From: azraelxuemo <eilaimemedsnaimel@gmail.com>
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, dhowells@redhat.com,
HanQuan <eilaimemedsnaimel@gmail.com>
Subject: [PATCH] KEYS: asymmetric: fix OOB read in KEYCTL_PKEY_DECRYPT on zero-length message
Date: Mon, 22 Jun 2026 02:50:02 +0000 [thread overview]
Message-ID: <20260622025002.798934-1-xuemo@xuemo.com> (raw)
From: HanQuan <eilaimemedsnaimel@gmail.com>
In software_key_eds_op(), the condition
if (!issig && ret == 0)
ret = crypto_akcipher_maxsize(tfm);
replaces ret with the key size when crypto_akcipher_sync_decrypt()
returns 0. This was added as a workaround for encrypt, where
crypto_akcipher_sync_encrypt() returns 0 on success (it lacks the
"?:" data.dlen" tail that sync_decrypt has). However, for decrypt,
ret == 0 is legitimate: pkcs1pad_decrypt_complete() sets
req->dst_len = 0 for a zero-length PKCS#1 message, causing
crypto_akcipher_sync_decrypt() to return 0 via "0 ?: data.dlen".
When ret is replaced with maxsize, the caller keyctl_pkey_e_d_s()
does copy_to_user(_out, out, ret) with ret = key_size (e.g. 256
for RSA-2048) on a buffer allocated with kmalloc(params.out_len),
which can be as small as 1 byte. This reads key_size - out_len
bytes beyond the allocation.
Restrict the maxsize substitution to the encrypt operation only,
where ret == 0 genuinely indicates success and the full key size
is the correct output length.
Fixes: 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists")
Signed-off-by: HanQuan <eilaimemedsnaimel@gmail.com>
---
crypto/asymmetric_keys/public_key.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
index 09a0b83d5d77..2c3ac75ec92b 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -358,7 +358,10 @@ static int software_key_eds_op(struct kernel_pkey_params *params,
BUG();
}
- if (!issig && ret == 0)
+ /* Decrypt may legitimately return 0 (zero-length message); only
+ * replace ret with maxsize for encrypt, which returns 0 on success.
+ */
+ if (!issig && ret == 0 && params->op == kernel_pkey_encrypt)
ret = crypto_akcipher_maxsize(tfm);
error_free_tfm:
--
2.43.0
next reply other threads:[~2026-06-22 2:50 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-22 2:50 azraelxuemo [this message]
2026-06-23 9:26 ` [PATCH] KEYS: asymmetric: fix OOB read in KEYCTL_PKEY_DECRYPT on zero-length message Lukas Wunner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260622025002.798934-1-xuemo@xuemo.com \
--to=eilaimemedsnaimel@gmail.com \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox