[PATCH] KEYS: asymmetric: fix OOB read in KEYCTL_PKEY

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] KEYS: asymmetric: fix OOB read in KEYCTL_PKEY_DECRYPT on zero-length message
@ 2026-06-22  2:50 azraelxuemo
  2026-06-23  9:26 ` Lukas Wunner
  0 siblings, 1 reply; 2+ messages in thread
From: azraelxuemo @ 2026-06-22  2:50 UTC (permalink / raw)
  To: linux-crypto; +Cc: herbert, dhowells, HanQuan

From: HanQuan <eilaimemedsnaimel@gmail.com>

In software_key_eds_op(), the condition

    if (!issig && ret == 0)
        ret = crypto_akcipher_maxsize(tfm);

replaces ret with the key size when crypto_akcipher_sync_decrypt()
returns 0.  This was added as a workaround for encrypt, where
crypto_akcipher_sync_encrypt() returns 0 on success (it lacks the
"?:" data.dlen" tail that sync_decrypt has).  However, for decrypt,
ret == 0 is legitimate: pkcs1pad_decrypt_complete() sets
req->dst_len = 0 for a zero-length PKCS#1 message, causing
crypto_akcipher_sync_decrypt() to return 0 via "0 ?: data.dlen".

When ret is replaced with maxsize, the caller keyctl_pkey_e_d_s()
does copy_to_user(_out, out, ret) with ret = key_size (e.g. 256
for RSA-2048) on a buffer allocated with kmalloc(params.out_len),
which can be as small as 1 byte.  This reads key_size - out_len
bytes beyond the allocation.

Restrict the maxsize substitution to the encrypt operation only,
where ret == 0 genuinely indicates success and the full key size
is the correct output length.

Fixes: 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists")
Signed-off-by: HanQuan <eilaimemedsnaimel@gmail.com>
---
 crypto/asymmetric_keys/public_key.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
index 09a0b83d5d77..2c3ac75ec92b 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -358,7 +358,10 @@ static int software_key_eds_op(struct kernel_pkey_params *params,
 		BUG();
 	}

-	if (!issig && ret == 0)
+	/* Decrypt may legitimately return 0 (zero-length message); only
+	 * replace ret with maxsize for encrypt, which returns 0 on success.
+	 */
+	if (!issig && ret == 0 && params->op == kernel_pkey_encrypt)
 		ret = crypto_akcipher_maxsize(tfm);

 error_free_tfm:
-- 
2.43.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] KEYS: asymmetric: fix OOB read in KEYCTL_PKEY_DECRYPT on zero-length message
  2026-06-22  2:50 [PATCH] KEYS: asymmetric: fix OOB read in KEYCTL_PKEY_DECRYPT on zero-length message azraelxuemo
@ 2026-06-23  9:26 ` Lukas Wunner
  0 siblings, 0 replies; 2+ messages in thread
From: Lukas Wunner @ 2026-06-23  9:26 UTC (permalink / raw)
  To: azraelxuemo
  Cc: linux-crypto, herbert, dhowells, Ignat Korchagin, Jarkko Sakkinen,
	keyrings

[cc += Ignat, Jarkko, keyrings; start of thread is here:
https://lore.kernel.org/r/20260622025002.798934-1-xuemo@xuemo.com
]

On Mon, Jun 22, 2026 at 02:50:02AM +0000, azraelxuemo wrote:
> When ret is replaced with maxsize, the caller keyctl_pkey_e_d_s()
> does copy_to_user(_out, out, ret) with ret = key_size (e.g. 256
> for RSA-2048) on a buffer allocated with kmalloc(params.out_len),
> which can be as small as 1 byte.  This reads key_size - out_len
> bytes beyond the allocation.

It would probably make sense to tighten security in keyctl_pkey_e_d_s()
by using kzalloc() instead of kmalloc() and by capping the amount of
data copied with min(ret, params.out_len).

> Fixes: 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists")
> Signed-off-by: HanQuan <eilaimemedsnaimel@gmail.com>

Please add:

Cc: stable@vger.kernel.org # v6.5+

You don't need to cc that address when submitting the patch,
but including the tag in the commit message helps stable
maintainers identify patches that need backporting.

> +++ b/crypto/asymmetric_keys/public_key.c
> @@ -358,7 +358,10 @@ static int software_key_eds_op(struct kernel_pkey_params *params,
>  		BUG();
>  	}
>  
> -	if (!issig && ret == 0)
> +	/* Decrypt may legitimately return 0 (zero-length message); only
> +	 * replace ret with maxsize for encrypt, which returns 0 on success.
> +	 */
> +	if (!issig && ret == 0 && params->op == kernel_pkey_encrypt)
>  		ret = crypto_akcipher_maxsize(tfm);

Given that out of 3 operations (encrypt, decrypt, sign),
2 already return the size, I think a better approach would be
to let crypto_akcipher_sync_encrypt() return crypto_akcipher_maxsize()
on success, i.e.:

	return crypto_akcipher_sync_prep(&data) ?:
	       crypto_akcipher_sync_post(&data,
-					 crypto_akcipher_encrypt(data.req));
+					 crypto_akcipher_encrypt(data.req)) ?:
+	       crypto_akcipher_maxsize(tfm);

and then remove the if-clause in software_key_eds_op() altogether
which overwrites ret with the maxsize.

Do you agree?

Your patch wasn't cc'ed to all maintainers of this file.
Please double-check that you've checked out Linus' current
master when running scripts/get_maintainer.pl.

Thanks,

Lukas

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-06-23  9:26 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-22  2:50 [PATCH] KEYS: asymmetric: fix OOB read in KEYCTL_PKEY_DECRYPT on zero-length message azraelxuemo
2026-06-23  9:26 ` Lukas Wunner

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.