diff --git a/patches.kernel.org/6.2.12-091-verify_pefile-relax-wrapper-length-check.patch b/patches.kernel.org/6.2.12-091-verify_pefile-relax-wrapper-length-check.patch new file mode 100644 index 0000000..6038e0c --- /dev/null +++ b/patches.kernel.org/6.2.12-091-verify_pefile-relax-wrapper-length-check.patch @@ -0,0 +1,62 @@ +From: Robbie Harwood +Date: Mon, 20 Feb 2023 12:12:53 -0500 +Subject: [PATCH] verify_pefile: relax wrapper length check +References: bsc#1012628 +Patch-mainline: 6.2.12 +Git-commit: 4fc5c74dde69a7eda172514aaeb5a7df3600adb3 + +[ Upstream commit 4fc5c74dde69a7eda172514aaeb5a7df3600adb3 ] + +The PE Format Specification (section "The Attribute Certificate Table +(Image Only)") states that `dwLength` is to be rounded up to 8-byte +alignment when used for traversal. Therefore, the field is not required +to be an 8-byte multiple in the first place. + +Accordingly, pesign has not performed this alignment since version +0.110. This causes kexec failure on pesign'd binaries with "PEFILE: +Signature wrapper len wrong". Update the comment and relax the check. + +Signed-off-by: Robbie Harwood +Signed-off-by: David Howells +cc: Jarkko Sakkinen +cc: Eric Biederman +cc: Herbert Xu +cc: keyrings@vger.kernel.org +cc: linux-crypto@vger.kernel.org +cc: kexec@lists.infradead.org +Link: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only +Link: https://github.com/rhboot/pesign +Link: https://lore.kernel.org/r/20230220171254.592347-2-rharwood@redhat.com/ # v2 +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + crypto/asymmetric_keys/verify_pefile.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c +index 7553ab18..fe1bb374 100644 +--- a/crypto/asymmetric_keys/verify_pefile.c ++++ b/crypto/asymmetric_keys/verify_pefile.c +@@ -135,11 +135,15 @@ static int pefile_strip_sig_wrapper(const void *pebuf, + pr_debug("sig wrapper = { %x, %x, %x }\n", + wrapper.length, wrapper.revision, wrapper.cert_type); + +- /* Both pesign and sbsign round up the length of certificate table +- * (in optional header data directories) to 8 byte alignment. ++ /* sbsign rounds up the length of certificate table (in optional ++ * header data directories) to 8 byte alignment. However, the PE ++ * specification states that while entries are 8-byte aligned, this is ++ * not included in their length, and as a result, pesign has not ++ * rounded up since 0.110. + */ +- if (round_up(wrapper.length, 8) != ctx->sig_len) { +- pr_debug("Signature wrapper len wrong\n"); ++ if (wrapper.length > ctx->sig_len) { ++ pr_debug("Signature wrapper bigger than sig len (%x > %x)\n", ++ ctx->sig_len, wrapper.length); + return -ELIBBAD; + } + if (wrapper.revision != WIN_CERT_REVISION_2_0) { +-- +2.35.3 + diff --git a/series.conf b/series.conf index 35c0ef3..152be86 100644 --- a/series.conf +++ b/series.conf @@ -2318,6 +2318,7 @@ patches.kernel.org/6.2.12-088-drm-panel-orientation-quirks-Add-quirk-for-Len.patch patches.kernel.org/6.2.12-089-hwmon-peci-cputemp-Fix-miscalculated-DTS-for-S.patch patches.kernel.org/6.2.12-090-hwmon-xgene-Fix-ioremap-and-memremap-leak.patch + patches.kernel.org/6.2.12-091-verify_pefile-relax-wrapper-length-check.patch ######################################################## # Build fixes that apply to the vanilla kernel too.