Linux Security Modules development
 help / color / mirror / Atom feed
* [PATCH 0/3] keys: fix keyring assoc-array out-of-bounds read and index inconsistency
@ 2026-07-12  1:44 Michael Bommarito
  2026-07-12  1:44 ` [PATCH 1/3] keys: fix out-of-bounds read in keyring_get_key_chunk() Michael Bommarito
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Michael Bommarito @ 2026-07-12  1:44 UTC (permalink / raw)
  To: David Howells, Jarkko Sakkinen
  Cc: Paul Moore, James Morris, Serge E . Hallyn, Andrew Morton,
	keyrings, linux-security-module, linux-kernel

keyring_get_key_chunk() advances the description read pointer by
level * sizeof(long) past the inline prefix but only bounds-checks the
prefix, so once the associative-array walk reaches a description-level
chunk it reads past the kmemdup(desc, desc_len + 1) description
allocation.  Reaching that depth needs two keys that collide through the
hash, x, type and domain_tag chunks, which an unprivileged add_key(2)
can arrange with a crafted pair of same-type keys.

An unprivileged user can thus read up to sizeof(long) bytes past a
keyring key's description; on kernels built without init-on-alloc the
same collision, read back with KEYCTL_READ, returns uninitialized kernel
slab.

Patch 1 is the memory-safety fix and stands alone.  Patches 2 and 3 fix
two index-key consistency bugs that let the crafted keys collide into a
single malformed node in the first place, which is what enables the
KEYCTL_READ disclosure.

The KASAN reproduction is on patch 1. Trigger is available off-list.

Michael Bommarito (3):
  keys: fix out-of-bounds read in keyring_get_key_chunk()
  keys: make keyring key-chunk byte order agree with
    keyring_diff_objects()
  assoc_array: trim the final shortcut word when skip_to_level is
    chunk-aligned

 lib/assoc_array.c       |  2 +-
 security/keys/keyring.c | 15 ++++++++-------
 2 files changed, 9 insertions(+), 8 deletions(-)


base-commit: 2c7c88a412aa6d09cd04b414211b4ef8553b5309
--
2.53.0


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-07-14  2:11 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-12  1:44 [PATCH 0/3] keys: fix keyring assoc-array out-of-bounds read and index inconsistency Michael Bommarito
2026-07-12  1:44 ` [PATCH 1/3] keys: fix out-of-bounds read in keyring_get_key_chunk() Michael Bommarito
2026-07-12  1:44 ` [PATCH 2/3] keys: make keyring key-chunk byte order agree with keyring_diff_objects() Michael Bommarito
2026-07-12  1:45 ` [PATCH 3/3] assoc_array: trim the final shortcut word when skip_to_level is chunk-aligned Michael Bommarito
2026-07-14  2:11 ` [PATCH 0/3] keys: fix keyring assoc-array out-of-bounds read and index inconsistency Andrew Morton

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox