From 25add8cf99c9ec8b8dc0acd8b9241e963fc0d29c Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Sun, 15 Jan 2012 11:05:59 +0900 Subject: TOMOYO: Accept \000 as a valid character. TOMOYO 2.5 in Linux 3.2 and later handles Unix domain socket's address. Thus, tomoyo_correct_word2() needs to accept \000 as a valid character, or TOMOYO 2.5 cannot handle Unix domain's abstract socket address. Reported-by: Steven Allen Signed-off-by: Tetsuo Handa CC: stable@vger.kernel.org [3.2+] Signed-off-by: James Morris --- security/tomoyo/util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'security') diff --git a/security/tomoyo/util.c b/security/tomoyo/util.c index 4a9b4b2eb75..867558c9833 100644 --- a/security/tomoyo/util.c +++ b/security/tomoyo/util.c @@ -492,13 +492,13 @@ static bool tomoyo_correct_word2(const char *string, size_t len) if (d < '0' || d > '7' || e < '0' || e > '7') break; c = tomoyo_make_byte(c, d, e); - if (tomoyo_invalid(c)) - continue; /* pattern is not \000 */ + if (c <= ' ' || c >= 127) + continue; } goto out; } else if (in_repetition && c == '/') { goto out; - } else if (tomoyo_invalid(c)) { + } else if (c <= ' ' || c >= 127) { goto out; } } -- cgit v1.2.3 From efde8b6e16f11e7d1681c68d86c7fd51053cada7 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 17 Jan 2012 20:39:40 +0000 Subject: KEYS: Add missing smp_rmb() primitives to the keyring search code Add missing smp_rmb() primitives to the keyring search code. When keyring payloads are appended to without replacement (thus using up spare slots in the key pointer array), an smp_wmb() is issued between the pointer assignment and the increment of the key count (nkeys). There should be corresponding read barriers between the read of nkeys and dereferences of keys[n] when n is dependent on the value of nkeys. Signed-off-by: David Howells Reviewed-by: Paul E. McKenney Signed-off-by: James Morris --- security/keys/gc.c | 4 +++- security/keys/keyring.c | 22 +++++++++++++++------- 2 files changed, 18 insertions(+), 8 deletions(-) (limited to 'security') diff --git a/security/keys/gc.c b/security/keys/gc.c index bf4d8da5a79..a42b45531aa 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c @@ -145,7 +145,9 @@ static void key_gc_keyring(struct key *keyring, time_t limit) if (!klist) goto unlock_dont_gc; - for (loop = klist->nkeys - 1; loop >= 0; loop--) { + loop = klist->nkeys; + smp_rmb(); + for (loop--; loop >= 0; loop--) { key = klist->keys[loop]; if (test_bit(KEY_FLAG_DEAD, &key->flags) || (key->expiry > 0 && key->expiry <= limit)) diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 37a7f3b2885..d605f75292e 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -319,7 +319,7 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref, struct key *keyring, *key; key_ref_t key_ref; long err; - int sp, kix; + int sp, nkeys, kix; keyring = key_ref_to_ptr(keyring_ref); possessed = is_key_possessed(keyring_ref); @@ -380,7 +380,9 @@ descend: goto not_this_keyring; /* iterate through the keys in this keyring first */ - for (kix = 0; kix < keylist->nkeys; kix++) { + nkeys = keylist->nkeys; + smp_rmb(); + for (kix = 0; kix < nkeys; kix++) { key = keylist->keys[kix]; kflags = key->flags; @@ -421,7 +423,9 @@ descend: /* search through the keyrings nested in this one */ kix = 0; ascend: - for (; kix < keylist->nkeys; kix++) { + nkeys = keylist->nkeys; + smp_rmb(); + for (; kix < nkeys; kix++) { key = keylist->keys[kix]; if (key->type != &key_type_keyring) continue; @@ -515,7 +519,7 @@ key_ref_t __keyring_search_one(key_ref_t keyring_ref, struct keyring_list *klist; unsigned long possessed; struct key *keyring, *key; - int loop; + int nkeys, loop; keyring = key_ref_to_ptr(keyring_ref); possessed = is_key_possessed(keyring_ref); @@ -524,7 +528,9 @@ key_ref_t __keyring_search_one(key_ref_t keyring_ref, klist = rcu_dereference(keyring->payload.subscriptions); if (klist) { - for (loop = 0; loop < klist->nkeys; loop++) { + nkeys = klist->nkeys; + smp_rmb(); + for (loop = 0; loop < nkeys ; loop++) { key = klist->keys[loop]; if (key->type == ktype && @@ -622,7 +628,7 @@ static int keyring_detect_cycle(struct key *A, struct key *B) struct keyring_list *keylist; struct key *subtree, *key; - int sp, kix, ret; + int sp, nkeys, kix, ret; rcu_read_lock(); @@ -645,7 +651,9 @@ descend: ascend: /* iterate through the remaining keys in this keyring */ - for (; kix < keylist->nkeys; kix++) { + nkeys = keylist->nkeys; + smp_rmb(); + for (; kix < nkeys; kix++) { key = keylist->keys[kix]; if (key == A) -- cgit v1.2.3 From ee0b31a25a010116f44fca6c96f4516d417793dd Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Tue, 