Re: [PATCH] KEYS: fix length validation in keyctl_pkey_params_get_2()

linux-crypto.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Jarkko Sakkinen <jarkko@kernel.org>
To: Eric Biggers <ebiggers@kernel.org>
Cc: keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>,
	linux-crypto@vger.kernel.org,
	Marcel Holtmann <marcel@holtmann.org>,
	Denis Kenzior <denkenz@gmail.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH] KEYS: fix length validation in keyctl_pkey_params_get_2()
Date: Sat, 15 Jan 2022 20:45:03 +0200	[thread overview]
Message-ID: <YeMWLyceg4xcwShF@iki.fi> (raw)
In-Reply-To: <20220113200454.72609-1-ebiggers@kernel.org>

On Thu, Jan 13, 2022 at 12:04:54PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> In many cases, keyctl_pkey_params_get_2() is validating the user buffer
> lengths against the wrong algorithm properties.  Fix it to check against
> the correct properties.
> 
> Probably this wasn't noticed before because for all asymmetric keys of
> the "public_key" subtype, max_data_size == max_sig_size == max_enc_size
> == max_dec_size.  However, this isn't necessarily true for the
> "asym_tpm" subtype (it should be, but it's not strictly validated).  Of
> course, future key types could have different values as well.

With a quick look, asym_tpm is TPM 1.x only, which only has 2048-bit RSA
keys.

> Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
> Cc: <stable@vger.kernel.org> # v4.20+
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  security/keys/keyctl_pkey.c | 14 +++++++++++---
>  1 file changed, 11 insertions(+), 3 deletions(-)
> 
> diff --git a/security/keys/keyctl_pkey.c b/security/keys/keyctl_pkey.c
> index 5de0d599a274..97bc27bbf079 100644
> --- a/security/keys/keyctl_pkey.c
> +++ b/security/keys/keyctl_pkey.c
> @@ -135,15 +135,23 @@ static int keyctl_pkey_params_get_2(const struct keyctl_pkey_params __user *_par
>  
>  	switch (op) {
>  	case KEYCTL_PKEY_ENCRYPT:
> +		if (uparams.in_len  > info.max_dec_size ||
> +		    uparams.out_len > info.max_enc_size)
> +			return -EINVAL;
> +		break;
>  	case KEYCTL_PKEY_DECRYPT:
>  		if (uparams.in_len  > info.max_enc_size ||
>  		    uparams.out_len > info.max_dec_size)
>  			return -EINVAL;
>  		break;
>  	case KEYCTL_PKEY_SIGN:
> +		if (uparams.in_len  > info.max_data_size ||
> +		    uparams.out_len > info.max_sig_size)
> +			return -EINVAL;
> +		break;
>  	case KEYCTL_PKEY_VERIFY:
> -		if (uparams.in_len  > info.max_sig_size ||
> -		    uparams.out_len > info.max_data_size)
> +		if (uparams.in_len  > info.max_data_size ||
> +		    uparams.in2_len > info.max_sig_size)
>  			return -EINVAL;
>  		break;
>  	default:
> @@ -151,7 +159,7 @@ static int keyctl_pkey_params_get_2(const struct keyctl_pkey_params __user *_par
>  	}
>  
>  	params->in_len  = uparams.in_len;
> -	params->out_len = uparams.out_len;
> +	params->out_len = uparams.out_len; /* Note: same as in2_len */
>  	return 0;
>  }
>  
> 
> base-commit: feb7a43de5ef625ad74097d8fd3481d5dbc06a59
> -- 
> 2.34.1
> 

/Jarkko

next prev parent reply	other threads:[~2022-01-15 18:45 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-13 20:04 [PATCH] KEYS: fix length validation in keyctl_pkey_params_get_2() Eric Biggers
2022-01-15 18:45 ` Jarkko Sakkinen [this message]
2022-01-15 19:53   ` Eric Biggers
2022-01-15 21:26     ` Jarkko Sakkinen
2022-01-19  0:22       ` Eric Biggers
2022-01-26 14:06         ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YeMWLyceg4xcwShF@iki.fi \
    --to=jarkko@kernel.org \
    --cc=denkenz@gmail.com \
    --cc=dhowells@redhat.com \
    --cc=ebiggers@kernel.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=marcel@holtmann.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).