.Keylime policy generation script no longer causes a segmentation fault and core dump
The `create_mb_refstate` script generates policies for measured boot attestation in Keylime. Previously, `create_mb_refstate` incorrectly calculated the data length in the `DevicePath` field. As a consequence, the script tried to access invalid memory using the incorrectly calculated length, which resulted in a segmentation fault and core dump.
This update, which has been published in advisory link:https://errata.devel.redhat.com/advisory/105318[RHBA-2022:105318-02], prevents the segmentation fault when processing the measured boot event log. As a consequence, you can generate a measured boot policy.
DescriptionAnderson Sasaki
2022-11-07 15:18:22 UTC
Created attachment 1922775[details]
base64 encoded binary measured boot log
Description of problem:
Running /usr/share/keylime/create_mb_refstate script with some inputs (e.g. the input provided as an attachment) causes a segmentation fault and core dump.
Version-Release number of selected component (if applicable):
keylime-6.5.1-1.el9_1.x86_64
How reproducible:
Deterministic
Steps to Reproduce:
1. Download the attachment mb_log.b64
2. Decode to a binary file:
$ base 64 -d mb_log.b64 > mb_log.bin
3. Provide the decoded binary as input (may require privileges to access configuration files)
# /usr/share/keylime/create_mb_refstate mb_log.bin mb_refstate.json
Actual results:
Segmentation fault (core dumped)
Expected results:
The scripts execute normally and the output file mb_refstate.json is created
Additional info:
Initially reported upstream as https://github.com/keylime/keylime/issues/1153
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (keylime bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:2307