subject:"Re\: \[RFC PATCH v4 1\/4\] KEYS\: special dot prefixed keyring name bug fix"

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

2014-05-30 Thread Dmitry Kasatkin

On 30 May 2014 22:12, Mimi Zohar  wrote:
> On Fri, 2014-05-30 at 21:24 +0300, Dmitry Kasatkin wrote:
>> On 30 May 2014 20:58, "Mimi Zohar"  wrote:
>> >
>> > On Fri, 2014-05-30 at 18:58 +0300, Dmitry Kasatkin wrote:
>> > > On 28 May 2014 18:09, Mimi Zohar  wrote:
>> > > > Dot prefixed keyring names are supposed to be reserved for the
>> > > > kernel, but add_key() calls key_get_type_from_user(), which
>> > > > incorrectly verifies the 'type' field, not the 'description' field.
>> > > > This patch verifies the 'description' field isn't dot prefixed,
>> > > > when creating a new keyring, and removes the dot prefix test in
>> > > > key_get_type_from_user().
>> > > >
>> > > > Reported-by: Dmitry Kasatkin 
>> > > > Cc: David Howells 
>> > > > Signed-off-by: Mimi Zohar 
>> > > > ---
>> > > >  security/keys/keyctl.c | 6 --
>> > > >  1 file changed, 4 insertions(+), 2 deletions(-)
>> > > >
>> > > > diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
>> > > > index cd5bd0c..9e9a762 100644
>> > > > --- a/security/keys/keyctl.c
>> > > > +++ b/security/keys/keyctl.c
>> > > > @@ -37,8 +37,6 @@ static int key_get_type_from_user(char *type,
>> > > > return ret;
>> > > > if (ret == 0 || ret >= len)
>> > > > return -EINVAL;
>> > > > -   if (type[0] == '.')
>> > > > -   return -EPERM;
>> > > > type[len - 1] = '\0';
>> > > > return 0;
>> > > >  }
>> > > > @@ -87,6 +85,10 @@ SYSCALL_DEFINE5(add_key, const char __user *,
>> _type,
>> > > > kfree(description);
>> > > > description = NULL;
>> > > > }
>> > > > +   if (description[0] == '.') {
>> > > > +   ret = -EPERM;
>> > > > +   goto error2;
>> > > > +   }
>> > >
>> > > 1. 3 lines above "discription = NULL" will cause kernel oops...
>> > > It happens when using empty description... like:
>> > >
>> > > cat x509_ima.der | keyctl padd asymmetric "" keyid
>> >
>> > Right, that should be 'else if'.
>> >
>> > > 2. It prevents adding trusted keys to ".ima" from user space...
>> > > This is NOT what we want... right?
>> >
>> > It prevents creating a dot prefixed keyring.
>> >
>>
>> May be. But it prevents also adding the key
>> It needs to distinguish key adding and keyring adding then...
>
> Perhaps, but assuming you created a keyring on @u, you would still need
> to look up the keyid and use it.  The same is true here.  Instead of
> using "keyctl search @u keyring _ima", you would use "keyctl describe %
> keyring:.ima".  The first field is the keyring id.
>
> Mimi
>

Not perhaps, but for sure.
In the case of adding the key, "description" is not a keyring name...
it is a key name.
In the case of adding keyring, "description" is a keyring name...

