
Commit 2eb02aa9 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'fixes-v4.16-rc3' of...

Merge branch 'fixes-v4.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem fixes from James Morris:

 - keys fixes via David Howells:
      "A collection of fixes for Linux keyrings, mostly thanks to Eric
       Biggers:

        - Fix some PKCS#7 verification issues.

        - Fix handling of unsupported crypto in X.509.

        - Fix too-large allocation in big_key"

 - Seccomp updates via Kees Cook:
      "These are fixes for the get_metadata interface that landed during
       -rc1. While the new selftest is strictly not a bug fix, I think
       it's in the same spirit of avoiding bugs"

 - an IMA build fix from Randy Dunlap

* 'fixes-v4.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  integrity/security: fix digsig.c build error with header file
  KEYS: Use individual pages in big_key for crypto buffers
  X.509: fix NULL dereference when restricting key with unsupported_sig
  X.509: fix BUG_ON() when hash algorithm is unsupported
  PKCS#7: fix direct verification of SignerInfo signature
  PKCS#7: fix certificate blacklisting
  PKCS#7: fix certificate chain verification
  seccomp: add a selftest for get_metadata
  ptrace, seccomp: tweak get_metadata behavior slightly
  seccomp, ptrace: switch get_metadata types to arch independent
parents 65738c6b 120f3b11
+1 −0
@@ -106,6 +106,7 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
		pr_devel("sinfo %u: Direct signer is key %x\n",
			 sinfo->index, key_serial(key));
		x509 = NULL;
		sig = sinfo->sig;
		goto matched;
	}
	if (PTR_ERR(key) != -ENOKEY)
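Review bot: The direct-signer branch of pkcs7_validate_trust_one sets `sig = sinfo->sig;` before `goto matched`, but nothing there says why the SignerInfo's own signature is the one to check when `x509` is NULL. I would add a comment above the assignment: `/* Signer key is trusted directly: check the SignerInfo signature, no cert in between */`. The `matched` label and the declaration of `sig` are outside the hunk. It is worth confirming that every other jump to that label also assigns `sig`, since a stale or unset pointer there would decide a trust verdict.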
+7 −5
@@ -270,7 +270,7 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
				sinfo->index);
			return 0;
		}
		ret = public_key_verify_signature(p->pub, p->sig);
		ret = public_key_verify_signature(p->pub, x509->sig);
		if (ret < 0)
			return ret;
		x509->signer = p;
@@ -366,8 +366,7 @@ static int pkcs7_verify_one(struct pkcs7_message *pkcs7,
 *
 *  (*) -EBADMSG if some part of the message was invalid, or:
 *
 *  (*) 0 if no signature chains were found to be blacklisted or to contain
 *	unsupported crypto, or:
 *  (*) 0 if a signature chain passed verification, or:
 *
 *  (*) -EKEYREJECTED if a blacklisted key was encountered, or:
 *
@@ -423,8 +422,11 @@ int pkcs7_verify(struct pkcs7_message *pkcs7,

	for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
		ret = pkcs7_verify_one(pkcs7, sinfo);
		if (sinfo->blacklisted && actual_ret == -ENOPKG)
		if (sinfo->blacklisted) {
			if (actual_ret == -ENOPKG)
				actual_ret = -EKEYREJECTED;
			continue;
		}
		if (ret < 0) {
			if (ret == -ENOPKG) {
				sinfo->unsupported_crypto = true;
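Review bot: The return-value comment above pkcs7_verify still lists `-EKEYREJECTED if a blacklisted key was encountered` without qualification, but the loop in the last hunk no longer behaves that way. It skips a blacklisted SignerInfo with `continue` and only sets `actual_ret = -EKEYREJECTED` while `actual_ret` is still `-ENOPKG`. If another SignerInfo verifies, the function presumably returns 0 despite the blacklisted one; the rest of the loop is outside the hunk, so this is inferred. I would reword the entry as `-EKEYREJECTED if a blacklisted key was encountered and no other signature chain passed verification`, so callers do not read 0 as "no blacklisted signer present". The `ret` from pkcs7_verify_one is also dropped on the blacklisted path, and a short comment saying that is intentional would help.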
+3 −1
@@ -79,9 +79,11 @@ int public_key_verify_signature(const struct public_key *pkey,

	BUG_ON(!pkey);
	BUG_ON(!sig);
	BUG_ON(!sig->digest);
	BUG_ON(!sig->s);

	if (!sig->digest)
		return -ENOPKG;

	alg_name = sig->pkey_algo;
	if (strcmp(sig->pkey_algo, "rsa") == 0) {
		/* The data wangled by the RSA algorithm is typically padded
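Review bot: `BUG_ON(!sig->s)` and the unchecked `sig->pkey_algo` passed to `strcmp` remain next to the new `if (!sig->digest) return -ENOPKG;` check in public_key_verify_signature. I cannot tell from the hunk whether parsing can leave those fields NULL for a signature with unsupported crypto. If it can, they would crash the kernel on certificate-derived data the same way the digest case did. In that case handle them alike, e.g. `if (!sig->s || !sig->pkey_algo) return -ENOPKG;`, and keep BUG_ON only for the caller-supplied `pkey` and `sig`. The function body continues past the hunk.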
+13 −8
@@ -67,8 +67,9 @@ __setup("ca_keys=", ca_keys_setup);
 *
 * Returns 0 if the new certificate was accepted, -ENOKEY if we couldn't find a
 * matching parent certificate in the trusted list, -EKEYREJECTED if the
 * signature check fails or the key is blacklisted and some other error if
 * there is a matching certificate but the signature check cannot be performed.
 * signature check fails or the key is blacklisted, -ENOPKG if the signature
 * uses unsupported crypto, or some other error if there is a matching
 * certificate but the signature check cannot be performed.
 */
int restrict_link_by_signature(struct key *dest_keyring,
			       const struct key_type *type,
@@ -88,6 +89,8 @@ int restrict_link_by_signature(struct key *dest_keyring,
		return -EOPNOTSUPP;

	sig = payload->data[asym_auth];
	if (!sig)
		return -ENOPKG;
	if (!sig->auth_ids[0] && !sig->auth_ids[1])
		return -ENOKEY;

@@ -139,6 +142,8 @@ static int key_or_keyring_common(struct key *dest_keyring,
		return -EOPNOTSUPP;

	sig = payload->data[asym_auth];
	if (!sig)
		return -ENOPKG;
	if (!sig->auth_ids[0] && !sig->auth_ids[1])
		return -ENOKEY;

@@ -222,9 +227,9 @@ static int key_or_keyring_common(struct key *dest_keyring,
 *
 * Returns 0 if the new certificate was accepted, -ENOKEY if we
 * couldn't find a matching parent certificate in the trusted list,
 * -EKEYREJECTED if the signature check fails, and some other error if
 * there is a matching certificate but the signature check cannot be
 * performed.
 * -EKEYREJECTED if the signature check fails, -ENOPKG if the signature uses
 * unsupported crypto, or some other error if there is a matching certificate
 * but the signature check cannot be performed.
 */
int restrict_link_by_key_or_keyring(struct key *dest_keyring,
				    const struct key_type *type,
@@ -249,9 +254,9 @@ int restrict_link_by_key_or_keyring(struct key *dest_keyring,
 *
 * Returns 0 if the new certificate was accepted, -ENOKEY if we
 * couldn't find a matching parent certificate in the trusted list,
 * -EKEYREJECTED if the signature check fails, and some other error if
 * there is a matching certificate but the signature check cannot be
 * performed.
 * -EKEYREJECTED if the signature check fails, -ENOPKG if the signature uses
 * unsupported crypto, or some other error if there is a matching certificate
 * but the signature check cannot be performed.
 */
int restrict_link_by_key_or_keyring_chain(struct key *dest_keyring,
					  const struct key_type *type,
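Review bot: The two new `if (!sig) return -ENOPKG;` checks, in restrict_link_by_signature and in key_or_keyring_common, have no comment on why an empty `payload->data[asym_auth]` is reported as unsupported crypto rather than as a malformed key. A line such as `/* No signature info was parsed: the cert is signed with unsupported crypto */` at both sites would tie the code to the updated kerneldoc. The header comment of key_or_keyring_common is not in the hunk; if it lists return values, it should gain the -ENOPKG case as the three visible kerneldoc blocks did. Both function bodies continue outside the hunks.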
+2 −2
@@ -69,8 +69,8 @@ struct ptrace_peeksiginfo_args {
#define PTRACE_SECCOMP_GET_METADATA	0x420d

struct seccomp_metadata {
	unsigned long filter_off;	/* Input: which filter */
	unsigned int flags;		/* Output: filter's flags */
	__u64 filter_off;	/* Input: which filter */
	__u64 flags;		/* Output: filter's flags */
};

/* Read signals from a shared (process wide) queue */
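Review bot: struct seccomp_metadata is user-visible ABI, and the switch to `__u64` for both fields deserves a comment saying why. Something like `/* Fixed-width fields: same layout for 32-bit and 64-bit tracers */` above the struct would stop a later change from reintroducing `unsigned long`. The kernel-side handler is not in this section. It should copy exactly `sizeof(struct seccomp_metadata)` and fully initialise `flags` so that no uninitialised bytes reach userspace.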