On Sat, 2022-06-18 at 16:21 +0200, Ben Hutchings wrote:
> On Thu, 2022-06-16 at 01:28 +0200, Ben Hutchings wrote:
> [...]
>
> > linux-image-4.19.0-17-amd64 4.19.194-1
> > lib/modules/4.19.0-17-amd64/kernel/drivers/dma/dw/dw_dmac_core.ko
> > linux-image-4.19.0-17-amd64 4.19.194-2
> > lib/modules/4.19.0-17-amd64/kernel/drivers/dma/dw/dw_dmac_core.ko
> > linux-image-4.19.0-17-amd64 4.19.194-3
> > lib/modules/4.19.0-17-amd64/kernel/drivers/dma/dw/dw_dmac_core.ko
> [...]
> > A significant pattern visible here is a short signature for the same
> > module in multiple consecutive versions, where the module may have
> > identical contents. That implies that this is a reproducible issue for
> > certain inputs that cannot be worked around by re-running the signing
> > process.
> >
> > However, I have *not* yet verified that all short signatures really are
> > invalid.
>
> These module files are indeed identical, and their signatures are
> rejected by the kernel.
>
> I'm now looking at whether the missing bytes are recoverable (e.g. are
> they always zeroes).
[...]

I wrote a script to try all possible byte values for 2 bytes before or
after the short signature. For this particular file, none of them
produced a valid signature. So the short signatures seem to be
corrupted in a more complex way.

In the meantime, we have another security update coming which might
not hit this bug again. But there are 28,679 signed binaries across
the three architectures, so the probability is only about 65%.

Ben.

-- 
Ben Hutchings
The most exhausting thing in life is being insincere.
                                                 - Anne Morrow Lindberg
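
An added example, not part of the original message and not the script it mentions: a check that reads the signature trailer appended to each kernel module and lists the modules whose signature is shorter than the rest. It assumes that "short" shows up as a smaller `sig_len` than the most common value in the set (one signing key, so valid lengths agree); the function names and the sample images are constructed for illustration.

```python
import struct
from collections import Counter

MAGIC = b"~Module signature appended~\n"  # marker the kernel looks for at end of file
TRAILER = struct.Struct(">5B3xI")         # struct module_signature: 5 x u8, 3 pad, be32 sig_len
PKEY_ID_PKCS7 = 2


def signature_info(blob):
    """Return (payload_len, sig_len) for a signed module, None if unsigned."""
    if not blob.endswith(MAGIC):
        return None
    trailer_at = len(blob) - len(MAGIC) - TRAILER.size
    if trailer_at < 0:
        raise ValueError("file too small to hold a signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack_from(blob, trailer_at)
    # For PKCS#7 signatures every field except id_type and sig_len must be 0.
    if id_type != PKEY_ID_PKCS7 or any((algo, hash_, signer_len, key_id_len)):
        raise ValueError("unexpected signature trailer fields")
    if sig_len > trailer_at:
        raise ValueError("sig_len larger than the file")
    return trailer_at - sig_len, sig_len


def find_short_signatures(modules):
    """modules: {path: bytes}. Return sorted paths whose signature is shorter
    than the most common length (assumption: one key, so valid lengths agree)."""
    lengths = {p: info[1] for p, b in modules.items() if (info := signature_info(b))}
    if not lengths:
        return []
    expected = Counter(lengths.values()).most_common(1)[0][0]
    return sorted(p for p, n in lengths.items() if n < expected)


def make_signed(payload, sig):
    """Build a constructed test image: payload + signature blob + trailer + marker."""
    return payload + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC


# Constructed sample data; the "signatures" are filler bytes, not real PKCS#7.
SAMPLE = {
    "a.ko": make_signed(b"\x7fELF" + b"A" * 60, b"\x30" * 400),
    "b.ko": make_signed(b"\x7fELF" + b"B" * 80, b"\x30" * 400),
    "c.ko": make_signed(b"\x7fELF" + b"C" * 70, b"\x30" * 398),
    "unsigned.ko": b"\x7fELF" + b"D" * 50,
}

if __name__ == "__main__":
    print(find_short_signatures(SAMPLE))
```

A length check like this only narrows down candidates; whether a signature is accepted is decided by verifying it against the signing certificate.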