From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
David Howells <dhowells@redhat.com>,
James Morris <james.l.morris@oracle.com>
Subject: [PATCH 4.4 22/90] KEYS: fix freeing uninitialized memory in key_update()
Date: Mon, 12 Jun 2017 17:25:28 +0200 [thread overview]
Message-ID: <20170612152557.364477179@linuxfoundation.org> (raw)
In-Reply-To: <20170612152556.133240249@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 63a0b0509e700717a59f049ec6e4e04e903c7fe2 upstream.
key_update() freed the key_preparsed_payload even if it was not
initialized first. This would cause a crash if userspace called
keyctl_update() on a key with type like "asymmetric" that has a
->preparse() method but not an ->update() method. Possibly it could
even be triggered for other key types by racing with keyctl_setperm() to
make the KEY_NEED_WRITE check fail (the permission was already checked,
so normally it wouldn't fail there).
Reproducer with key type "asymmetric", given a valid cert.der:
keyctl new_session
keyid=$(keyctl padd asymmetric desc @s < cert.der)
keyctl setperm $keyid 0x3f000000
keyctl update $keyid data
[ 150.686666] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
[ 150.687601] IP: asymmetric_key_free_kids+0x12/0x30
[ 150.688139] PGD 38a3d067
[ 150.688141] PUD 3b3de067
[ 150.688447] PMD 0
[ 150.688745]
[ 150.689160] Oops: 0000 [#1] SMP
[ 150.689455] Modules linked in:
[ 150.689769] CPU: 1 PID: 2478 Comm: keyctl Not tainted 4.11.0-rc4-xfstests-00187-ga9f6b6b8cd2f #742
[ 150.690916] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
[ 150.692199] task: ffff88003b30c480 task.stack: ffffc90000350000
[ 150.692952] RIP: 0010:asymmetric_key_free_kids+0x12/0x30
[ 150.693556] RSP: 0018:ffffc90000353e58 EFLAGS: 00010202
[ 150.694142] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000004
[ 150.694845] RDX: ffffffff81ee3920 RSI: ffff88003d4b0700 RDI: 0000000000000001
[ 150.697569] RBP: ffffc90000353e60 R08: ffff88003d5d2140 R09: 0000000000000000
[ 150.702483] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 150.707393] R13: 0000000000000004 R14: ffff880038a4d2d8 R15: 000000000040411f
[ 150.709720] FS: 00007fcbcee35700(0000) GS:ffff88003fd00000(0000) knlGS:0000000000000000
[ 150.711504] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 150.712733] CR2: 0000000000000001 CR3: 0000000039eab000 CR4: 00000000003406e0
[ 150.714487] Call Trace:
[ 150.714975] asymmetric_key_free_preparse+0x2f/0x40
[ 150.715907] key_update+0xf7/0x140
[ 150.716560] ? key_default_cmp+0x20/0x20
[ 150.717319] keyctl_update_key+0xb0/0xe0
[ 150.718066] SyS_keyctl+0x109/0x130
[ 150.718663] entry_SYSCALL_64_fastpath+0x1f/0xc2
[ 150.719440] RIP: 0033:0x7fcbce75ff19
[ 150.719926] RSP: 002b:00007ffd5d167088 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
[ 150.720918] RAX: ffffffffffffffda RBX: 0000000000404d80 RCX: 00007fcbce75ff19
[ 150.721874] RDX: 00007ffd5d16785e RSI: 000000002866cd36 RDI: 0000000000000002
[ 150.722827] RBP: 0000000000000006 R08: 000000002866cd36 R09: 00007ffd5d16785e
[ 150.723781] R10: 0000000000000004 R11: 0000000000000206 R12: 0000000000404d80
[ 150.724650] R13: 00007ffd5d16784d R14: 00007ffd5d167238 R15: 000000000040411f
[ 150.725447] Code: 83 c4 08 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 85 ff 74 23 55 48 89 e5 53 48 89 fb <48> 8b 3f e8 06 21 c5 ff 48 8b 7b 08 e8 fd 20 c5 ff 48 89 df e8
[ 150.727489] RIP: asymmetric_key_free_kids+0x12/0x30 RSP: ffffc90000353e58
[ 150.728117] CR2: 0000000000000001
[ 150.728430] ---[ end trace f7f8fe1da2d5ae8d ]---
Fixes: 4d8c0250b841 ("KEYS: Call ->free_preparse() even after ->preparse() returns an error")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/key.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -934,12 +934,11 @@ int key_update(key_ref_t key_ref, const
/* the key must be writable */
ret = key_permission(key_ref, KEY_NEED_WRITE);
if (ret < 0)
- goto error;
+ return ret;
/* attempt to update it if supported */
- ret = -EOPNOTSUPP;
if (!key->type->update)
- goto error;
+ return -EOPNOTSUPP;
memset(&prep, 0, sizeof(prep));
prep.data = payload;