- Dmitry

-- 
Thanks,
Dmitry
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

2014-05-30 Thread Mimi Zohar

On Fri, 2014-05-30 at 21:24 +0300, Dmitry Kasatkin wrote: 
> On 30 May 2014 20:58, "Mimi Zohar"  wrote:
> >
> > On Fri, 2014-05-30 at 18:58 +0300, Dmitry Kasatkin wrote:
> > > On 28 May 2014 18:09, Mimi Zohar  wrote:
> > > > Dot prefixed keyring names are supposed to be reserved for the
> > > > kernel, but add_key() calls key_get_type_from_user(), which
> > > > incorrectly verifies the 'type' field, not the 'description' field.
> > > > This patch verifies the 'description' field isn't dot prefixed,
> > > > when creating a new keyring, and removes the dot prefix test in
> > > > key_get_type_from_user().
> > > >
> > > > Reported-by: Dmitry Kasatkin 
> > > > Cc: David Howells 
> > > > Signed-off-by: Mimi Zohar 
> > > > ---
> > > >  security/keys/keyctl.c | 6 --
> > > >  1 file changed, 4 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
> > > > index cd5bd0c..9e9a762 100644
> > > > --- a/security/keys/keyctl.c
> > > > +++ b/security/keys/keyctl.c
> > > > @@ -37,8 +37,6 @@ static int key_get_type_from_user(char *type,
> > > > return ret;
> > > > if (ret == 0 || ret >= len)
> > > > return -EINVAL;
> > > > -   if (type[0] == '.')
> > > > -   return -EPERM;
> > > > type[len - 1] = '\0';
> > > > return 0;
> > > >  }
> > > > @@ -87,6 +85,10 @@ SYSCALL_DEFINE5(add_key, const char __user *,
> _type,
> > > > kfree(description);
> > > > description = NULL;
> > > > }
> > > > +   if (description[0] == '.') {
> > > > +   ret = -EPERM;
> > > > +   goto error2;
> > > > +   }
> > >
> > > 1. 3 lines above "discription = NULL" will cause kernel oops...
> > > It happens when using empty description... like:
> > >
> > > cat x509_ima.der | keyctl padd asymmetric "" keyid
> >
> > Right, that should be 'else if'.
> >
> > > 2. It prevents adding trusted keys to ".ima" from user space...
> > > This is NOT what we want... right?
> >
> > It prevents creating a dot prefixed keyring.
> >
> 
> May be. But it prevents also adding the key
> It needs to distinguish key adding and keyring adding then...

Perhaps, but assuming you created a keyring on @u, you would still need
to look up the keyid and use it.  The same is true here.  Instead of
using "keyctl search @u keyring _ima", you would use "keyctl describe %
keyring:.ima".  The first field is the keyring id.

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

2014-05-30 Thread Mimi Zohar

On Fri, 2014-05-30 at 18:58 +0300, Dmitry Kasatkin wrote: 
> On 28 May 2014 18:09, Mimi Zohar  wrote:
> > Dot prefixed keyring names are supposed to be reserved for the
> > kernel, but add_key() calls key_get_type_from_user(), which
> > incorrectly verifies the 'type' field, not the 'description' field.
> > This patch verifies the 'description' field isn't dot prefixed,
> > when creating a new keyring, and removes the dot prefix test in
> > key_get_type_from_user().
> >
> > Reported-by: Dmitry Kasatkin 
> > Cc: David Howells 
> > Signed-off-by: Mimi Zohar 
> > ---
> >  security/keys/keyctl.c | 6 --
> >  1 file changed, 4 insertions(+), 2 deletions(-)
> >
> > diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
> > index cd5bd0c..9e9a762 100644
> > --- a/security/keys/keyctl.c
> > +++ b/security/keys/keyctl.c
> > @@ -37,8 +37,6 @@ static int key_get_type_from_user(char *type,
> > return ret;
> > if (ret == 0 || ret >= len)
> > return -EINVAL;
> > -   if (type[0] == '.')
> > -   return -EPERM;
> > type[len - 1] = '\0';
> > return 0;
> >  }
> > @@ -87,6 +85,10 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
> > kfree(description);
> > description = NULL;
> > }
> > +   if (description[0] == '.') {
> > +   ret = -EPERM;
> > +   goto error2;
> > +   }
> 
> 1. 3 lines above "discription = NULL" will cause kernel oops...
> It happens when using empty description... like:
> 
> cat x509_ima.der | keyctl padd asymmetric "" keyid

Right, that should be 'else if'. 

> 2. It prevents adding trusted keys to ".ima" from user space...
> This is NOT what we want... right?

It prevents creating a dot prefixed keyring.

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

2014-05-30 Thread Dmitry Kasatkin

On 28 May 2014 18:09, Mimi Zohar  wrote:
> Dot prefixed keyring names are supposed to be reserved for the
> kernel, but add_key() calls key_get_type_from_user(), which
> incorrectly verifies the 'type' field, not the 'description' field.
> This patch verifies the 'description' field isn't dot prefixed,
> when creating a new keyring, and removes the dot prefix test in
> key_get_type_from_user().
>
> Reported-by: Dmitry Kasatkin 
> Cc: David Howells 
> Signed-off-by: Mimi Zohar 
> ---
>  security/keys/keyctl.c | 6 --
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
> index cd5bd0c..9e9a762 100644
> --- a/security/keys/keyctl.c
> +++ b/security/keys/keyctl.c
> @@ -37,8 +37,6 @@ static int key_get_type_from_user(char *type,
> return ret;
> if (ret == 0 || ret >= len)
> return -EINVAL;
> -   if (type[0] == '.')
> -   return -EPERM;
> type[len - 1] = '\0';
> return 0;
>  }
> @@ -87,6 +85,10 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
> kfree(description);
> description = NULL;
> }
> +   if (description[0] == '.') {
> +   ret = -EPERM;
> +   goto error2;
> +   }

