tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull key handling fixes from James Morris:
"Quoting David Howells:

Here are three miscellaneous fixes:

(1) Fix a panic in some debugging code in PKCS#7. This can only
happen by explicitly inserting a #define DEBUG into the code.

(2) Fix the calculation of the digest length in the PE file parser.
This causes a failure where there should be a success.

(3) Fix the case where an X.509 cert can be added as an asymmetric key
to a trusted keyring with no trust restriction if no AKID is
supplied.

Bugs (1) and (2) aren't particularly problematic, but (3) allows a
security check to be bypassed. Happily, this is a recent regression
and never made it into a released kernel"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
KEYS: Fix for erroneous trust of incorrectly signed X.509 certs
pefile: Fix the failure of calculation for digest
PKCS#7: Fix panic when referring to the empty AKID when DEBUG defined

Linus Torvalds 897473fc 3aa536d9

+8 -3
+6 -1
crypto/asymmetric_keys/mscode_parser.c
··· 124 124 struct pefile_context *ctx = context; 125 125 126 126 ctx->digest = kmemdup(value, vlen, GFP_KERNEL); 127 - return ctx->digest ? 0 : -ENOMEM; 127 + if (!ctx->digest) 128 + return -ENOMEM; 129 + 130 + ctx->digest_len = vlen; 131 + 132 + return 0; 128 133 }
+1 -1
crypto/asymmetric_keys/pkcs7_verify.c
··· 227 227 if (asymmetric_key_id_same(p->id, auth)) 228 228 goto found_issuer_check_skid; 229 229 } 230 - } else { 230 + } else if (sig->auth_ids[1]) { 231 231 auth = sig->auth_ids[1]; 232 232 pr_debug("- want %*phN\n", auth->len, auth->data); 233 233 for (p = pkcs7->certs; p; p = p->next) {
+1 -1
crypto/asymmetric_keys/restrict.c
··· 87 87 88 88 sig = payload->data[asym_auth]; 89 89 if (!sig->auth_ids[0] && !sig->auth_ids[1]) 90 - return 0; 90 + return -ENOKEY; 91 91 92 92 if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid)) 93 93 return -EPERM;