Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755323AbcCWOA3 (ORCPT ); Wed, 23 Mar 2016 10:00:29 -0400 Received: from mail-wm0-f45.google.com ([74.125.82.45]:37925 "EHLO mail-wm0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754534AbcCWOA1 (ORCPT ); Wed, 23 Mar 2016 10:00:27 -0400 From: Nicolai Stange To: Herbert Xu Cc: Nicolai Stange , "David S. Miller" , David Howells , Tadeusz Struk , linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument References: <1458512626-2839-1-git-send-email-nicstange@gmail.com> <20160323125912.GA29481@gondor.apana.org.au> Date: Wed, 23 Mar 2016 15:00:24 +0100 In-Reply-To: <20160323125912.GA29481@gondor.apana.org.au> (Herbert Xu's message of "Wed, 23 Mar 2016 20:59:12 +0800") Message-ID: <87zitpl2fb.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.92 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1948 Lines: 45 Herbert Xu writes: > On Sun, Mar 20, 2016 at 11:23:46PM +0100, Nicolai Stange wrote: >> Despite what the DocBook comment to pkcs7_validate_trust() says, the >> *_trusted argument is never set to false. >> >> pkcs7_validate_trust() only positively sets *_trusted upon encountering >> a trusted PKCS#7 SignedInfo block. >> >> This is quite unfortunate since its callers, system_verify_data() for >> example, depend on pkcs7_validate_trust() clearing *_trusted on non-trust. >> >> Indeed, UBSAN splats when attempting to load the uninitialized local >> variable 'trusted' from system_verify_data() in pkcs7_validate_trust(): >> >> UBSAN: Undefined behaviour in crypto/asymmetric_keys/pkcs7_trust.c:194:14 >> load of value 82 is not a valid value for type '_Bool' >> [...] >> Call Trace: >> [] dump_stack+0xbc/0x117 >> [] ? _atomic_dec_and_lock+0x169/0x169 >> [] ubsan_epilogue+0xd/0x4e >> [] __ubsan_handle_load_invalid_value+0x111/0x158 >> [] ? val_to_string.constprop.12+0xcf/0xcf >> [] ? x509_request_asymmetric_key+0x114/0x370 >> [] ? kfree+0x220/0x370 >> [] ? public_key_verify_signature_2+0x32/0x50 >> [] pkcs7_validate_trust+0x524/0x5f0 >> [] system_verify_data+0xca/0x170 >> [] ? top_trace_array+0x9b/0x9b >> [] ? __vfs_read+0x279/0x3d0 >> [] mod_verify_sig+0x1ff/0x290 >> [...] >> >> The implication is that pkcs7_validate_trust() effectively grants trust >> when it really shouldn't have. >> >> Fix this by explicitly setting *_trusted to false at the very beginning >> of pkcs7_validate_trust(). >> >> Signed-off-by: Nicolai Stange > > Patch applied. Thanks! Thank you very much!