1. 3 lines above "discription = NULL" will cause kernel oops...
It happens when using empty description... like:

cat x509_ima.der | keyctl padd asymmetric "" keyid

2. It prevents adding trusted keys to ".ima" from user space...
This is NOT what we want... right?


- Dmitry


> }
>
> /* pull the payload in if one was supplied */
> --
> 1.8.1.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe 
> linux-security-module" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
Thanks,
Dmitry
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

2014-05-30 Thread Dmitry Kasatkin

On 28 May 2014 18:09, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
 Dot prefixed keyring names are supposed to be reserved for the
 kernel, but add_key() calls key_get_type_from_user(), which
 incorrectly verifies the 'type' field, not the 'description' field.
 This patch verifies the 'description' field isn't dot prefixed,
 when creating a new keyring, and removes the dot prefix test in
 key_get_type_from_user().

 Reported-by: Dmitry Kasatkin d.kasat...@samsung.com
 Cc: David Howells dhowe...@redhat.com
 Signed-off-by: Mimi Zohar zo...@linux.vnet.ibm.com
 ---
  security/keys/keyctl.c | 6 --
  1 file changed, 4 insertions(+), 2 deletions(-)

 diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
 index cd5bd0c..9e9a762 100644
 --- a/security/keys/keyctl.c
 +++ b/security/keys/keyctl.c
 @@ -37,8 +37,6 @@ static int key_get_type_from_user(char *type,
 return ret;
 if (ret == 0 || ret = len)
 return -EINVAL;
 -   if (type[0] == '.')
 -   return -EPERM;
 type[len - 1] = '\0';
 return 0;
  }
 @@ -87,6 +85,10 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
 kfree(description);
 description = NULL;
 }
 +   if (description[0] == '.') {
 +   ret = -EPERM;
 +   goto error2;
 +   }

1. 3 lines above discription = NULL will cause kernel oops...
It happens when using empty description... like:

cat x509_ima.der | keyctl padd asymmetric  keyid

2. It prevents adding trusted keys to .ima from user space...
This is NOT what we want... right?


- Dmitry


 }

 /* pull the payload in if one was supplied */
 --
 1.8.1.4

 --
 To unsubscribe from this list: send the line unsubscribe 
 linux-security-module in
 the body of a message to majord...@vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
Thanks,
Dmitry
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

2014-05-30 Thread Mimi Zohar

On Fri, 2014-05-30 at 18:58 +0300, Dmitry Kasatkin wrote: 
 On 28 May 2014 18:09, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
  Dot prefixed keyring names are supposed to be reserved for the
  kernel, but add_key() calls key_get_type_from_user(), which
  incorrectly verifies the 'type' field, not the 'description' field.
  This patch verifies the 'description' field isn't dot prefixed,
  when creating a new keyring, and removes the dot prefix test in
  key_get_type_from_user().
 
  Reported-by: Dmitry Kasatkin d.kasat...@samsung.com
  Cc: David Howells dhowe...@redhat.com
  Signed-off-by: Mimi Zohar zo...@linux.vnet.ibm.com
  ---
   security/keys/keyctl.c | 6 --
   1 file changed, 4 insertions(+), 2 deletions(-)
 
  diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
  index cd5bd0c..9e9a762 100644
  --- a/security/keys/keyctl.c
  +++ b/security/keys/keyctl.c
  @@ -37,8 +37,6 @@ static int key_get_type_from_user(char *type,
  return ret;
  if (ret == 0 || ret = len)
  return -EINVAL;
  -   if (type[0] == '.')
  -   return -EPERM;
  type[len - 1] = '\0';
  return 0;
   }
  @@ -87,6 +85,10 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
  kfree(description);
  description = NULL;
  }
  +   if (description[0] == '.') {
  +   ret = -EPERM;
  +   goto error2;
  +   }
 
 1. 3 lines above discription = NULL will cause kernel oops...
 It happens when using empty description... like:
 
 cat x509_ima.der | keyctl padd asymmetric  keyid

Right, that should be 'else if'. 

 2. It prevents adding trusted keys to .ima from user space...
 This is NOT what we want... right?

It prevents creating a dot prefixed keyring.

