 20:15 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-17 20:14 [PATCH v1 0/2] Fix kexec of pesigned images Robbie Harwood
2023-02-17 20:14 ` Robbie Harwood [this message]
2023-02-17 21:11 ` [PATCH v1 1/2] verify_pefile: relax wrapper length check Jarkko Sakkinen
2023-02-17 20:14 ` [PATCH v1 2/2] asymmetric_keys: log on fatal failures in PE/pkcs7 Robbie Harwood
2023-02-17 21:14 ` Jarkko Sakkinen
2023-02-17 20:36 ` [PATCH v1 1/2] verify_pefile: relax wrapper length check David Howells
2023-02-17 20:37 ` [PATCH v1 2/2] asymmetric_keys: log on fatal failures in PE/pkcs7 David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230217201435.39784-2-rharwood@redhat.com \
--to=rharwood@redhat.com \
--cc=dhowells@redhat.com \
--cc=keyrings@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.