next prev parent reply other threads:[~2017-06-12 15:25 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-12 15:25 [PATCH 4.4 00/90] 4.4.72-stable review Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 01/90] bnx2x: Fix Multi-Cos Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 02/90] ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 03/90] cxgb4: avoid enabling napi twice to the same queue Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 04/90] tcp: disallow cwnd undo when switching congestion control Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 05/90] vxlan: fix use-after-free on deletion Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 06/90] ipv6: Fix leak in ipv6_gso_segment() Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 07/90] net: ping: do not abuse udp_poll() Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 08/90] net: ethoc: enable NAPI before poll may be scheduled Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 09/90] net: bridge: start hello timer only if device is up Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 10/90] sparc64: mm: fix copy_tsb to correctly copy huge page TSBs Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 11/90] sparc: Machine description indices can vary Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 12/90] sparc64: reset mm cpumask after wrap Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 13/90] sparc64: combine activate_mm and switch_mm Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 14/90] sparc64: redefine first version Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 15/90] sparc64: add per-cpu mm of secondary contexts Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 16/90] sparc64: new context wrap Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 17/90] sparc64: delete old wrap code Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 18/90] arch/sparc: support NR_CPUS = 4096 Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 19/90] serial: ifx6x60: fix use-after-free on module unload Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 20/90] ptrace: Properly initialize ptracer_cred on fork Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 21/90] KEYS: fix dereferencing NULL payload with nonzero length Greg Kroah-Hartman
2017-06-12 15:25 ` Greg Kroah-Hartman [this message]
2017-06-12 15:25 ` [PATCH 4.4 23/90] crypto: gcm - wait for crypto op not signal safe Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 25/90] nfsd4: fix null dereference on replay Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 26/90] nfsd: Fix up the "supattr_exclcreat" attributes Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 29/90] arm: KVM: Allow unaligned accesses at HYP Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 31/90] dmaengine: usb-dmac: Fix DMAOR AE bit definition Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 32/90] dmaengine: ep93xx: Always start from BASE0 Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 33/90] xen/privcmd: Support correctly 64KB page granularity when mapping memory Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 34/90] xen-netfront: do not cast grant table reference to signed short Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 35/90] xen-netfront: cast grant table reference first to type int Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 36/90] ext4: fix SEEK_HOLE Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 37/90] ext4: keep existing extra fields when inode expands Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 38/90] ext4: fix fdatasync(2) after extent manipulation operations Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 39/90] usb: gadget: f_mass_storage: Serialize wake and sleep execution Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 40/90] usb: chipidea: udc: fix NULL pointer dereference if udc_start failed Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 41/90] usb: chipidea: debug: check before accessing ci_role Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 42/90] staging/lustre/lov: remove set_fs() call from lov_getstripe() Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 43/90] iio: light: ltr501 Fix interchanged als/ps register field Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 44/90] iio: proximity: as3935: fix AS3935_INT mask Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 45/90] drivers: char: random: add get_random_long() Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 46/90] random: properly align get_random_int_hash Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 47/90] stackprotector: Increase the per-task stack canarys random range from 32 bits to 64 bits on 64-bit platforms Greg Kroah-Hartman
2017-06-12 15:41 ` [kernel-hardening] " Jann Horn
2017-06-12 15:45 ` Jann Horn
2017-06-12 15:25 ` [PATCH 4.4 48/90] cpufreq: cpufreq_register_driver() should return -ENODEV if init fails Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 49/90] target: Re-add check to reject control WRITEs with overflow data Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 50/90] drm/msm: Expose our reservation object when exporting a dmabuf Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 51/90] Input: elantech - add Fujitsu Lifebook E546/E557 to force crc_enabled Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 52/90] cpuset: consider dying css as offline Greg Kroah-Hartman
