[kernel] Fix occasional EBADMSG from signed modules. (rhbz 804345)

Dave Jones davej at fedoraproject.org
Thu Mar 22 21:28:36 UTC 2012


commit 6d70ea92cc6ae9ba05d71b6018b0de08e393d6ff
Author: Dave Jones <davej at redhat.com>
Date:   Thu Mar 22 17:28:30 2012 -0400

    Fix occasional EBADMSG from signed modules. (rhbz 804345)

 kernel.spec            |    3 +++
 modsign-20111207.patch |   31 +++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index cc18c90..68611e8 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -2336,6 +2336,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Thu Mar 22 2012 Dave Jones <davej at redhat.com>
+- Fix occasional EBADMSG from signed modules. (rhbz 804345)
+
 * Thu Mar 22 2012 Dave Jones <davej at redhat.com> 3.4.0-0.rc0.git1.2
 - Fix dentry hash collisions that prevented boot with selinux enabled (rhbz 805371)
 
diff --git a/modsign-20111207.patch b/modsign-20111207.patch
index 8e43422..5eee17a 100644
--- a/modsign-20111207.patch
+++ b/modsign-20111207.patch
@@ -7359,3 +7359,34 @@ index 5e77c2a..e40f9b68 100644
 -- 
 1.7.9.1
 
+diff --git  a/security/keys/crypto_rsa.c b/security/keys/crypto_rsa.c
+--- a/security/keys/crypto_rsa.c
+--- b/security/keys/crypto_rsa.c
+@@ -219,15 +219,24 @@ 
+ 	kenter("");
+ 
+ 	/* (1) Check the signature size against the public key modulus size */
+-	k = (mpi_get_nbits(key->rsa.n) + 7) / 8;
++	k = mpi_get_nbits(key->rsa.n);
++	tsize = mpi_get_nbits(sig->rsa.s);
+ 
+-	tsize = (mpi_get_nbits(sig->rsa.s) + 7) / 8;
++	/* According to RFC 4880 sec 3.2, length of MPI is computed starting
++	 * from most significant bit.
++	 * So the RFC 3447 sec 8.2.2 size check must be relaxed to conform
++	 * with shorter signatures.
++	 * Fail here only if signature length is longer than modulus size.
++	 */
+ 	pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize);
+-	if (tsize != k) {
++	if (k < tsize) {
+ 		ret = -EBADMSG;
+ 		goto error;
+ 	}
+ 
++	/* Round up to octets */
++	k = (k + 7) / 8;
++
+ 	/* (2b) Apply the RSAVP1 verification primitive to the public key */
+ 	ret = RSAVP1(key, sig->rsa.s, &m);
+ 	if (ret < 0)
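Review bot: The relaxed test `if (k < tsize)` compares bit lengths only, so it does not by itself establish that the signature value is below the modulus, as RFC 3447 requires before verification. That range check presumably lives inside RSAVP1, whose body is not in this hunk, so it should be confirmed and recorded next to the new comment, e.g. `/* s < n itself is enforced by RSAVP1 */`. `tsize` also stays a bit count after `k` is rounded up to octets, so any later use of `tsize` that expects octets needs checking, since the function continues outside the hunk. The `pr_devel` line now prints bit counts under the old labels, and `pr_devel("step 1: bits(n)=%zu bits(S)=%zu\n", k, tsize);` would be clearer. Separately, the embedded patch header has `--- b/security/keys/crypto_rsa.c` where a unified diff expects `+++ b/security/keys/crypto_rsa.c`, and it is worth verifying that the build's patch tool really applies this hunk rather than skipping it.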

