* Patch "KEYS: encrypted: fix dereference of NULL user_key_payload" has been added to the 4.9-stable tree
@ 2017-10-24 8:02 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2017-10-24 8:02 UTC (permalink / raw)
To: ebiggers, dhowells, gregkh, james.l.morris, safford, zohar
Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
KEYS: encrypted: fix dereference of NULL user_key_payload
to the 4.9-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
keys-encrypted-fix-dereference-of-null-user_key_payload.patch
and it can be found in the queue-4.9 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From 13923d0865ca96312197962522e88bc0aedccd74 Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Mon, 9 Oct 2017 12:37:49 -0700
Subject: KEYS: encrypted: fix dereference of NULL user_key_payload
From: Eric Biggers <ebiggers@google.com>
commit 13923d0865ca96312197962522e88bc0aedccd74 upstream.
A key of type "encrypted" references a "master key" which is used to
encrypt and decrypt the encrypted key's payload. However, when we
accessed the master key's payload, we failed to handle the case where
the master key has been revoked, which sets the payload pointer to NULL.
Note that request_key() *does* skip revoked keys, but there is still a
window where the key can be revoked before we acquire its semaphore.
Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.
This was an issue for master keys of type "user" only. Master keys can
also be of type "trusted", but those cannot be revoked.
Fixes: 7e70cb497850 ("keys: add new key-type encrypted")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Safford <safford@us.ibm.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/encrypted-keys/encrypted.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -315,6 +315,13 @@ static struct key *request_user_key(cons
down_read(&ukey->sem);
upayload = user_key_payload(ukey);
+ if (!upayload) {
+ /* key was revoked before we acquired its semaphore */
+ up_read(&ukey->sem);
+ key_put(ukey);
+ ukey = ERR_PTR(-EKEYREVOKED);
+ goto error;
+ }
*master_key = upayload->data;
*master_keylen = upayload->datalen;
error:
Patches currently in stable-queue which might be from ebiggers@google.com are
queue-4.9/lib-digsig-fix-dereference-of-null-user_key_payload.patch
queue-4.9/keys-encrypted-fix-dereference-of-null-user_key_payload.patch
queue-4.9/keys-don-t-let-add_key-update-an-uninstantiated-key.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2017-10-24 8:44 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-10-24 8:02 Patch "KEYS: encrypted: fix dereference of NULL user_key_payload" has been added to the 4.9-stable tree gregkh
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).