MODSIGN: Make shash allocation failure fatal
This commit is contained in:
parent
d220ad4bb0
commit
2c62d20848
|
@ -1094,6 +1094,7 @@ linux (4.19.37-1) UNRELEASED; urgency=medium
|
||||||
(CVE-2018-12929, CVE-2018-12930, CVE-2018-12931)
|
(CVE-2018-12929, CVE-2018-12930, CVE-2018-12931)
|
||||||
* [x86] platform: Enable INTEL_ATOMISP2_PM as module
|
* [x86] platform: Enable INTEL_ATOMISP2_PM as module
|
||||||
* drivers/firmware/google: Adjust configuration for 4.19
|
* drivers/firmware/google: Adjust configuration for 4.19
|
||||||
|
* MODSIGN: Make shash allocation failure fatal
|
||||||
|
|
||||||
[ YunQiang Su ]
|
[ YunQiang Su ]
|
||||||
* [mips*r6] Re-enable CONFIG_JUMP_LABEL, which has been fixed in upstream.
|
* [mips*r6] Re-enable CONFIG_JUMP_LABEL, which has been fixed in upstream.
|
||||||
|
|
28
debian/patches/features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch
vendored
Normal file
28
debian/patches/features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch
vendored
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
From: Ben Hutchings <ben@decadent.org.uk>
|
||||||
|
Date: Sun, 05 May 2019 13:45:06 +0100
|
||||||
|
Subject: MODSIGN: Make shash allocation failure fatal
|
||||||
|
|
||||||
|
mod_is_hash_blacklisted() currently returns 0 (suceess) if
|
||||||
|
crypto_alloc_shash() fails. This should instead be a fatal error,
|
||||||
|
so unwrap and pass up the error code.
|
||||||
|
|
||||||
|
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||||
|
---
|
||||||
|
--- a/kernel/module_signing.c
|
||||||
|
+++ b/kernel/module_signing.c
|
||||||
|
@@ -51,11 +51,13 @@ static int mod_is_hash_blacklisted(const
|
||||||
|
struct shash_desc *desc;
|
||||||
|
size_t digest_size, desc_size;
|
||||||
|
u8 *digest;
|
||||||
|
- int ret = 0;
|
||||||
|
+ int ret;
|
||||||
|
|
||||||
|
tfm = crypto_alloc_shash("sha256", 0, 0);
|
||||||
|
- if (IS_ERR(tfm))
|
||||||
|
+ if (IS_ERR(tfm)) {
|
||||||
|
+ ret = PTR_ERR(tfm);
|
||||||
|
goto error_return;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
|
||||||
|
digest_size = crypto_shash_digestsize(tfm);
|
|
@ -155,6 +155,7 @@ features/all/db-mok-keyring/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabl
|
||||||
features/all/db-mok-keyring/0002-MODSIGN-load-blacklist-from-MOKx.patch
|
features/all/db-mok-keyring/0002-MODSIGN-load-blacklist-from-MOKx.patch
|
||||||
features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
|
features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
|
||||||
features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch
|
features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch
|
||||||
|
features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch
|
||||||
|
|
||||||
# Security fixes
|
# Security fixes
|
||||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||||
|
|
Loading…
Reference in New Issue