On Mon, 2022-06-13 at 18:23 +0200, Ben Hutchings wrote:
[...]
> I can confirm that this module does not load, and this means it has an
> invalid signature. The detached signature present in the source
> package seems to be truncated (408 bytes long, where for all other
> modules the detached signature is 411 bytes long).
>
> The amd64 kernel package is also affected, but for a different module
> (xt_l2tp).
>
> Since the truncated signatures are in the source packages, this is a
> problem introduced by the code signing service and will need to be
> fixed there.

I wrote a script to check for short signatures (and other unexpected
things) in detached signature files:
https://salsa.debian.org/kernel-team/kernel-team/-/blob/master/scripts/benh/check-sig-params

I've now run that over all linux-signed-* packages available on
snapshot.debian.org. It found short signatures (in all cases, a raw
signature length of 254 bytes rather than 256 bytes) for the following
binary packages, versions, and files:

linux-image-4.19.0-0.bpo.4-686-pae 4.19.28-2~bpo9+1 lib/modules/4.19.0-0.bpo.4-686-pae/kernel/drivers/usb/storage/ums-realtek.ko
linux-image-4.19.0-0.bpo.4-amd64 4.19.28-2~bpo9+1 lib/modules/4.19.0-0.bpo.4-amd64/kernel/drivers/iio/gyro/bmg160_i2c.ko
linux-image-4.19.0-0.bpo.4-rt-amd64 4.19.28-2~bpo9+1 lib/modules/4.19.0-0.bpo.4-rt-amd64/kernel/drivers/mtd/chips/map_ram.ko
linux-image-4.19.0-0.bpo.5-amd64 4.19.37-4~bpo9+1 lib/modules/4.19.0-0.bpo.5-amd64/kernel/drivers/video/fbdev/via/viafb.ko
linux-image-4.19.0-0.bpo.6-686 4.19.67-2+deb10u1~bpo9+1 lib/modules/4.19.0-0.bpo.6-686/kernel/drivers/media/usb/hackrf/hackrf.ko
linux-image-4.19.0-4-rt-686-pae 4.19.28-1 lib/modules/4.19.0-4-rt-686-pae/kernel/drivers/media/tuners/fc2580.ko
linux-image-4.19.0-4-rt-amd64 4.19.28-1 lib/modules/4.19.0-4-rt-amd64/kernel/drivers/vhost/vringh.ko
linux-image-4.19.0-4-rt-amd64 4.19.28-2 lib/modules/4.19.0-4-rt-amd64/kernel/drivers/vhost/vringh.ko
linux-image-4.19.0-5-686-pae 4.19.37-2 lib/modules/4.19.0-5-686-pae/kernel/drivers/bluetooth/ath3k.ko
linux-image-4.19.0-5-686-pae 4.19.37-3 lib/modules/4.19.0-5-686-pae/kernel/drivers/bluetooth/ath3k.ko
linux-image-4.19.0-5-amd64 4.19.37-1 lib/modules/4.19.0-5-amd64/kernel/drivers/net/wireless/ralink/rt2x00/rt2500usb.ko
linux-image-4.19.0-5-rt-amd64 4.19.37-5+deb10u2 lib/modules/4.19.0-5-rt-amd64/kernel/net/ipv4/tcp_hybla.ko
linux-image-4.19.0-17-686 4.19.194-1 lib/modules/4.19.0-17-686/kernel/drivers/thermal/intel_soc_dts_iosf.ko
linux-image-4.19.0-17-686 4.19.194-2 lib/modules/4.19.0-17-686/kernel/drivers/thermal/intel_soc_dts_iosf.ko
linux-image-4.19.0-17-686 4.19.194-3 lib/modules/4.19.0-17-686/kernel/drivers/thermal/intel_soc_dts_iosf.ko
linux-image-4.19.0-17-amd64 4.19.194-1 lib/modules/4.19.0-17-amd64/kernel/drivers/dma/dw/dw_dmac_core.ko
linux-image-4.19.0-17-amd64 4.19.194-2 lib/modules/4.19.0-17-amd64/kernel/drivers/dma/dw/dw_dmac_core.ko
linux-image-4.19.0-17-amd64 4.19.194-3 lib/modules/4.19.0-17-amd64/kernel/drivers/dma/dw/dw_dmac_core.ko
linux-image-4.19.0-18-rt-686-pae 4.19.208-1 lib/modules/4.19.0-18-rt-686-pae/kernel/drivers/staging/comedi/drivers/jr3_pci.ko
linux-image-4.19.0-19-rt-686-pae 4.19.232-1 lib/modules/4.19.0-19-rt-686-pae/kernel/fs/sysv/sysv.ko
linux-image-4.19.0-20-amd64 4.19.235-1 lib/modules/4.19.0-20-amd64/kernel/sound/pci/echoaudio/snd-indigoio.ko
linux-image-4.19.0-20-rt-arm64 4.19.235-1 lib/modules/4.19.0-20-rt-arm64/kernel/drivers/video/fbdev/arkfb.ko
linux-image-5.2.0-0.bpo.2-amd64 5.2.9-2~bpo10+1 lib/modules/5.2.0-0.bpo.2-amd64/kernel/drivers/input/keyboard/max7359_keypad.ko
linux-image-5.2.0-2-arm64 5.2.9-1 lib/modules/5.2.0-2-arm64/kernel/crypto/cast6_generic.ko
linux-image-5.2.0-2-arm64 5.2.9-2 lib/modules/5.2.0-2-arm64/kernel/crypto/cast6_generic.ko
linux-image-5.2.0-2-rt-686-pae 5.2.9-1 lib/modules/5.2.0-2-rt-686-pae/kernel/drivers/net/ethernet/intel/ixgb/ixgb.ko
linux-image-5.2.0-2-rt-686-pae 5.2.9-2 lib/modules/5.2.0-2-rt-686-pae/kernel/drivers/net/ethernet/intel/ixgb/ixgb.ko
linux-image-5.2.0-3-cloud-amd64 5.2.17-1 lib/modules/5.2.0-3-cloud-amd64/kernel/net/sched/act_skbmod.ko
linux-image-5.3.0-1-amd64 5.3.7-1 lib/modules/5.3.0-1-amd64/kernel/sound/pci/hda/snd-hda-codec-hdmi.ko
linux-image-5.3.0-2-arm64 5.3.9-3 lib/modules/5.3.0-2-arm64/kernel/drivers/usb/gadget/function/u_ether.ko
linux-image-5.3.0-2-cloud-amd64 5.3.9-1 lib/modules/5.3.0-2-cloud-amd64/kernel/fs/nls/nls_koi8-u.ko
linux-image-5.4.0-0.bpo.2-686-pae 5.4.8-1~bpo10+1 lib/modules/5.4.0-0.bpo.2-686-pae/kernel/drivers/net/phy/aquantia.ko
linux-image-5.4.0-0.bpo.4-rt-arm64 5.4.19-1~bpo10+1 lib/modules/5.4.0-0.bpo.4-rt-arm64/kernel/drivers/hwmon/lm73.ko
linux-image-5.4.0-3-cloud-amd64 5.4.13-1 lib/modules/5.4.0-3-cloud-amd64/kernel/net/netfilter/xt_NETMAP.ko
linux-image-5.10.0-0.bpo.9-arm64 5.10.70-1~bpo10+1 lib/modules/5.10.0-0.bpo.9-arm64/kernel/sound/usb/line6/snd-usb-line6.ko
linux-image-5.10.0-0.bpo.11-rt-686-pae 5.10.92-1~bpo10+1 lib/modules/5.10.0-0.bpo.11-rt-686-pae/kernel/net/netfilter/ipset/ip_set_hash_ipmac.ko
linux-image-5.10.0-0.bpo.11-rt-arm64 5.10.92-1~bpo10+1 lib/modules/5.10.0-0.bpo.11-rt-arm64/kernel/drivers/media/pci/cx88/cx8800.ko
linux-image-5.10.0-5-amd64 5.10.24-1 lib/modules/5.10.0-5-amd64/kernel/drivers/net/phy/teranetics.ko
linux-image-5.10.0-5-amd64 5.10.26-1 lib/modules/5.10.0-5-amd64/kernel/drivers/net/phy/teranetics.ko
linux-image-5.10.0-5-rt-686-pae 5.10.24-1 lib/modules/5.10.0-5-rt-686-pae/kernel/drivers/thermal/intel/int340x_thermal/processor_thermal_device.ko
linux-image-5.10.0-5-rt-686-pae 5.10.26-1 lib/modules/5.10.0-5-rt-686-pae/kernel/drivers/thermal/intel/int340x_thermal/processor_thermal_device.ko
linux-image-5.10.0-6-amd64 5.10.28-1 lib/modules/5.10.0-6-amd64/kernel/drivers/media/usb/zr364xx/zr364xx.ko
linux-image-5.10.0-6-amd64 5.10.28-1 lib/modules/5.10.0-6-amd64/kernel/fs/nls/nls_cp852.ko
linux-image-5.10.0-6-rt-arm64 5.10.28-1 lib/modules/5.10.0-6-rt-arm64/kernel/fs/nfs/nfsv3.ko
linux-image-5.10.0-7-rt-686-pae 5.10.38-1 lib/modules/5.10.0-7-rt-686-pae/kernel/drivers/i2c/busses/i2c-pca-platform.ko
linux-image-5.10.0-7-rt-686-pae 5.10.40-1 lib/modules/5.10.0-7-rt-686-pae/kernel/drivers/i2c/busses/i2c-pca-platform.ko
linux-image-5.10.0-11-686 5.10.92-1 lib/modules/5.10.0-11-686/kernel/drivers/platform/x86/intel_int0002_vgpio.ko
linux-image-5.10.0-11-686 5.10.92-2 lib/modules/5.10.0-11-686/kernel/drivers/platform/x86/intel_int0002_vgpio.ko
linux-image-5.10.0-14-686-pae 5.10.113-1 lib/modules/5.10.0-14-686-pae/kernel/drivers/net/wan/hostess_sv11.ko
linux-image-5.10.0-15-686-pae 5.10.120-1 lib/modules/5.10.0-15-686-pae/kernel/lib/crc-itu-t.ko
linux-image-5.10.0-15-amd64 5.10.120-1 lib/modules/5.10.0-15-amd64/kernel/net/netfilter/xt_l2tp.ko
linux-image-5.14.0-0.bpo.2-686 5.14.9-2~bpo11+1 lib/modules/5.14.0-0.bpo.2-686/kernel/drivers/comedi/drivers/usbdux.ko
linux-image-5.14.0-3-686 5.14.12-1 lib/modules/5.14.0-3-686/kernel/drivers/bluetooth/bcm203x.ko
linux-image-5.15.0-0.bpo.2-arm64 5.15.5-2~bpo11+1 lib/modules/5.15.0-0.bpo.2-arm64/kernel/drivers/iio/accel/da311.ko
linux-image-5.15.0-0.bpo.3-rt-amd64 5.15.15-2~bpo11+1 lib/modules/5.15.0-0.bpo.3-rt-amd64/kernel/net/netfilter/xt_HMARK.ko
linux-image-5.15.0-2-rt-arm64 5.15.5-1 lib/modules/5.15.0-2-rt-arm64/kernel/sound/usb/snd-usb-audio.ko
linux-image-5.15.0-2-rt-arm64 5.15.5-2 lib/modules/5.15.0-2-rt-arm64/kernel/sound/usb/snd-usb-audio.ko
linux-image-5.15.0-3-amd64 5.15.15-1 lib/modules/5.15.0-3-amd64/kernel/drivers/net/ethernet/packetengines/hamachi.ko
linux-image-5.15.0-3-amd64 5.15.15-2 lib/modules/5.15.0-3-amd64/kernel/drivers/net/ethernet/packetengines/hamachi.ko
linux-image-5.16.0-2-rt-686-pae 5.16.10-1 lib/modules/5.16.0-2-rt-686-pae/kernel/drivers/watchdog/w83977f_wdt.ko
linux-image-5.16.0-5-amd64 5.16.14-1 lib/modules/5.16.0-5-amd64/kernel/drivers/media/pci/meye/meye.ko
linux-image-5.16.0-5-cloud-arm64 5.16.14-1 lib/modules/5.16.0-5-cloud-arm64/kernel/net/mpls/mpls_iptunnel.ko
linux-image-5.16.0-6-686 5.16.18-1 lib/modules/5.16.0-6-686/kernel/drivers/input/serio/ct82c710.ko
linux-image-5.16.0-6-amd64 5.16.18-1 lib/modules/5.16.0-6-amd64/kernel/drivers/pci/hotplug/cpcihp_zt5550.ko
linux-image-5.16.0-6-rt-arm64 5.16.18-1 lib/modules/5.16.0-6-rt-arm64/kernel/drivers/gpu/drm/tiny/cirrus.ko
linux-image-5.16.0-rc3-rt-arm64 5.16~rc3-1~exp1 lib/modules/5.16.0-rc3-rt-arm64/kernel/drivers/media/dvb-frontends/dib3000mb.ko
linux-image-5.16.0-rc4-686-pae 5.16~rc4-1~exp1 lib/modules/5.16.0-rc4-686-pae/kernel/drivers/video/fbdev/matrox/matroxfb_g450.ko
linux-image-5.16.0-rc4-rt-amd64 5.16~rc4-1~exp1 lib/modules/5.16.0-rc4-rt-amd64/kernel/drivers/i2c/busses/i2c-piix4.ko
linux-image-5.16.0-rc4-rt-amd64 5.16~rc4-1~exp1 lib/modules/5.16.0-rc4-rt-amd64/kernel/drivers/tty/n_gsm.ko
linux-image-5.16.0-rc4-rt-arm64 5.16~rc4-1~exp1 lib/modules/5.16.0-rc4-rt-arm64/kernel/drivers/net/phy/marvell.ko
linux-image-5.16.0-rc5-rt-arm64 5.16~rc5-1~exp1 lib/modules/5.16.0-rc5-rt-arm64/kernel/net/sched/sch_ingress.ko
linux-image-5.16.0-trunk-rt-amd64 5.16.4-1~exp1 lib/modules/5.16.0-trunk-rt-amd64/kernel/drivers/net/usb/qmi_wwan.ko
linux-image-5.17.0-3-686-pae 5.17.11-1 lib/modules/5.17.0-3-686-pae/kernel/net/bridge/netfilter/nft_meta_bridge.ko
linux-image-5.17.0-rc5-rt-686-pae 5.17~rc5-1~exp1 lib/modules/5.17.0-rc5-rt-686-pae/kernel/drivers/ata/sata_sil.ko
linux-image-5.18.0-trunk-cloud-arm64 5.18-1~exp1 lib/modules/5.18.0-trunk-cloud-arm64/kernel/fs/nls/mac-inuit.ko

A significant pattern visible here is a short signature for the same
module in multiple consecutive versions, where the module may have
identical contents. That implies that this is a reproducible issue for
certain inputs that cannot be worked around by re-running the signing
process.

However, I have *not* yet verified that all short signatures really are
invalid.

Ben.

-- 
Ben Hutchings
Tomorrow will be cancelled due to lack of interest.
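
A minimal length check of the kind the message describes, as an added example that is not the check-sig-params script or any Debian code. It assumes the detached signature is DER-encoded PKCS#7 with the raw RSA signature as its last OCTET STRING; the function names and sample blobs are constructed for illustration. Under that assumption a raw signature that is 2 bytes short makes the whole file 3 bytes shorter, matching the 411 versus 408 byte sizes quoted above, because the DER length field of the OCTET STRING also shrinks by one byte.

```python
# Added example; not the check-sig-params script the message links to.
# Assumption: the detached signature is DER (PKCS#7 SignedData) and the raw
# RSA signature is the last primitive OCTET STRING inside it.
EXPECTED_SIG_LEN = 256  # raw length the message reports for normal signatures

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated element or unsupported multi-byte tag")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of data")
    return tag, pos, pos + length

def octet_strings(buf, start=0, end=None):
    """Yield each primitive OCTET STRING, descending into constructed types."""
    pos, end = start, len(buf) if end is None else end
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos)
        if tag & 0x20:          # constructed (SEQUENCE, SET, [n]): recurse
            yield from octet_strings(buf, vstart, vend)
        elif tag == 0x04:       # primitive OCTET STRING
            yield buf[vstart:vend]
        pos = vend

def short_by(blob):
    """Return how many bytes the raw signature falls short of the expected length."""
    values = list(octet_strings(blob))
    if not values:
        raise ValueError("no OCTET STRING found")
    return EXPECTED_SIG_LEN - len(values[-1])

def der(tag, value):
    """Encode one DER element; used only to build the constructed samples."""
    n = len(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + value

def sample(sig_len):
    # Constructed stand-in with PKCS#7-like nesting, not a real signature file.
    sig = b"\xab" * sig_len
    return der(0x30, der(0x02, b"\x01") + der(0x31, der(0x30, der(0x04, sig))))
```
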