* [PATCH] KEYS: fix overflow in keyctl_pkey_params_get_2()
@ 2026-05-31 2:49 Jarkko Sakkinen
2026-05-31 3:25 ` Jarkko Sakkinen
0 siblings, 1 reply; 2+ messages in thread
From: Jarkko Sakkinen @ 2026-05-31 2:49 UTC (permalink / raw)
To: keyringsy
Cc: Jarkko Sakkinen, stable, Alessandro Grupp, David Howells,
Paul Moore, James Morris, Serge E. Hallyn, Denis Kenzior,
Marcel Holtmann, keyrings, linux-security-module, linux-kernel
The length for the internal output buffer is calculated incorrectly, which
can result overflow when a too small buffer is provided.
Fix the bug by allocating internal output with the size of the maximum
length of the cryptographic primitive instead of caller provided size.
Cc: stable@vger.kernel.org # v4.20+
Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
Reported-by: Alessandro Grupp <ale.grpp@gmail.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
Alessandro, please correct if I put the last name correctly (and
sincere apologies if not).
security/keys/keyctl_pkey.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/security/keys/keyctl_pkey.c b/security/keys/keyctl_pkey.c
index 97bc27bbf079..ba150ee2d4a3 100644
--- a/security/keys/keyctl_pkey.c
+++ b/security/keys/keyctl_pkey.c
@@ -138,28 +138,35 @@ static int keyctl_pkey_params_get_2(const struct keyctl_pkey_params __user *_par
if (uparams.in_len > info.max_dec_size ||
uparams.out_len > info.max_enc_size)
return -EINVAL;
+
+ params->out_len = info.max_enc_size;
break;
case KEYCTL_PKEY_DECRYPT:
if (uparams.in_len > info.max_enc_size ||
uparams.out_len > info.max_dec_size)
return -EINVAL;
+
+ params->out_len = info.max_dec_size;
break;
case KEYCTL_PKEY_SIGN:
if (uparams.in_len > info.max_data_size ||
uparams.out_len > info.max_sig_size)
return -EINVAL;
+
+ params->out_len = info.max_sig_size;
break;
case KEYCTL_PKEY_VERIFY:
if (uparams.in_len > info.max_data_size ||
uparams.in2_len > info.max_sig_size)
return -EINVAL;
+
+ params->out_len = info.max_sig_size;
break;
default:
BUG();
}
params->in_len = uparams.in_len;
- params->out_len = uparams.out_len; /* Note: same as in2_len */
return 0;
}
--
2.47.3
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH] KEYS: fix overflow in keyctl_pkey_params_get_2()
2026-05-31 2:49 [PATCH] KEYS: fix overflow in keyctl_pkey_params_get_2() Jarkko Sakkinen
@ 2026-05-31 3:25 ` Jarkko Sakkinen
0 siblings, 0 replies; 2+ messages in thread
From: Jarkko Sakkinen @ 2026-05-31 3:25 UTC (permalink / raw)
To: keyringsy
Cc: stable, Alessandro Grupp, David Howells, Paul Moore, James Morris,
Serge E. Hallyn, Denis Kenzior, Marcel Holtmann, keyrings,
linux-security-module, linux-kernel
On Sun, May 31, 2026 at 05:49:13AM +0300, Jarkko Sakkinen wrote:
> The length for the internal output buffer is calculated incorrectly, which
> can result overflow when a too small buffer is provided.
>
> Fix the bug by allocating internal output with the size of the maximum
> length of the cryptographic primitive instead of caller provided size.
>
> Cc: stable@vger.kernel.org # v4.20+
> Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
> Reported-by: Alessandro Grupp <ale.grpp@gmail.com>
> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Should be available in -next within a day or along the lines so please
be quick with tags/feedback. I'll forward a PR as soon as all is good.
BR, Jarkko
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-05-31 3:25 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-31 2:49 [PATCH] KEYS: fix overflow in keyctl_pkey_params_get_2() Jarkko Sakkinen
2026-05-31 3:25 ` Jarkko Sakkinen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox