Wind River Support Network

HomeDefectsLIN9-6890
Fixed

LIN9-6890 : PKCS#7 certificate chain verification and certificate blacklisting are broken.

Created: May 22, 2018    Updated: Dec 3, 2018
Resolved Date: Jun 13, 2018
Found In Version: 9.0.0.15
Fix Version: 9.0.0.17
Severity: Severe
Applicable for: Wind River Linux 9
Component/s: Kernel

Description

We are getting a kernel panic due to a known bug https://lkml.org/lkml/2017/11/22/499 

The patch that resolves the panic could be found in the following url: https://patchwork.kernel.org/patch/10243525/ .

Patch comments:
commit 437499eea4291ae9621e8763a41df027c110a1ef upstream.

The X.509 parser mishandles the case where the certificate's signature's
hash algorithm is not available in the crypto API.  In this case,
x509_get_sig_params() doesn't allocate the cert->sig->digest buffer;
this part seems to be intentional.  However,
public_key_verify_signature() is still called via
x509_check_for_self_signed(), which triggers the 'BUG_ON(!sig->digest)'.

Fix this by making public_key_verify_signature() return -ENOPKG if the
hash buffer has not been allocated.

Reproducer when all the CONFIG_CRYPTO_SHA512* options are disabled:

    openssl req -new -sha512 -x509 -batch -nodes -outform der \
        | keyctl padd asymmetric desc @s

Steps to Reproduce

$ git clone --branch WRLINUX_9_LTS_CVE_RCPL0015 /volume/vendor-tools/final/v9.0.0.15/wrlinux-9
$ ./wrlinux-9/setup.sh --accept-eula yes --dl-layers --machines intel-x86-64 --templates feature/initramfs
$ . ./environment-setup-x86_64-wrlinuxsdk-linux
$ . ./oe-init-build-env build

Add kernel config for signing kernel modules in local layer. 
$ cat layers/local/recipes-kernel/linux/linux-windriver_4.8.bbappend
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
SRC_URI += “file://config_baseline.cfg”
$ cat layers/local/recipes-kernel/linux/linux-windriver/config_baseline.cfg
CONFIG_MODULE=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA1=y
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_HASH="sha1"

Create image:
$ bitbake wrlinux-image-glibc-small

Run Qemu
$ tmp/sysroots/x86_64-linux/usr/bin/qemu-system-x86_64 -kernel tmp/deploy/images/intel-x86-64/bzImage-intel-x86-64.bin -append "console=ttyS0,115200 root=/dev/ram0 loglevel=8" -initrd tmp/deploy/images/intel-x86-64/wrlinux-image-initramfs-intel-x86-64.cpio.gz -nographic -k en-us -cpu Nehalem 

Notice “Loading compiled-in X.509 certificates” just before core dump.

Other Downloads


Live chat
Online