forked from pool/s390-tools
Accepting request 777411 from home:markkp:branches:Base:System
- Added s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch (bsc#1163002).
- Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch (bsc#1163570).
- Re-categorized s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch from an IBM patch to a SUSE-maintained patch. (bsc#1162840)
- sign the stage3.bin bootloader stage (bsc#1163524)
- Added s390-tools-sles15sp1-zdev-Also-include-the-ctc-driver-in-the-initrd.patch (bsc#1160373).
- Added s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch (bsc#1162840).
- Added s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch (bsc#1162996).
- Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch (bsc#1163003).

OBS-URL: https://build.opensuse.org/request/show/777411
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=88
parent 5838e20ccc
commit 9d48c28fee
@ -0,0 +1,54 @@
Subject: [PATCH] [BZ 183669] zkey: Fix display of XTS attribute for validate command
From: Ingo Franzki <ifranzki@linux.ibm.com>

Description: zkey: Fix display of XTS attribute for validate command
Symptom: The 'zkey validate' command shows an invalid value for
the XTS attribute.
Problem: Due to a use after free of the secure key, the XTS attribute
is not determined correctly, and is displayed incorrectly.
Function is_xts_key() is called with a secure key that has
already been freed and thus most likely returns false.
This bug has been introduced with feature SEC1717 "Cipher
key support" with commit 298fab68fee8 "zkey: Preparations for
introducing a new key type"
Solution: Free the secure key only after the last use.
Reproduction: Generate an XTS key of type CCA-AESDATA or CCA-AESCIPHER
and then run 'zkey validate'.
Upstream-ID: f75f4aff8f6e4ae148bde858ee1cb7f1066f5f23
Problem-ID: 183669

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
zkey/keystore.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

--- a/zkey/keystore.c
+++ b/zkey/keystore.c
@@ -2516,7 +2516,7 @@ static int _keystore_process_validate(st
size_t clear_key_bitsize;
size_t secure_key_size;
char *apqns = NULL;
- u8 *secure_key;
+ u8 *secure_key = NULL;
int is_old_mk;
int rc, valid;
u64 mkvp;
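Review bot: The `= NULL` initialization of `u8 *secure_key` is required rather than cosmetic once the free moves to the `out:` label: any `goto out` taken before the key has been read would otherwise pass an indeterminate pointer to `free()`. It belongs to the same logical change as the `out:` hunk, so a backport must carry both hunks together; a sentence in the patch description saying so would prevent a partial pick.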
@@ -2550,8 +2550,7 @@ static int _keystore_process_validate(st

rc = get_master_key_verification_pattern(secure_key, secure_key_size,
&mkvp, keystore->verbose);
- free(secure_key);
- if (rc)
+ if (rc != 0)
goto out;

_keystore_print_record(info->rec, name, properties, 1,
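Review bot: The rewrite of `if (rc)` to `if (rc != 0)` is an unrelated style change inside an otherwise minimal bug fix; dropping it keeps the diff to the functional lines and makes the backport easier to review. Removing `free(secure_key)` here is the actual fix: the key was released before `_keystore_print_record(...)`, which according to the description reaches `is_xts_key()` with the already-freed buffer.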
@@ -2577,6 +2576,8 @@ static int _keystore_process_validate(st
info->num_warnings++;

out:
+ if (secure_key != NULL)
+ free(secure_key);
if (apqns != NULL)
free(apqns);
if (apqn_list != NULL)
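Review bot: The `if (secure_key != NULL)` guard before `free(secure_key)` is redundant, since `free(NULL)` is a no-op in C; it does match the `apqns` and `apqn_list` cleanup directly below, so it is a consistency choice rather than a defect. The important property of this hunk is that `secure_key` is now released on exactly one exit path, which is the shape that rules out the use-after-free and double-free class the patch addresses.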
@ -0,0 +1,48 @@
Subject: [PATCH] [BZ 183875] zkey: Fix display of clear key size for CCA-AESCIPHER keys
From: Ingo Franzki <ifranzki@linux.ibm.com>

Description: zkey: Fix display of clear key size for CCA-AESCIPHER keys
Symptom: The 'zkey list' command shows bogus values for the
keys 'Clear key size' for keys of type CCA-AESCIPHER.
Problem: Secure keys of type CCA-AESCIPHER are variable length,
dependent on the effective key size (e.g. 128, 192, or 256
bits). However, the key blob stored is padded to a fixed
length, so that all key blobs of type CCA-AESCIPHER are
the same size, regardless of the effective key bit size.
To code to display the clear key bitsize does not correctly
handle the padding and may treat a non-XTS key like an XTS
key and thus reads past the end of the key blob. This
results in bogus values reported as clear key size.
This bug has been introduced with feature SEC1717 "Cipher
key support" with commit ddde3f354f35 ("zkey: Introduce th
CCA-AESCIPHER key type").
Solution: Correct the handling of key of type CCA-AESCIPHER.
Reproduction: Generate a key of type CCA-AESCIPHER and then run
'zkey list'.
Upstream-ID: 49cbaba302f002aa7f148631a76fc21a3069bc25
Problem-ID: 183875

Upstream-Description:

zkey: Fix display of clear key size for CCA-AESCIPHER keys

Fixes: ddde3f354f35 ("zkey: Introduce the CCA-AESCIPHER key type")
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>


Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
--- a/zkey/pkey.c
+++ b/zkey/pkey.c
@@ -1600,9 +1600,9 @@ int get_key_bit_size(const u8 *key, size
*bitsize = cipherkey->pl - 384;
else
*bitsize = 0; /* Unknown */
- if (key_size > cipherkey->length) {
+ if (key_size == 2 * AESCIPHER_KEY_SIZE) {
cipherkey = (struct aescipherkeytoken *)(key +
- cipherkey->length);
+ AESCIPHER_KEY_SIZE);
if (cipherkey->pfv == 0x00) /* V0 payload */
*bitsize += cipherkey->pl - 384;
}
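Review bot: The old test `key_size > cipherkey->length` compared the whole blob against the first token's own (unpadded) length, which for a padded single-key blob is always true, so a second token was read at the unpadded offset and past the real data; `key_size == 2 * AESCIPHER_KEY_SIZE` together with the fixed `AESCIPHER_KEY_SIZE` offset only treats a blob as XTS when it is exactly two padded tokens long, which matches the padding described above. Consider additionally rejecting any `key_size` that is neither `AESCIPHER_KEY_SIZE` nor twice it before the first token is dereferenced, so a truncated or oversized blob is reported as an error instead of being silently treated as a single key.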
@ -1,3 +1,13 @@
-------------------------------------------------------------------
Tue Feb 18 20:10:50 UTC 2020 - Mark Post <mpost@suse.com>

- Added s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch
(bsc#1163002).
- Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch
(bsc#1163570).
- Re-categorized s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
from an IBM patch to a SUSE-maintained patch. (bsc#1162840)

-------------------------------------------------------------------
Thu Feb 13 13:50:55 UTC 2020 - Marcus Meissner <meissner@suse.com>

@ -13,7 +23,7 @@ Sat Feb 8 02:25:58 UTC 2020 - Mark Post <mpost@suse.com>
- Added s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch
(bsc#1162996).
- Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch
(bsc#1163002).
(bsc#1163003).

-------------------------------------------------------------------
Fri Oct 11 15:30:19 UTC 2019 - Mark Post <mpost@suse.com>
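Review bot: This hunk silently corrects the bug reference of the Feb 8 entry for the XTS-keys patch from bsc#1163002 to bsc#1163003, but the new Feb 18 changelog entry does not mention the correction; a short line there keeps the audit trail intact, since changelog consumers usually read only the newest entry.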
@ -1,7 +1,7 @@
#
# spec file for package s390-tools
#
# Copyright (c) 2020 SUSE LLC
# Copyright (c) 2009-2020 SUSE LLC, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -124,9 +124,10 @@ Patch34: s390-tools-sles15sp2-34-zkey-Add-convert-command-to-convert-keys
Patch35: s390-tools-sles15sp2-35-zkey-Allow-zkey-cryptsetup-setkey-to-set-different-k.patch
Patch36: s390-tools-sles15sp2-zcrypt-CEX7S-exploitation-support.patch
Patch37: s390-tools-sles15sp2-zcryptstats-Add-support-for-CEX7.patch
Patch38: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
Patch39: s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch
Patch40: s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch
Patch38: s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch
Patch39: s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch
Patch40: s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch
Patch41: s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch

# SUSE patches
Patch900: s390-tools-sles12-zipl_boot_msg.patch
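Review bot: Renumbering Patch38 through Patch40 (the zdev patch leaves this block, the two existing zkey fixes shift down by one, and the two new fixes are appended as Patch40 and Patch41) changes which file each `%patchN` line in `%prep` applies; that section is not part of this diff, so confirm it was updated in step, or that the spec applies patches by `%autopatch`/`%autosetup`, otherwise a wrong patch is applied without any build error.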
@ -142,6 +143,7 @@ Patch909: 59-dasd.rules-wait_for.patch
Patch910: s390-tools-sles12-fdasd-skip-partition-check-and-BLKRRPART-ioctl.patch
Patch911: s390-tools-sles15sp2-Close-file-descriptor-when-checking-for-read-only.patch
Patch912: s390-tools-sles15sp1-zdev-Also-include-the-ctc-driver-in-the-initrd.patch
Patch913: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch

BuildRequires: dracut
BuildRequires: fuse-devel
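Review bot: Patch913 re-adds the same zdev file that the previous hunk removes as Patch38, consistent with the changelog's "re-categorized" entry; make sure the old `%patch38` application line is replaced by a `%patch913` one rather than kept alongside it, since applying the same patch twice fails in `%prep`.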