From: Linus Torvalds Date: Thu, 21 Feb 2013 16:18:12 +0000 (-0800) Subject: Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux... X-Git-Tag: firefly_0821_release~3680^2~1090 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=33673dcb372b5d8179c22127ca71deb5f3dc7016;p=firefly-linux-kernel-4.4.55.git Merge branch 'next' of git://git./linux/kernel/git/jmorris/linux-security Pull security subsystem updates from James Morris: "This is basically a maintenance update for the TPM driver and EVM/IMA" Fix up conflicts in lib/digsig.c and security/integrity/ima/ima_main.c * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (45 commits) tpm/ibmvtpm: build only when IBM pseries is configured ima: digital signature verification using asymmetric keys ima: rename hash calculation functions ima: use new crypto_shash API instead of old crypto_hash ima: add policy support for file system uuid evm: add file system uuid to EVM hmac tpm_tis: check pnp_acpi_device return code char/tpm/tpm_i2c_stm_st33: drop temporary variable for return value char/tpm/tpm_i2c_stm_st33: remove dead assignment in tpm_st33_i2c_probe char/tpm/tpm_i2c_stm_st33: Remove __devexit attribute char/tpm/tpm_i2c_stm_st33: Don't use memcpy for one byte assignment tpm_i2c_stm_st33: removed unused variables/code TPM: Wait for TPM_ACCESS tpmRegValidSts to go high at startup tpm: Fix cancellation of TPM commands (interrupt mode) tpm: Fix cancellation of TPM commands (polling mode) tpm: Store TPM vendor ID TPM: Work around buggy TPMs that block during continue self test tpm_i2c_stm_st33: fix oops when i2c client is unavailable char/tpm: Use struct dev_pm_ops for power management TPM: STMicroelectronics ST33 I2C BUILD STUFF ... --- 33673dcb372b5d8179c22127ca71deb5f3dc7016 diff --cc lib/digsig.c index dc2be7ed1765,0103c5b9b802..2f31e6a45f0a --- a/lib/digsig.c +++ b/lib/digsig.c @@@ -162,13 -152,9 +152,11 @@@ static int digsig_verify_rsa(struct ke memset(out1, 0, head); memcpy(out1 + head, p, l); + kfree(p); + - err = pkcs_1_v1_5_decode_emsa(out1, len, mblen, out2, &len); - if (err) - goto err; + m = pkcs_1_v1_5_decode_emsa(out1, len, mblen, &len); - if (len != hlen || memcmp(out2, h, hlen)) + if (!m || len != hlen || memcmp(m, h, hlen)) err = -EINVAL; err: diff --cc security/integrity/ima/ima.h index 079a85dc37b2,6e69697fd530..a41c9c18e5e0 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@@ -139,10 -141,9 +141,10 @@@ void ima_delete_rules(void) /* Appraise integrity measurements */ #define IMA_APPRAISE_ENFORCE 0x01 #define IMA_APPRAISE_FIX 0x02 +#define IMA_APPRAISE_MODULES 0x04 #ifdef CONFIG_IMA_APPRAISE - int ima_appraise_measurement(struct integrity_iint_cache *iint, + int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, struct file *file, const unsigned char *filename); int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func); void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file); diff --cc security/integrity/ima/ima_main.c index dba965de90d3,3e751a9743a1..5127afcc4b89 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@@ -291,18 -282,10 +282,15 @@@ EXPORT_SYMBOL_GPL(ima_file_check) */ int ima_module_check(struct file *file) { - int rc = 0; - - if (!file) - return -EACCES; /* INTEGRITY_UNKNOWN */ + if (!file) { - if (ima_appraise & IMA_APPRAISE_MODULES) { +#ifndef CONFIG_MODULE_SIG_FORCE - rc = -EACCES; /* INTEGRITY_UNKNOWN */ ++ if (ima_appraise & IMA_APPRAISE_MODULES) ++ return -EACCES; /* INTEGRITY_UNKNOWN */ +#endif - } - } else - rc = process_measurement(file, file->f_dentry->d_name.name, - MAY_EXEC, MODULE_CHECK); - return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0; ++ return 0; /* We rely on module signature checking */ ++ } + return process_measurement(file, file->f_dentry->d_name.name, + MAY_EXEC, MODULE_CHECK); } static int __init init_ima(void)