| Message ID | 20230801050714.28974-1-ebiggers@kernel.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | fsverity: skip PKCS#7 parser when keyring is empty | expand |
Should the whole use of "d" be moved into the else block? On Mon, Jul 31, 2023 at 10:09 PM Eric Biggers <ebiggers@kernel.org> wrote: > > From: Eric Biggers <ebiggers@google.com> > > If an fsverity builtin signature is given for a file but the > ".fs-verity" keyring is empty, there's no real reason to run the PKCS#7 > parser. Skip this to avoid the PKCS#7 attack surface when builtin > signature support is configured into the kernel but is not being used. > > This is a hardening improvement, not a fix per se, but I've added > Fixes and Cc stable to get it out to more users. > > Fixes: 432434c9f8e1 ("fs-verity: support builtin file signatures") > Cc: stable@vger.kernel.org > Signed-off-by: Eric Biggers <ebiggers@google.com> > --- > fs/verity/signature.c | 24 ++++++++++++++++++++---- > 1 file changed, 20 insertions(+), 4 deletions(-) > > diff --git a/fs/verity/signature.c b/fs/verity/signature.c > index b95acae64eac6..f6668d92d8151 100644 > --- a/fs/verity/signature.c > +++ b/fs/verity/signature.c > @@ -70,10 +70,26 @@ int fsverity_verify_signature(const struct fsverity_info *vi, > d->digest_size = cpu_to_le16(hash_alg->digest_size); > memcpy(d->digest, vi->file_digest, hash_alg->digest_size); > > - err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size, > - signature, sig_size, fsverity_keyring, > - VERIFYING_UNSPECIFIED_SIGNATURE, > - NULL, NULL); > + if (fsverity_keyring->keys.nr_leaves_on_tree == 0) { > + /* > + * The ".fs-verity" keyring is empty, due to builtin signatures > + * being supported by the kernel but not actually being used. > + * In this case, verify_pkcs7_signature() would always return an > + * error, usually ENOKEY. It could also be EBADMSG if the > + * PKCS#7 is malformed, but that isn't very important to > + * distinguish. So, just skip to ENOKEY to avoid the attack > + * surface of the PKCS#7 parser, which would otherwise be > + * reachable by any task able to execute FS_IOC_ENABLE_VERITY. > + */ > + err = -ENOKEY; > + } else { > + err = verify_pkcs7_signature(d, > + sizeof(*d) + hash_alg->digest_size, > + signature, sig_size, > + fsverity_keyring, > + VERIFYING_UNSPECIFIED_SIGNATURE, > + NULL, NULL); > + } > kfree(d); > > if (err) { > > base-commit: 456ae5fe9b448f44ebe98b391a3bae9c75df465e > -- > 2.41.0 >
On Tue Aug 1, 2023 at 8:07 AM EEST, Eric Biggers wrote: > From: Eric Biggers <ebiggers@google.com> > > If an fsverity builtin signature is given for a file but the > ".fs-verity" keyring is empty, there's no real reason to run the PKCS#7 > parser. Skip this to avoid the PKCS#7 attack surface when builtin > signature support is configured into the kernel but is not being used. > > This is a hardening improvement, not a fix per se, but I've added > Fixes and Cc stable to get it out to more users. > > Fixes: 432434c9f8e1 ("fs-verity: support builtin file signatures") > Cc: stable@vger.kernel.org > Signed-off-by: Eric Biggers <ebiggers@google.com> > --- > fs/verity/signature.c | 24 ++++++++++++++++++++---- > 1 file changed, 20 insertions(+), 4 deletions(-) > > diff --git a/fs/verity/signature.c b/fs/verity/signature.c > index b95acae64eac6..f6668d92d8151 100644 > --- a/fs/verity/signature.c > +++ b/fs/verity/signature.c > @@ -70,10 +70,26 @@ int fsverity_verify_signature(const struct fsverity_info *vi, > d->digest_size = cpu_to_le16(hash_alg->digest_size); > memcpy(d->digest, vi->file_digest, hash_alg->digest_size); > > - err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size, > - signature, sig_size, fsverity_keyring, > - VERIFYING_UNSPECIFIED_SIGNATURE, > - NULL, NULL); > + if (fsverity_keyring->keys.nr_leaves_on_tree == 0) { > + /* > + * The ".fs-verity" keyring is empty, due to builtin signatures > + * being supported by the kernel but not actually being used. > + * In this case, verify_pkcs7_signature() would always return an > + * error, usually ENOKEY. It could also be EBADMSG if the > + * PKCS#7 is malformed, but that isn't very important to > + * distinguish. So, just skip to ENOKEY to avoid the attack > + * surface of the PKCS#7 parser, which would otherwise be > + * reachable by any task able to execute FS_IOC_ENABLE_VERITY. > + */ > + err = -ENOKEY; > + } else { > + err = verify_pkcs7_signature(d, > + sizeof(*d) + hash_alg->digest_size, > + signature, sig_size, > + fsverity_keyring, > + VERIFYING_UNSPECIFIED_SIGNATURE, > + NULL, NULL); > + } > kfree(d); > > if (err) { > > base-commit: 456ae5fe9b448f44ebe98b391a3bae9c75df465e > -- > 2.41.0 Acked-by: Jarkko Sakkinen <jarkko@kernel.org> BR, Jarkko
On Tue, Aug 01, 2023 at 09:07:44AM -0700, Victor Hsieh wrote:
> Should the whole use of "d" be moved into the else block?
In v2, changed to use an early return instead.
- Eric
diff --git a/fs/verity/signature.c b/fs/verity/signature.c index b95acae64eac6..f6668d92d8151 100644 --- a/fs/verity/signature.c +++ b/fs/verity/signature.c @@ -70,10 +70,26 @@ int fsverity_verify_signature(const struct fsverity_info *vi, d->digest_size = cpu_to_le16(hash_alg->digest_size); memcpy(d->digest, vi->file_digest, hash_alg->digest_size); - err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size, - signature, sig_size, fsverity_keyring, - VERIFYING_UNSPECIFIED_SIGNATURE, - NULL, NULL); + if (fsverity_keyring->keys.nr_leaves_on_tree == 0) { + /* + * The ".fs-verity" keyring is empty, due to builtin signatures + * being supported by the kernel but not actually being used. + * In this case, verify_pkcs7_signature() would always return an + * error, usually ENOKEY. It could also be EBADMSG if the + * PKCS#7 is malformed, but that isn't very important to + * distinguish. So, just skip to ENOKEY to avoid the attack + * surface of the PKCS#7 parser, which would otherwise be + * reachable by any task able to execute FS_IOC_ENABLE_VERITY. + */ + err = -ENOKEY; + } else { + err = verify_pkcs7_signature(d, + sizeof(*d) + hash_alg->digest_size, + signature, sig_size, + fsverity_keyring, + VERIFYING_UNSPECIFIED_SIGNATURE, + NULL, NULL); + } kfree(d); if (err) {