Mimi

--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

2014-05-30 Thread Mimi Zohar

On Fri, 2014-05-30 at 21:24 +0300, Dmitry Kasatkin wrote: 
 On 30 May 2014 20:58, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
 
  On Fri, 2014-05-30 at 18:58 +0300, Dmitry Kasatkin wrote:
   On 28 May 2014 18:09, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
Dot prefixed keyring names are supposed to be reserved for the
kernel, but add_key() calls key_get_type_from_user(), which
incorrectly verifies the 'type' field, not the 'description' field.
This patch verifies the 'description' field isn't dot prefixed,
when creating a new keyring, and removes the dot prefix test in
key_get_type_from_user().
   
Reported-by: Dmitry Kasatkin d.kasat...@samsung.com
Cc: David Howells dhowe...@redhat.com
Signed-off-by: Mimi Zohar zo...@linux.vnet.ibm.com
---
 security/keys/keyctl.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)
   
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index cd5bd0c..9e9a762 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -37,8 +37,6 @@ static int key_get_type_from_user(char *type,
return ret;
if (ret == 0 || ret = len)
return -EINVAL;
-   if (type[0] == '.')
-   return -EPERM;
type[len - 1] = '\0';
return 0;
 }
@@ -87,6 +85,10 @@ SYSCALL_DEFINE5(add_key, const char __user *,
 _type,
kfree(description);
description = NULL;
}
+   if (description[0] == '.') {
+   ret = -EPERM;
+   goto error2;
+   }
  
   1. 3 lines above discription = NULL will cause kernel oops...
   It happens when using empty description... like:
  
   cat x509_ima.der | keyctl padd asymmetric  keyid
 
  Right, that should be 'else if'.
 
   2. It prevents adding trusted keys to .ima from user space...
   This is NOT what we want... right?
 
  It prevents creating a dot prefixed keyring.
 
 
 May be. But it prevents also adding the key
 It needs to distinguish key adding and keyring adding then...

Perhaps, but assuming you created a keyring on @u, you would still need
to look up the keyid and use it.  The same is true here.  Instead of
using keyctl search @u keyring _ima, you would use keyctl describe %
keyring:.ima.  The first field is the keyring id.

Mimi

--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

2014-05-30 Thread Dmitry Kasatkin

On 30 May 2014 22:12, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
 On Fri, 2014-05-30 at 21:24 +0300, Dmitry Kasatkin wrote:
 On 30 May 2014 20:58, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
 
  On Fri, 2014-05-30 at 18:58 +0300, Dmitry Kasatkin wrote:
   On 28 May 2014 18:09, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
Dot prefixed keyring names are supposed to be reserved for the
kernel, but add_key() calls key_get_type_from_user(), which
incorrectly verifies the 'type' field, not the 'description' field.
This patch verifies the 'description' field isn't dot prefixed,
when creating a new keyring, and removes the dot prefix test in
key_get_type_from_user().
   
Reported-by: Dmitry Kasatkin d.kasat...@samsung.com
Cc: David Howells dhowe...@redhat.com
Signed-off-by: Mimi Zohar zo...@linux.vnet.ibm.com
---
 security/keys/keyctl.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)
   
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index cd5bd0c..9e9a762 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -37,8 +37,6 @@ static int key_get_type_from_user(char *type,
return ret;
if (ret == 0 || ret = len)
return -EINVAL;
-   if (type[0] == '.')
-   return -EPERM;
type[len - 1] = '\0';
return 0;
 }
@@ -87,6 +85,10 @@ SYSCALL_DEFINE5(add_key, const char __user *,
 _type,
kfree(description);
description = NULL;
}
+   if (description[0] == '.') {
+   ret = -EPERM;
+   goto error2;
+   }
  
   1. 3 lines above discription = NULL will cause kernel oops...
   It happens when using empty description... like:
  
   cat x509_ima.der | keyctl padd asymmetric  keyid
 
  Right, that should be 'else if'.
 
   2. It prevents adding trusted keys to .ima from user space...
   This is NOT what we want... right?
 
  It prevents creating a dot prefixed keyring.
 

 May be. But it prevents also adding the key
 It needs to distinguish key adding and keyring adding then...

 Perhaps, but assuming you created a keyring on @u, you would still need
 to look up the keyid and use it.  The same is true here.  Instead of
 using keyctl search @u keyring _ima, you would use keyctl describe %
 keyring:.ima.  The first field is the keyring id.

 Mimi


Not perhaps, but for sure.
In the case of adding the key, description is not a keyring name...
it is a key name.
In the case of adding keyring, description is a keyring name...

- Dmitry

-- 
Thanks,
Dmitry
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

Re: [RFC PATCH v4 1/4] KEYS: special dot prefixed keyring name bug fix

8 matches

Site Navigation

Mail list logo

Footer information