From: ebiggers3@gmail.com (Eric Biggers)
To: linux-security-module@vger.kernel.org
Subject: [PATCH] KEYS: fix dereferencing NULL payload with nonzero length
Date: Mon, 3 Apr 2017 10:59:29 -0700 [thread overview]
Message-ID: <20170403175929.GB72831@gmail.com> (raw)
In-Reply-To: <3451.1491234402@warthog.procyon.org.uk>
On Mon, Apr 03, 2017 at 04:46:42PM +0100, David Howells wrote:
> Eric Biggers <ebiggers3@gmail.com> wrote:
>
> > - if (_payload) {
> > + if (plen) {
>
> "if (_payload && plen)" would be better.
>
> David
No, that doesn't solve the problem. The problem is that userspace can pass in a
NULL payload with nonzero length, causing the kernel to dereference a NULL
pointer for some key types. For example:
add_key("asymmetric", "desc", NULL, 1000, KEY_SPEC_SESSION_KEYRING)
Results in (assuming CONFIG_X509_CERTIFICATE_PARSER=y):
[ 6.046093] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 6.047781] IP: asn1_ber_decoder+0xe0/0x588
[ 6.048723] PGD 79570067
[ 6.048726] PUD 7a7d4067
[ 6.048999] PMD 0
[ 6.048999]
[ 6.048999] Oops: 0000 [#1] SMP
[ 6.048999] CPU: 0 PID: 2509 Comm: add_key Not tainted 4.11.0-rc5-ext4-00007-g4ad72555b842-dirty #136
[ 6.048999] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 6.048999] task: ffff88007a664640 task.stack: ffffc90000a20000
[ 6.048999] RIP: 0010:asn1_ber_decoder+0xe0/0x588
[ 6.048999] RSP: 0018:ffffc90000a23ce0 EFLAGS: 00010293
[ 6.048999] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 6.048999] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
[ 6.048999] RBP: ffffc90000a23d80 R08: 0000000000000060 R09: ffffffff81a7c510
[ 6.048999] R10: ffffc90000a23c00 R11: 0000000088092f04 R12: 0000000000000000
[ 6.048999] R13: 00000000000003e8 R14: 0000000000000000 R15: 0000000000000000
[ 6.048999] FS: 0000000001af5880(0000) GS:ffff88007f200000(0000) knlGS:0000000000000000
[ 6.048999] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6.048999] CR2: 0000000000000000 CR3: 0000000079566000 CR4: 00000000000006f0
[ 6.048999] Call Trace:
[ 6.048999] ? rcu_read_lock_sched_held+0x40/0x47
[ 6.048999] ? kmem_cache_alloc_trace+0x1eb/0x29b
[ 6.048999] ? x509_cert_parse+0x98/0x19f
[ 6.048999] ? x509_cert_parse+0x98/0x19f
[ 6.048999] x509_cert_parse+0xbc/0x19f
[ 6.048999] x509_key_preparse+0x26/0x190
[ 6.048999] asymmetric_key_preparse+0x3a/0x6a
[ 6.048999] key_create_or_update+0x140/0x39d
[ 6.048999] SyS_add_key+0x157/0x1ac
[ 6.048999] entry_SYSCALL_64_fastpath+0x1f/0xc2
[ 6.048999] RIP: 0033:0x435389
[ 6.048999] RSP: 002b:00007ffd6792ae88 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
[ 6.048999] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000435389
[ 6.048999] RDX: 0000000000000000 RSI: 0000000000493ee4 RDI: 0000000000493ee9
[ 6.048999] RBP: 00007ffd6792ae70 R08: 00000000fffffffd R09: 0000000000000000
[ 6.048999] R10: 00000000000003e8 R11: 0000000000000246 R12: 00007ffd6792af88
[ 6.048999] R13: 00007ffd6792af98 R14: 0000000000000002 R15: 0000000000000000
[ 6.048999] Code: 75 0e 41 88 d2 41 80 e2 01 74 0f 4c 39 eb 75 0a 41 83 e6 fb 48 8b 45 80 eb 97 49 8d 4d ff 48 39 cb 0f 83 1c 03 00 00 49 8d 0c 1f <40> 8a 39 4c 8d 43 01 40 88 7d 8d 83 e7 1f 40 80 ff 1f 0f 84 00
[ 6.048999] RIP: asn1_ber_decoder+0xe0/0x588 RSP: ffffc90000a23ce0
[ 6.048999] CR2: 0000000000000000
[ 6.073968] ---[ end trace d27c036692bbc3da ]---
- Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers3@gmail.com>
To: David Howells <dhowells@redhat.com>
Cc: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
stable@vger.kernel.org
Subject: Re: [PATCH] KEYS: fix dereferencing NULL payload with nonzero length
Date: Mon, 3 Apr 2017 10:59:29 -0700 [thread overview]
Message-ID: <20170403175929.GB72831@gmail.com> (raw)
In-Reply-To: <3451.1491234402@warthog.procyon.org.uk>
On Mon, Apr 03, 2017 at 04:46:42PM +0100, David Howells wrote:
> Eric Biggers <ebiggers3@gmail.com> wrote:
>
> > - if (_payload) {
> > + if (plen) {
>
> "if (_payload && plen)" would be better.
