* [PATCH] libceph: don't WARN() if user tries to add invalid key
@ 2017-11-07 5:57 Eric Biggers
2017-11-07 8:11 ` Ilya Dryomov
0 siblings, 1 reply; 2+ messages in thread
From: Eric Biggers @ 2017-11-07 5:57 UTC (permalink / raw)
To: Ilya Dryomov, Yan Zheng, Sage Weil, ceph-devel
Cc: netdev, keyrings, Eric Biggers, stable
From: Eric Biggers <ebiggers@google.com>
The WARN_ON(!key->len) in set_secret() in net/ceph/crypto.c is hit if a
user tries to add a key of type "ceph" with an invalid payload as
follows (assuming CONFIG_CEPH_LIB=y):
echo -e -n '\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
| keyctl padd ceph desc @s
This can be hit by fuzzers. As this is merely bad input and not a
kernel bug, replace the WARN_ON() with return -EINVAL.
Fixes: 7af3ea189a9a ("libceph: stop allocating a new cipher on every crypto request")
Cc: <stable@vger.kernel.org> # v4.10+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
net/ceph/crypto.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c
index 489610ac1cdd..bf9d079cbafd 100644
--- a/net/ceph/crypto.c
+++ b/net/ceph/crypto.c
@@ -37,7 +37,9 @@ static int set_secret(struct ceph_crypto_key *key, void *buf)
return -ENOTSUPP;
}
- WARN_ON(!key->len);
+ if (!key->len)
+ return -EINVAL;
+
key->key = kmemdup(buf, key->len, GFP_NOIO);
if (!key->key) {
ret = -ENOMEM;
--
2.15.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] libceph: don't WARN() if user tries to add invalid key
2017-11-07 5:57 [PATCH] libceph: don't WARN() if user tries to add invalid key Eric Biggers
@ 2017-11-07 8:11 ` Ilya Dryomov
0 siblings, 0 replies; 2+ messages in thread
From: Ilya Dryomov @ 2017-11-07 8:11 UTC (permalink / raw)
To: Eric Biggers
Cc: Yan Zheng, Sage Weil, Ceph Development, netdev, keyrings,
Eric Biggers, stable
On Tue, Nov 7, 2017 at 6:57 AM, Eric Biggers <ebiggers3@gmail.com> wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> The WARN_ON(!key->len) in set_secret() in net/ceph/crypto.c is hit if a
> user tries to add a key of type "ceph" with an invalid payload as
> follows (assuming CONFIG_CEPH_LIB=y):
>
> echo -e -n '\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
> | keyctl padd ceph desc @s
>
> This can be hit by fuzzers. As this is merely bad input and not a
> kernel bug, replace the WARN_ON() with return -EINVAL.
>
> Fixes: 7af3ea189a9a ("libceph: stop allocating a new cipher on every crypto request")
> Cc: <stable@vger.kernel.org> # v4.10+
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
> net/ceph/crypto.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c
> index 489610ac1cdd..bf9d079cbafd 100644
> --- a/net/ceph/crypto.c
> +++ b/net/ceph/crypto.c
> @@ -37,7 +37,9 @@ static int set_secret(struct ceph_crypto_key *key, void *buf)
> return -ENOTSUPP;
> }
>
> - WARN_ON(!key->len);
> + if (!key->len)
> + return -EINVAL;
> +
> key->key = kmemdup(buf, key->len, GFP_NOIO);
> if (!key->key) {
> ret = -ENOMEM;
Makes sense, applied.
Thanks,
Ilya
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-11-07 8:11 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-11-07 5:57 [PATCH] libceph: don't WARN() if user tries to add invalid key Eric Biggers
2017-11-07 8:11 ` Ilya Dryomov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox