From: Eric Biggers <ebiggers3@gmail.com>
To: stable@vger.kernel.org
Cc: Theodore Ts'o <tytso@mit.edu>, Jaegeuk Kim <jaegeuk@kernel.org>,
David Howells <dhowells@redhat.com>,
Eric Biggers <ebiggers@google.com>
Subject: [PATCH 3/3] fscrypt: fix dereference of NULL user_key_payload
Date: Tue, 24 Oct 2017 12:30:03 -0700 [thread overview]
Message-ID: <20171024193003.58499-3-ebiggers3@gmail.com> (raw)
In-Reply-To: <20171024193003.58499-1-ebiggers3@gmail.com>
From: Eric Biggers <ebiggers@google.com>
commit d60b5b7854c3d135b869f74fb93eaf63cbb1991a upstream. Please apply
to 4.4-stable.
When an fscrypt-encrypted file is opened, we request the file's master
key from the keyrings service as a logon key, then access its payload.
However, a revoked key has a NULL payload, and we failed to check for
this. request_key() *does* skip revoked keys, but there is still a
window where the key can be revoked before we acquire its semaphore.
Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.
Fixes: 88bd6ccdcdd6 ("ext4 crypto: add encryption key management facilities")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: <stable@vger.kernel.org> [v4.1+]
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---
fs/ext4/crypto_key.c | 6 ++++++
fs/f2fs/crypto_key.c | 6 ++++++
2 files changed, 12 insertions(+)
diff --git a/fs/ext4/crypto_key.c b/fs/ext4/crypto_key.c
index 505f8afde57c..9a1bc638abce 100644
--- a/fs/ext4/crypto_key.c
+++ b/fs/ext4/crypto_key.c
@@ -204,6 +204,12 @@ int ext4_get_encryption_info(struct inode *inode)
}
down_read(&keyring_key->sem);
ukp = user_key_payload(keyring_key);
+ if (!ukp) {
+ /* key was revoked before we acquired its semaphore */
+ res = -EKEYREVOKED;
+ up_read(&keyring_key->sem);
+ goto out;
+ }
if (ukp->datalen != sizeof(struct ext4_encryption_key)) {
res = -EINVAL;
up_read(&keyring_key->sem);
diff --git a/fs/f2fs/crypto_key.c b/fs/f2fs/crypto_key.c
index ae49be377b60..7e62889a1d3d 100644
--- a/fs/f2fs/crypto_key.c
+++ b/fs/f2fs/crypto_key.c
@@ -195,6 +195,12 @@ int f2fs_get_encryption_info(struct inode *inode)
}
down_read(&keyring_key->sem);
ukp = user_key_payload(keyring_key);
+ if (!ukp) {
+ /* key was revoked before we acquired its semaphore */
+ res = -EKEYREVOKED;
+ up_read(&keyring_key->sem);
+ goto out;
+ }
if (ukp->datalen != sizeof(struct f2fs_encryption_key)) {
res = -EINVAL;
up_read(&keyring_key->sem);
--
2.15.0.rc0.271.g36b669edcc-goog
next prev parent reply other threads:[~2017-10-24 19:31 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-24 19:30 [PATCH 1/3] f2fs crypto: replace some BUG_ON()'s with error checks Eric Biggers
2017-10-24 19:30 ` [PATCH 2/3] f2fs crypto: add missing locking for keyring_key access Eric Biggers
2017-10-24 19:30 ` Eric Biggers [this message]
2017-10-25 9:39 ` [PATCH 1/3] f2fs crypto: replace some BUG_ON()'s with error checks Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171024193003.58499-3-ebiggers3@gmail.com \
--to=ebiggers3@gmail.com \
--cc=dhowells@redhat.com \
--cc=ebiggers@google.com \
--cc=jaegeuk@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.