Message ID | 20200129093612.16889-1-clayc@hpe.com (mailing list archive) |
---|---|
State | New |
Series | KEYS: check the certfile for ASN1 encoding before inserting |
Clay Chang <clayc@hpe.com> wrote: > + if (cert[0] != 0x30 && cert[1] != 0x82) { > + err("Invalid certfile.\n"); > + exit(EXIT_FAILURE); > + } > + I wonder if this is a good enough check. It might be better to actually run it through a utility that will actually check the structure (eg. openssl asn1parse or openssl x509) and check the error code. David
diff --git a/scripts/insert-sys-cert.c b/scripts/insert-sys-cert.c index 8902836c2342..2d9139887ba0 100644 --- a/scripts/insert-sys-cert.c +++ b/scripts/insert-sys-cert.c @@ -311,6 +311,11 @@ int main(int argc, char **argv) if (!cert) exit(EXIT_FAILURE); + if (cert[0] != 0x30 && cert[1] != 0x82) { + err("Invalid certfile.\n"); + exit(EXIT_FAILURE); + } + hdr = map_file(vmlinux_file, &vmlinux_size); if (!hdr) exit(EXIT_FAILURE);
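Review bot: The condition `cert[0] != 0x30 && cert[1] != 0x82` in the added block rejects the file only when both bytes are wrong, so any input whose first byte is 0x30, or whose second byte is 0x82, is accepted; if the intent is to require both bytes, the operator should be `||`. Requiring 0x82 in the second byte also ties the check to a long-form length with two length bytes, and a comment or the commit message should state that assumption. The visible context tests `cert` only for NULL before `cert[1]` is read, so the check should also confirm the mapped file is at least two bytes long, and the "Invalid certfile." message would be more useful if it named the expected encoding.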
The certfile to be inserted into the kernel must be in ASN1 encoding. This patch implements a guard against invalid certfile.

Signed-off-by: Clay Chang <clayc@hpe.com>

---

scripts/insert-sys-cert.c | 5 +++++ 1 file changed, 5 insertions(+)
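For comparison with the two-byte test discussed in this thread, the following added example (not part of the patch or of the kernel tree) checks the outer DER header of a certificate buffer: SEQUENCE tag, minimally encoded length, and a length that matches the buffer size exactly. The helper name `der_outer_sequence_ok`, the wrapper `patch_rejects` and the sample buffers are constructed for illustration; the check covers only the outer header, not the full structure that `openssl asn1parse` or `openssl x509` would verify.

```c
#include <stddef.h>
#include <stdio.h>

/* The condition from the patch, kept as posted, for comparison. */
static int patch_rejects(const unsigned char *cert)
{
	return cert[0] != 0x30 && cert[1] != 0x82;
}

/*
 * Hypothetical helper, not part of insert-sys-cert.c: accept the buffer only
 * if it is one DER SEQUENCE whose encoded length covers every byte of it.
 * Returns 0 if well formed, -1 otherwise. Inner fields are not parsed.
 */
static int der_outer_sequence_ok(const unsigned char *buf, size_t size)
{
	size_t len = 0, hdr = 2, nlen, i;

	if (!buf || size < 2 || buf[0] != 0x30)	/* tag: SEQUENCE */
		return -1;
	if (buf[1] < 0x80) {			/* short form length */
		len = buf[1];
	} else {				/* long form: nlen length bytes */
		nlen = buf[1] & 0x7f;
		if (nlen == 0 || nlen > sizeof(size_t) || size < 2 + nlen)
			return -1;	/* indefinite, oversized or truncated */
		for (i = 0; i < nlen; i++)
			len = (len << 8) | buf[2 + i];
		if (buf[2] == 0 || len < 0x80)
			return -1;	/* DER requires the minimal encoding */
		hdr += nlen;
	}
	return len == size - hdr ? 0 : -1;	/* no truncation, no trailing data */
}

/* Constructed samples, not real certificates. */
static const unsigned char sample_long[4 + 300] = { 0x30, 0x82, 0x01, 0x2c };
static const unsigned char sample_short[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const unsigned char sample_junk[] = { 0x30, 'A', 'B' };

int main(void)
{
	printf("long form:  %d\n", der_outer_sequence_ok(sample_long, sizeof(sample_long)));
	printf("short form: %d\n", der_outer_sequence_ok(sample_short, sizeof(sample_short)));
	printf("junk:       %d (patch rejects: %d)\n",
	       der_outer_sequence_ok(sample_junk, sizeof(sample_junk)),
	       patch_rejects(sample_junk));
	return 0;
}
```

The `sample_junk` buffer passes the posted condition because its first byte is 0x30, while the length comparison rejects it.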