Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp345853pxb; Thu, 14 Jan 2021 07:21:36 -0800 (PST) X-Google-Smtp-Source: ABdhPJzfv5t8u5YX34XEIN+nikm+khktV4yzL04jJcXuJEusqh7zErCI44Qfz0RH7VcU2z/ZOUgW X-Received: by 2002:a17:906:9250:: with SMTP id c16mr5702417ejx.355.1610637696509; Thu, 14 Jan 2021 07:21:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610637696; cv=none; d=google.com; s=arc-20160816; b=0SqlsIcDyQfaX+xbtiieCBuTFfUAOeV15iJUaY3AHtgghB5RXEc2AqWVIlaYCrPm63 vpNSi1H17FmhUYG4RD4Xgt7JWRScGU4bkFSAQ5XqUKTJYIYI5Nc1UGLJehpsKrfs0DhP YlmFTptq64dMGkYRjgxM/iFzV/bNTexoatwgIGsmMOJPn4IdZ6IL5ptwDqNgCIJ0YjCt cK3e87b3X7ufCOhscWtZtg+p/um2Q9XoaET9XEBRSuXnIEYp0TbhmqH5msxXQeR03xmY uDfWtKTJkA50ifSdBdy9k9bnwI24UwXeFRXThnLY4sImEcehGyUlkHJxjnok2k+lldMq 3lXQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=97dv9ALTVG2EcFOynLze2voBfWpmnsUWwH8Vl+r4+pY=; b=VgnXuUXGy6S32WXQ/9jAEfPXJLehFjApPzBvm/M2vDCJOD9FGxeya9moBUdV2oO9kR dDvUieWyhtj8cPxXqc/cjaYwtaPEKjPSIJr++T/A7XTqssI+O95rJbwebBhaAg37nYHI RVkLcGQ0UwaUvBIh/Uo+7mQRJ7bHA+6Ny1aNpzBYY7S8D19+FFSjH4SxyHqohLJBHBE9 l41R31LaaswQcPk8slwnip+gTBIy5tEJXgB1RHxt2Atsnlz+ylD9otPt28N9WJFY4LL8 Pnrh69gOrxobkBZfJfgAI8/nHsOjV6xr4+ItzQbnK4qLIIrkTlnw7ZVFEAczwXkfzlfQ lDKg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g16si2706313edq.329.2021.01.14.07.21.17; Thu, 14 Jan 2021 07:21:36 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729261AbhANPU2 (ORCPT + 99 others); Thu, 14 Jan 2021 10:20:28 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47534 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729324AbhANPTx (ORCPT ); Thu, 14 Jan 2021 10:19:53 -0500 Received: from smtp-8fa8.mail.infomaniak.ch (smtp-8fa8.mail.infomaniak.ch [IPv6:2001:1600:4:17::8fa8]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7DC1BC061575 for ; Thu, 14 Jan 2021 07:19:08 -0800 (PST) Received: from smtp-3-0000.mail.infomaniak.ch (unknown [10.4.36.107]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4DGnyy5dGwzMq5Vl; Thu, 14 Jan 2021 16:19:06 +0100 (CET) Received: from localhost (unknown [23.97.221.149]) by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4DGnyy3VPxzlh8T3; Thu, 14 Jan 2021 16:19:06 +0100 (CET) From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= To: David Howells , David Woodhouse , Jarkko Sakkinen Cc: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , "David S . Miller" , Herbert Xu , James Morris , =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , Mimi Zohar , "Serge E . Hallyn" , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Ben Boeckel Subject: [PATCH v3 02/10] certs: Fix blacklisted hexadecimal hash string check Date: Thu, 14 Jan 2021 16:19:01 +0100 Message-Id: <20210114151909.2344974-3-mic@digikod.net> X-Mailer: git-send-email 2.30.0 In-Reply-To: <20210114151909.2344974-1-mic@digikod.net> References: <20210114151909.2344974-1-mic@digikod.net> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Mickaël Salaün When looking for a blacklisted hash, bin2hex() is used to transform a binary hash to an ascii (lowercase) hexadecimal string. This string is then search for in the description of the keys from the blacklist keyring. When adding a key to the blacklist keyring, blacklist_vet_description() checks the hash prefix and the hexadecimal string, but not that this string is lowercase. It is then valid to set hashes with uppercase hexadecimal, which will be silently ignored by the kernel. Add an additional check to blacklist_vet_description() to check that hexadecimal strings are in lowercase. Cc: David Woodhouse Signed-off-by: Mickaël Salaün Signed-off-by: David Howells Reviewed-by: Ben Boeckel --- Changes since v2: * Cherry-pick v1 patch from https://lore.kernel.org/lkml/2659836.1607940186@warthog.procyon.org.uk/ to rebase on v5.11-rc3. * Rearrange Cc order. --- certs/blacklist.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certs/blacklist.c b/certs/blacklist.c index 2719fb2fbc1c..a888b934a1cd 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -37,7 +37,7 @@ static int blacklist_vet_description(const char *desc) found_colon: desc++; for (; *desc; desc++) { - if (!isxdigit(*desc)) + if (!isxdigit(*desc) || isupper(*desc)) return -EINVAL; n++; } -- 2.30.0