diff options
author | Jeremy Cline <jcline@redhat.com> | 2018-06-13 09:38:05 -0400 |
---|---|---|
committer | Jeremy Cline <jcline@redhat.com> | 2018-06-13 09:56:46 -0400 |
commit | ba770669e4daa4fb81a26fd93e3cac2f1dc1a11b (patch) | |
tree | 17bba2684540abbd6a7c4324384dfb9ba1034779 | |
parent | 5240d6a537735738b78ea49ed32fe0f163fd9cfc (diff) | |
download | kernel-ba770669e4daa4fb81a26fd93e3cac2f1dc1a11b.tar.gz kernel-ba770669e4daa4fb81a26fd93e3cac2f1dc1a11b.tar.xz kernel-ba770669e4daa4fb81a26fd93e3cac2f1dc1a11b.zip |
Fix kexec_file_load pefile signature verification (rhbz 1470995)
-rw-r--r-- | kernel.spec | 4 | ||||
-rw-r--r-- | kexec-bzimage-verify-pe-signature-fix.patch | 34 |
2 files changed, 38 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index 899ab2476..c0faa5435 100644 --- a/kernel.spec +++ b/kernel.spec @@ -646,6 +646,9 @@ Patch501: Fix-for-module-sig-verification.patch # rhbz 1431375 Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch +# rhbz 1470995 +Patch503: kexec-bzimage-verify-pe-signature-fix.patch + # In v4.17 # rhbz 1549316 Patch504: ipmi-fixes.patch @@ -1938,6 +1941,7 @@ fi %changelog * Tue Jun 12 2018 Jeremy Cline <jeremy@jcline.org> - Fix a crash in ath10k when bandwidth changes (rhbz 1577106) +- Fix kexec_file_load pefile signature verification (rhbz 1470995) * Tue Jun 12 2018 Justin M. Forbes <jforbes@fedoraproject.org> - Fix CVE-2018-12232 (rhbz 1590215 1590216) diff --git a/kexec-bzimage-verify-pe-signature-fix.patch b/kexec-bzimage-verify-pe-signature-fix.patch new file mode 100644 index 000000000..6c8a51b95 --- /dev/null +++ b/kexec-bzimage-verify-pe-signature-fix.patch @@ -0,0 +1,34 @@ +From: Dave Young <dyoung@redhat.com> + +Fix kexec_file_load pefile signature verification + +Similar with Fix-for-module-sig-verification.patch, kexec_file syscall also +need pass 1UL to verify_pefile_signature so that secondary keys can be used. + +Fedora bug +https://bugzilla.redhat.com/show_bug.cgi?id=1470995 + +Latest upstream effort is below: +https://www.spinics.net/lists/kernel/msg2825184.html + +Ideally this need an upstream fix, but since nobody response we can workaround +it like the module code did. + +Signed-off-by: Dave Young <dyoung@redhat.com> +--- + arch/x86/kernel/kexec-bzimage64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-x86.orig/arch/x86/kernel/kexec-bzimage64.c ++++ linux-x86/arch/x86/kernel/kexec-bzimage64.c +@@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loade + static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) + { + return verify_pefile_signature(kernel, kernel_len, +- NULL, ++ (void *)1UL, + VERIFYING_KEXEC_PE_SIGNATURE); + } + #endif +-- +2.17.0 |