17 Jan 2012 20:39:51 +0000 Subject: keys: fix trusted/encrypted keys sparse rcu_assign_pointer messages Define rcu_assign_keypointer(), which uses the key payload.rcudata instead of payload.data, to resolve the CONFIG_SPARSE_RCU_POINTER message: "incompatible types in comparison expression (different address spaces)" Replace the rcu_assign_pointer() calls in encrypted/trusted keys with rcu_assign_keypointer(). Signed-off-by: Mimi Zohar Signed-off-by: David Howells Signed-off-by: James Morris --- include/linux/key.h | 3 +++ security/keys/encrypted-keys/encrypted.c | 4 ++-- security/keys/encrypted-keys/masterkey_trusted.c | 2 ++ security/keys/trusted.c | 4 ++-- 4 files changed, 9 insertions(+), 4 deletions(-) (limited to 'security') diff --git a/include/linux/key.h b/include/linux/key.h index 183a6af7715..bfc014c5735 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -293,6 +293,9 @@ static inline bool key_is_instantiated(const struct key *key) (rcu_dereference_protected((KEY)->payload.rcudata, \ rwsem_is_locked(&((struct key *)(KEY))->sem))) +#define rcu_assign_keypointer(KEY, PAYLOAD) \ + (rcu_assign_pointer((KEY)->payload.rcudata, PAYLOAD)) + #ifdef CONFIG_SYSCTL extern ctl_table key_sysctls[]; #endif diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c index 41144f71d61..d91efb6901e 100644 --- a/security/keys/encrypted-keys/encrypted.c +++ b/security/keys/encrypted-keys/encrypted.c @@ -810,7 +810,7 @@ static int encrypted_instantiate(struct key *key, const void *data, goto out; } - rcu_assign_pointer(key->payload.data, epayload); + rcu_assign_keypointer(key, epayload); out: kfree(datablob); return ret; @@ -874,7 +874,7 @@ static int encrypted_update(struct key *key, const void *data, size_t datalen) memcpy(new_epayload->payload_data, epayload->payload_data, epayload->payload_datalen); - rcu_assign_pointer(key->payload.data, new_epayload); + rcu_assign_keypointer(key, new_epayload); call_rcu(&epayload->rcu, encrypted_rcu_free); out: kfree(buf); diff --git a/security/keys/encrypted-keys/masterkey_trusted.c b/security/keys/encrypted-keys/masterkey_trusted.c index df87272e3f5..8c16c3e472e 100644 --- a/security/keys/encrypted-keys/masterkey_trusted.c +++ b/security/keys/encrypted-keys/masterkey_trusted.c @@ -18,6 +18,8 @@ #include #include #include +#include +#include "encrypted.h" /* * request_trusted_key - request the trusted key diff --git a/security/keys/trusted.c b/security/keys/trusted.c index 0ed5fdf238a..2d5d041f204 100644 --- a/security/keys/trusted.c +++ b/security/keys/trusted.c @@ -993,7 +993,7 @@ out: kfree(datablob); kfree(options); if (!ret) - rcu_assign_pointer(key->payload.data, payload); + rcu_assign_keypointer(key, payload); else kfree(payload); return ret; @@ -1067,7 +1067,7 @@ static int trusted_update(struct key *key, const void *data, size_t datalen) goto out; } } - rcu_assign_pointer(key->payload.data, new_p); + rcu_assign_keypointer(key, new_p); call_rcu(&p->rcu, trusted_rcu_free); out: kfree(datablob); -- cgit v1.2.3 From 6ac6172a935d1faf7ef259802267657bc0007a62 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Tue, 17 Jan 2012 20:40:02 +0000 Subject: encrypted-keys: fix rcu and sparse messages Enabling CONFIG_PROVE_RCU and CONFIG_SPARSE_RCU_POINTER resulted in "suspicious rcu_dereference_check() usage!" and "incompatible types in comparison expression (different address spaces)" messages. Access the masterkey directly when holding the rwsem. Changelog v1: - Use either rcu_read_lock()/rcu_derefence_key()/rcu_read_unlock() or remove the unnecessary rcu_derefence() - David Howells Reported-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar Signed-off-by: David Howells Signed-off-by: James Morris --- security/keys/encrypted-keys/encrypted.c | 2 +- security/keys/encrypted-keys/masterkey_trusted.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'security') diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c index d91efb6901e..2d1bb8af769 100644 --- a/security/keys/encrypted-keys/encrypted.c +++ b/security/keys/encrypted-keys/encrypted.c @@ -314,7 +314,7 @@ static struct key *request_user_key(const char *master_desc, u8 **master_key, goto error; down_read(&ukey->sem); - upayload = rcu_dereference(ukey->payload.data); + upayload = ukey->payload.data; *master_key = upayload->data; *master_keylen = upayload->datalen; error: diff --git a/security/keys/encrypted-keys/masterkey_trusted.c b/security/keys/encrypted-keys/masterkey_trusted.c index 8c16c3e472e..013f7e5d3a2 100644 --- a/security/keys/encrypted-keys/masterkey_trusted.c +++ b/security/keys/encrypted-keys/masterkey_trusted.c @@ -39,7 +39,7 @@ struct key *request_trusted_key(const char *trusted_desc, goto error; down_read(&tkey->sem); - tpayload = rcu_dereference(tkey->payload.data); + tpayload = tkey->payload.data; *master_key = tpayload->key; *master_keylen = tpayload->key_len; error: -- cgit v1.2.3 From 5e8898e97a5db4125d944070922164d1d09a2689 Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Tue, 17 Jan 2012 17:12:03 +0200 Subject: lib: digital signature config option name change It was reported that DIGSIG is confusing name for digital signature module. It was suggested to rename DIGSIG to SIGNATURE. Requested-by: Linus Torvalds Suggested-by: Pavel Machek Signed-off-by: Dmitry Kasatkin Signed-off-by: James Morris --- include/linux/digsig.h | 4 ++-- lib/Kconfig | 2 +- lib/Makefile | 2 +- security/integrity/Kconfig | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) (limited to 'security') diff --git a/include/linux/digsig.h b/include/linux/digsig.h index efae755017d..b01558b1581 100644 --- a/include/linux/digsig.h +++ b/include/linux/digsig.h @@ -46,7 +46,7 @@ struct signature_hdr { char mpi[0]; } __packed; -#if defined(CONFIG_DIGSIG) || defined(CONFIG_DIGSIG_MODULE) +#if defined(CONFIG_SIGNATURE) || defined(CONFIG_SIGNATURE_MODULE) int digsig_verify(struct key *keyring, const char *sig, int siglen, const char *digest, int digestlen); @@ -59,6 +59,6 @@ static inline int digsig_verify(struct key *keyring, const char *sig, return -EOPNOTSUPP; } -#endif /* CONFIG_DIGSIG */ +#endif /* CONFIG_SIGNATURE */ #endif /* _DIGSIG_H */ diff --git a/lib/Kconfig b/lib/Kconfig index 201e1b33d72..854735d96dc 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -302,7 +302,7 @@ config MPILIB_EXTRA This code in unnecessary for RSA digital signature verification, and can be compiled if needed. -config DIGSIG +config SIGNATURE tristate "In-kernel signature checker" depends on KEYS select MPILIB diff --git a/lib/Makefile b/lib/Makefile index dace162c7e1..d71aae1b01b 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -119,7 +119,7 @@ obj-$(CONFIG_CORDIC) += cordic.o obj-$(CONFIG_DQL) += dynamic_queue_limits.o obj-$(CONFIG_MPILIB) += mpi/ -obj-$(CONFIG_DIGSIG) += digsig.o +obj-$(CONFIG_SIGNATURE) += digsig.o hostprogs-y := gen_crc32table clean-files := crc32table.h diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index d384ea92148..ff60bf72881 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -7,7 +7,7 @@ config INTEGRITY_DIGSIG boolean "Digital signature verification using multiple keyrings" depends on INTEGRITY && KEYS default n - select DIGSIG + select SIGNATURE help This option enables digital signature verification support using multiple keyrings. It defines separate keyrings for each -- cgit v1.2.3 From f1be242c95257b199d8b679bc952ca33487c9af6 Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Tue, 17 Jan 2012 17:12:07 +0200 Subject: integrity: digital signature config option name change Similar to SIGNATURE, rename INTEGRITY_DIGSIG to INTEGRITY_SIGNATURE. Signed-off-by: Dmitry Kasatkin Signed-off-by: James Morris --- security/integrity/Kconfig | 2 +- security/integrity/Makefile | 2 +- security/integrity/integrity.h | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) (limited to 'security') diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index ff60bf72881..5bd1cc1b4a5 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -3,7 +3,7 @@ config INTEGRITY def_bool y depends on IMA || EVM -config INTEGRITY_DIGSIG +config INTEGRITY_SIGNATURE boolean "Digital signature verification using multiple keyrings" depends on INTEGRITY && KEYS default n diff --git a/security/integrity/Makefile b/security/integrity/Makefile index bece0563ee5..d43799cc14f 100644 --- a/security/integrity/Makefile +++ b/security/integrity/Makefile @@ -3,7 +3,7 @@ # obj-$(CONFIG_INTEGRITY) += integrity.o -obj-$(CONFIG_INTEGRITY_DIGSIG) += digsig.o +obj-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o integrity-y := iint.o diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 4da6ba81d15..7a25ecec5aa 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -51,7 +51,7 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode); #define INTEGRITY_KEYRING_IMA 2 #define INTEGRITY_KEYRING_MAX 3 -#ifdef CONFIG_INTEGRITY_DIGSIG +#ifdef CONFIG_INTEGRITY_SIGNATURE int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, const char *digest, int digestlen); @@ -65,7 +65,7 @@ static inline int integrity_digsig_verify(const unsigned int id, return -EOPNOTSUPP; } -#endif /* CONFIG_INTEGRITY_DIGSIG */ +#endif /* CONFIG_INTEGRITY_SIGNATURE */ /* set during initialization */ extern int iint_initialized; -- cgit v1.2.3