From: Michael Bommarito <michael.bommarito@gmail.com>
To: David Howells <dhowells@redhat.com>, Jarkko Sakkinen <jarkko@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH v2 0/3] keys: fix keyring assoc-array out-of-bounds read and index inconsistency
Date: Tue, 14 Jul 2026 07:54:48 -0400 [thread overview]
Message-ID: <20260714115451.3773164-1-michael.bommarito@gmail.com> (raw)
An unprivileged keyring whose keys collide through the description-chunk
path can drive assoc_array node splitting into an out-of-bounds slot write.
Patch 1 stops the out-of-bounds read in keyring_get_key_chunk(); patch 2
makes the chunk byte order agree with keyring_diff_objects(); patch 3 fixes
the shortcut-walk trim so the walk cannot be steered down the wrong
descendant.
v2 changes (patch 3 only; patches 1 and 2 are unchanged):
As sashiko pointed out, the v1 patch-3 guard (sc_level + CHUNK >
skip_to_level) fixed the word-aligned leak but wrongly fired for an
unaligned first word whose skip_to_level sits on the next chunk
boundary: shift = skip_to_level & CHUNK_MASK is then 0 and the trim clears
the whole dissimilarity word, making a differing shortcut compare equal. v2
keys the trim on the end of the chunk that contains sc_level,
round_down(sc_level, CHUNK) + CHUNK, which matches a brute-force oracle over
every sc_level/skip_to_level pair; the original round_up guard and the v1
guard each disagree with the oracle in one regime.
v1: https://lore.kernel.org/keyrings/20260712014500.480410-1-michael.bommarito@gmail.com/
Michael Bommarito (3):
keys: fix out-of-bounds read in keyring_get_key_chunk()
keys: make keyring key-chunk byte order agree with keyring_diff_objects()
assoc_array: trim the final shortcut word using the current chunk end
lib/assoc_array.c | 3 ++-
security/keys/keyring.c | 15 ++++++++-------
2 files changed, 10 insertions(+), 8 deletions(-)
--
2.53.0
next reply other threads:[~2026-07-14 11:54 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-14 11:54 Michael Bommarito [this message]
2026-07-14 11:54 ` [PATCH v2 1/3] keys: fix out-of-bounds read in keyring_get_key_chunk() Michael Bommarito
2026-07-18 18:36 ` Jarkko Sakkinen
2026-07-14 11:54 ` [PATCH v2 2/3] keys: make keyring key-chunk byte order agree with keyring_diff_objects() Michael Bommarito
2026-07-18 18:36 ` Jarkko Sakkinen
2026-07-14 11:54 ` [PATCH v2 3/3] assoc_array: trim the final shortcut word using the current chunk end Michael Bommarito
2026-07-18 18:37 ` Jarkko Sakkinen
2026-07-18 18:46 ` Jarkko Sakkinen
2026-07-18 20:35 ` Michael Bommarito
2026-07-18 22:18 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260714115451.3773164-1-michael.bommarito@gmail.com \
--to=michael.bommarito@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.