From: ebiggers3@gmail.com (Eric Biggers)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 0/7] Fix dereferencing payload of revoked keys
Date: Thu, 28 Sep 2017 14:25:55 -0700
Message-ID: <20170928212602.41744-1-ebiggers3@gmail.com>

From: Eric Biggers <ebiggers@google.com>

This series fixes the various users of the keyrings service that access
a "user" or "logon" key's payload without first checking whether the
payload pointer is NULL, or calling key_validate() while holding the key
semaphore.  Without one of these two checks, a NULL pointer dereference
will occur if the key has been revoked concurrently.  Usually this is
pretty easy to reproduce (in most of the cases even as an unprivileged
user), although it may be unlikely to happen by accident.

Patch 6 also fixes the lack of key length validation in ecryptfs.

These fixes probably will need to be split up between a few different
maintainers, but initially I'm sending the full series so that people
can see the full context of the fixes.

Eric Biggers (7):
  KEYS: encrypted: fix dereference of NULL user_key_payload
  FS-Cache: fix dereference of NULL user_key_payload
  lib/digsig: fix dereference of NULL user_key_payload
  fscrypt: fix dereference of NULL user_key_payload
  ecryptfs: fix dereference of NULL user_key_payload
  ecryptfs: fix out-of-bounds read of key payload
  ecryptfs: move key payload accessor functions into keystore.c

 fs/crypto/keyinfo.c                      |  5 +++
 fs/ecryptfs/ecryptfs_kernel.h            | 44 -------------------
 fs/ecryptfs/keystore.c                   | 73 +++++++++++++++++++++++++++++++-
 fs/fscache/object-list.c                 |  7 +++
 lib/digsig.c                             |  6 +++
 security/keys/encrypted-keys/encrypted.c |  7 +++
 6 files changed, 97 insertions(+), 45 deletions(-)

-- 
2.14.2.822.g60be5d43e6-goog
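
The check pattern the cover letter describes, as an added userspace model that is not code from this series or from the kernel: a reader must treat a NULL payload as "key revoked" and validate the payload length before copying. All `model_*` names are hypothetical, and the choice of -EKEYREVOKED and -EINVAL as return codes is an assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#ifndef EKEYREVOKED
#define EKEYREVOKED 128 /* Linux value, for non-Linux builds */
#endif

/* Userspace model only; every name here is hypothetical, not kernel API. */
struct model_payload {
    size_t datalen;             /* bytes of data[] actually in use */
    unsigned char data[64];
};

struct model_key {
    struct model_payload *payload; /* becomes NULL once the key is revoked */
};

/* Revocation detaches the payload, so later readers observe NULL. */
static void model_revoke(struct model_key *key)
{
    key->payload = NULL;
}

/*
 * Copy exactly `want` bytes of key material into `out`. In the kernel the
 * equivalent read happens with the key semaphore held; this model is
 * single-threaded and only shows the two checks.
 */
static int model_read_key(const struct model_key *key,
                          unsigned char *out, size_t want)
{
    const struct model_payload *p = key->payload;

    if (!p)                       /* key was revoked: do not dereference */
        return -EKEYREVOKED;
    if (p->datalen > sizeof(p->data) || p->datalen != want)
        return -EINVAL;           /* length check before any copy */
    memcpy(out, p->data, want);
    return 0;
}

int main(void)
{
    struct model_payload pl = { 16, { 0 } };  /* constructed sample payload */
    struct model_key key = { &pl };
    unsigned char out[16];
    int before = model_read_key(&key, out, sizeof(out));

    model_revoke(&key);
    return (before == 0 &&
            model_read_key(&key, out, sizeof(out)) == -EKEYREVOKED) ? 0 : 1;
}
```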


Thread overview: 15+ messages
2017-09-28 21:25 Eric Biggers [this message]
2017-09-28 21:25 ` [PATCH 1/7] KEYS: encrypted: fix dereference of NULL user_key_payload Eric Biggers
2017-10-03 10:51   ` James Morris
2017-09-28 21:25 ` [PATCH 2/7] FS-Cache: " Eric Biggers
2017-10-03 10:51   ` James Morris
2017-09-28 21:25 ` [PATCH 3/7] lib/digsig: " Eric Biggers
2017-10-03 10:52   ` James Morris
2017-09-28 21:25 ` [PATCH 4/7] fscrypt: " Eric Biggers
2017-10-03 10:56   ` James Morris
2017-09-28 21:26 ` [PATCH 5/7] ecryptfs: " Eric Biggers
2017-10-03 11:01   ` James Morris
2017-09-28 21:26 ` [PATCH 6/7] ecryptfs: fix out-of-bounds read of key payload Eric Biggers
2017-10-03 11:03   ` James Morris
2017-09-28 21:26 ` [PATCH 7/7] ecryptfs: move key payload accessor functions into keystore.c Eric Biggers
2017-10-03 11:05   ` James Morris