>
> David
No, that doesn't solve the problem. The problem is that userspace can pass in a
NULL payload with nonzero length, causing the kernel to dereference a NULL
pointer for some key types. For example:
add_key("asymmetric", "desc", NULL, 1000, KEY_SPEC_SESSION_KEYRING)
Results in (assuming CONFIG_X509_CERTIFICATE_PARSER=y):
[ 6.046093] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 6.047781] IP: asn1_ber_decoder+0xe0/0x588
[ 6.048723] PGD 79570067
[ 6.048726] PUD 7a7d4067
[ 6.048999] PMD 0
[ 6.048999]
[ 6.048999] Oops: 0000 [#1] SMP
[ 6.048999] CPU: 0 PID: 2509 Comm: add_key Not tainted 4.11.0-rc5-ext4-00007-g4ad72555b842-dirty #136
[ 6.048999] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 6.048999] task: ffff88007a664640 task.stack: ffffc90000a20000
[ 6.048999] RIP: 0010:asn1_ber_decoder+0xe0/0x588
[ 6.048999] RSP: 0018:ffffc90000a23ce0 EFLAGS: 00010293
[ 6.048999] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 6.048999] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
[ 6.048999] RBP: ffffc90000a23d80 R08: 0000000000000060 R09: ffffffff81a7c510
[ 6.048999] R10: ffffc90000a23c00 R11: 0000000088092f04 R12: 0000000000000000
[ 6.048999] R13: 00000000000003e8 R14: 0000000000000000 R15: 0000000000000000
[ 6.048999] FS: 0000000001af5880(0000) GS:ffff88007f200000(0000) knlGS:0000000000000000
[ 6.048999] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6.048999] CR2: 0000000000000000 CR3: 0000000079566000 CR4: 00000000000006f0
[ 6.048999] Call Trace:
[ 6.048999] ? rcu_read_lock_sched_held+0x40/0x47
[ 6.048999] ? kmem_cache_alloc_trace+0x1eb/0x29b
[ 6.048999] ? x509_cert_parse+0x98/0x19f
[ 6.048999] ? x509_cert_parse+0x98/0x19f
[ 6.048999] x509_cert_parse+0xbc/0x19f
[ 6.048999] x509_key_preparse+0x26/0x190
[ 6.048999] asymmetric_key_preparse+0x3a/0x6a
[ 6.048999] key_create_or_update+0x140/0x39d
[ 6.048999] SyS_add_key+0x157/0x1ac
[ 6.048999] entry_SYSCALL_64_fastpath+0x1f/0xc2
[ 6.048999] RIP: 0033:0x435389
[ 6.048999] RSP: 002b:00007ffd6792ae88 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
[ 6.048999] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000435389
[ 6.048999] RDX: 0000000000000000 RSI: 0000000000493ee4 RDI: 0000000000493ee9
[ 6.048999] RBP: 00007ffd6792ae70 R08: 00000000fffffffd R09: 0000000000000000
[ 6.048999] R10: 00000000000003e8 R11: 0000000000000246 R12: 00007ffd6792af88
[ 6.048999] R13: 00007ffd6792af98 R14: 0000000000000002 R15: 0000000000000000
[ 6.048999] Code: 75 0e 41 88 d2 41 80 e2 01 74 0f 4c 39 eb 75 0a 41 83 e6 fb 48 8b 45 80 eb 97 49 8d 4d ff 48 39 cb 0f 83 1c 03 00 00 49 8d 0c 1f <40> 8a 39 4c 8d 43 01 40 88 7d 8d 83 e7 1f 40 80 ff 1f 0f 84 00
[ 6.048999] RIP: asn1_ber_decoder+0xe0/0x588 RSP: ffffc90000a23ce0
[ 6.048999] CR2: 0000000000000000
[ 6.073968] ---[ end trace d27c036692bbc3da ]---
- Eric
next prev parent reply other threads:[~2017-04-03 17:59 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-01 21:34 [PATCH] KEYS: fix dereferencing NULL payload with nonzero length Eric Biggers
2017-04-01 21:34 ` Eric Biggers
2017-04-03 15:46 ` David Howells
2017-04-03 15:46 ` David Howells
2017-04-03 17:59 ` Eric Biggers [this message]
2017-04-03 17:59 ` Eric Biggers
2017-04-03 19:20 ` David Howells
2017-04-03 19:20 ` David Howells
2017-04-03 21:30 ` Eric Biggers
2017-04-03 21:30 ` Eric Biggers
2017-05-31 19:11 ` Eric Biggers
2017-05-31 19:11 ` Eric Biggers
2017-05-31 19:11 ` Eric Biggers
2017-04-17 6:26 ` [LTP] [lkp-robot] [KEYS] bdf7c0f8bf: ltp.add_key02.fail kernel test robot
2017-04-17 6:26 ` kernel test robot
2017-04-17 6:26 ` kernel test robot
2017-04-17 17:29 ` Eric Biggers
2017-04-17 17:29 ` Eric Biggers
2017-04-17 17:29 ` Eric Biggers
2017-04-17 17:29 ` [LTP] " Eric Biggers
2017-04-20 12:57 ` Cyril Hrubis
2017-04-20 12:57 ` Cyril Hrubis
2017-04-20 12:57 ` Cyril Hrubis
2017-04-20 12:57 ` Cyril Hrubis
2017-04-21 4:43 ` Eric Biggers
2017-04-21 4:43 ` Eric Biggers
2017-04-21 4:43 ` Eric Biggers
2017-04-21 4:43 ` Eric Biggers
2017-06-02 13:43 ` David Howells
2017-06-02 13:43 ` David Howells
2017-06-02 13:43 ` David Howells
2017-06-02 13:43 ` David Howells
2017-06-02 13:43 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170403175929.GB72831@gmail.com \
--to=ebiggers3@gmail.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.