Hi Sasha, Thanks! The first two patches listed below aren't "necessary", but with them the rest of the bug fixes apply cleanly.
# ima: skip measurement of cgroupfs files and update documentation git cherry-pick 6438de9 -x # ima: cleanup ima_init_policy() a little git cherry-pick 5577857 -x # ima: do not measure or appraise the NSFS filesystem (back to and including 3.19) git cherry-pick cd025f7 -x # evm: labeling pseudo filesystems exception (back to and including 3.17, 3.14) git cherry-pick 5101a18 -x # KEYS: fix "ca_keys=" partial key matching (back to and including 3.18) git cherry-pick f2b3dee -x # ima: fix ima_show_template_data_ascii() (back to and including 3.13) git cherry-pick 45b2613 -x # ima: add support for new "euid" policy condition git cherry-pick 139069e -x # ima: extend "mask" policy matching support git cherry-pick 4351c29 -x # ima: update builtin policies git cherry-pick 24fd03c -x Thanks, Mimi On Fri, 2015-07-03 at 23:01 -0400, Sasha Levin wrote: > From: Mimi Zohar <[email protected]> > > This patch has been added to the 3.18 stable tree. If you have any > objections, please let us know. > > =============== > > [ Upstream commit f2b3dee484f9cee967a54ef05a66866282337519 ] > > The call to asymmetric_key_hex_to_key_id() from ca_keys_setup() > silently fails with -ENOMEM. Instead of dynamically allocating > memory from a __setup function, this patch defines a variable > and calls __asymmetric_key_hex_to_key_id(), a new helper function, > directly. > > This bug was introduced by 'commit 46963b774d44 ("KEYS: Overhaul > key identification when searching for asymmetric keys")'. > > Changelog: > - for clarification, rename hexlen to asciihexlen in > asymmetric_key_hex_to_key_id() > - add size argument to __asymmetric_key_hex_to_key_id() - David Howells > - inline __asymmetric_key_hex_to_key_id() - David Howells > - remove duplicate strlen() calls > > Acked-by: David Howells <[email protected]> > Signed-off-by: Mimi Zohar <[email protected]> > Cc: [email protected] # 3.18 > Signed-off-by: Sasha Levin <[email protected]> > --- > crypto/asymmetric_keys/asymmetric_keys.h | 3 +++ > crypto/asymmetric_keys/asymmetric_type.c | 20 ++++++++++++++------ > crypto/asymmetric_keys/x509_public_key.c | 23 ++++++++++++++++++----- > 3 files changed, 35 insertions(+), 11 deletions(-) > > diff --git a/crypto/asymmetric_keys/asymmetric_keys.h > b/crypto/asymmetric_keys/asymmetric_keys.h > index f973308..3f5b537 100644 > --- a/crypto/asymmetric_keys/asymmetric_keys.h > +++ b/crypto/asymmetric_keys/asymmetric_keys.h > @@ -11,6 +11,9 @@ > > extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char > *id); > > +extern int __asymmetric_key_hex_to_key_id(const char *id, > + struct asymmetric_key_id *match_id, > + size_t hexlen); > static inline > const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key) > { > diff --git a/crypto/asymmetric_keys/asymmetric_type.c > b/crypto/asymmetric_keys/asymmetric_type.c > index bcbbbd7..b0e4ed2 100644 > --- a/crypto/asymmetric_keys/asymmetric_type.c > +++ b/crypto/asymmetric_keys/asymmetric_type.c > @@ -104,6 +104,15 @@ static bool asymmetric_match_key_ids( > return false; > } > > +/* helper function can be called directly with pre-allocated memory */ > +inline int __asymmetric_key_hex_to_key_id(const char *id, > + struct asymmetric_key_id *match_id, > + size_t hexlen) > +{ > + match_id->len = hexlen; > + return hex2bin(match_id->data, id, hexlen); > +} > + > /** > * asymmetric_key_hex_to_key_id - Convert a hex string into a key ID. > * @id: The ID as a hex string. > @@ -111,21 +120,20 @@ static bool asymmetric_match_key_ids( > struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id) > { > struct asymmetric_key_id *match_id; > - size_t hexlen; > + size_t asciihexlen; > int ret; > > if (!*id) > return ERR_PTR(-EINVAL); > - hexlen = strlen(id); > - if (hexlen & 1) > + asciihexlen = strlen(id); > + if (asciihexlen & 1) > return ERR_PTR(-EINVAL); > > - match_id = kmalloc(sizeof(struct asymmetric_key_id) + hexlen / 2, > + match_id = kmalloc(sizeof(struct asymmetric_key_id) + asciihexlen / 2, > GFP_KERNEL); > if (!match_id) > return ERR_PTR(-ENOMEM); > - match_id->len = hexlen / 2; > - ret = hex2bin(match_id->data, id, hexlen / 2); > + ret = __asymmetric_key_hex_to_key_id(id, match_id, asciihexlen / 2); > if (ret < 0) { > kfree(match_id); > return ERR_PTR(-EINVAL); > diff --git a/crypto/asymmetric_keys/x509_public_key.c > b/crypto/asymmetric_keys/x509_public_key.c > index a6c4203..24f17e6 100644 > --- a/crypto/asymmetric_keys/x509_public_key.c > +++ b/crypto/asymmetric_keys/x509_public_key.c > @@ -28,17 +28,30 @@ static bool use_builtin_keys; > static struct asymmetric_key_id *ca_keyid; > > #ifndef MODULE > +static struct { > + struct asymmetric_key_id id; > + unsigned char data[10]; > +} cakey; > + > static int __init ca_keys_setup(char *str) > { > if (!str) /* default system keyring */ > return 1; > > if (strncmp(str, "id:", 3) == 0) { > - struct asymmetric_key_id *p; > - p = asymmetric_key_hex_to_key_id(str + 3); > - if (p == ERR_PTR(-EINVAL)) > - pr_err("Unparsable hex string in ca_keys\n"); > - else if (!IS_ERR(p)) > + struct asymmetric_key_id *p = &cakey.id; > + size_t hexlen = (strlen(str) - 3) / 2; > + int ret; > + > + if (hexlen == 0 || hexlen > sizeof(cakey.data)) { > + pr_err("Missing or invalid ca_keys id\n"); > + return 1; > + } > + > + ret = __asymmetric_key_hex_to_key_id(str + 3, p, hexlen); > + if (ret < 0) > + pr_err("Unparsable ca_keys id hex string\n"); > + else > ca_keyid = p; /* owner key 'id:xxxxxx' */ > } else if (strcmp(str, "builtin") == 0) { > use_builtin_keys = true; -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