2017-06-12 15:25 ` [PATCH 4.4 53/90] fs: add i_blocksize() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 54/90] ufs: restore proper tail allocation Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 55/90] fix ufs_isblockset() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 56/90] ufs: restore maintaining ->i_blocks Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 57/90] ufs: set correct ->s_maxsize Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 58/90] ufs_extend_tail(): fix the braino in calling conventions of ufs_new_fragments() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 59/90] ufs_getfrag_block(): we only grab ->truncate_mutex on block creation path Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 60/90] cxl: Fix error path on bad ioctl Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 61/90] btrfs: use correct types for page indices in btrfs_page_exists_in_range Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 62/90] btrfs: fix memory leak in update_space_info failure path Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 63/90] KVM: arm/arm64: Handle possible NULL stage2 pud when ageing pages Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 64/90] scsi: qla2xxx: dont disable a not previously enabled PCI device Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 65/90] powerpc/eeh: Avoid use after free in eeh_handle_special_event() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 66/90] powerpc/numa: Fix percpu allocations to be NUMA aware Greg Kroah-Hartman
2017-07-28 13:53 ` Michal Hocko
2017-07-28 22:41 ` Greg Kroah-Hartman
2017-07-31 6:41 ` Michal Hocko
2017-08-03 19:29 ` Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 67/90] powerpc/hotplug-mem: Fix missing endian conversion of aa_index Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 68/90] perf/core: Drop kernel samples even though :u is specified Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 69/90] drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 70/90] drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 71/90] drm/vmwgfx: Make sure backup_handle is always valid Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 72/90] drm/nouveau/tmr: fully separate alarm execution/pending lists Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 73/90] ALSA: timer: Fix race between read and ioctl Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 74/90] ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 75/90] ASoC: Fix use-after-free at card unregistration Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 76/90] drivers: char: mem: Fix wraparound check to allow mappings up to the end Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 77/90] tty: Drop krefs for interrupted tty lock Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 78/90] serial: sh-sci: Fix panic when serial console and DMA are enabled Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 79/90] net: better skb->sender_cpu and skb->napi_id cohabitation Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 80/90] mm: consider memblock reservations for deferred memory initialization sizing Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 81/90] NFS: Ensure we revalidate attributes before using execute_ok() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 82/90] NFSv4: Dont perform cached access checks before weve OPENed the file Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 83/90] Make __xfs_xattr_put_listen preperly report errors Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 84/90] arm64: hw_breakpoint: fix watchpoint matching for tagged pointers Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 85/90] arm64: entry: improve data abort handling of " Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 86/90] RDMA/qib,hfi1: Fix MR reference count leak on write with immediate Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 87/90] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 88/90] usercopy: Adjust tests to deal with SMAP/PAN Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 89/90] arm64: armv8_deprecated: ensure extension of addr Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 4.4 90/90] arm64: ensure extension of smp_store_release value Greg Kroah-Hartman
2017-06-12 21:53 ` [PATCH 4.4 00/90] 4.4.72-stable review Guenter Roeck
2017-06-13 0:45 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170612152557.364477179@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dhowells@redhat.com \
--cc=ebiggers@google.com \
--cc=james.l.morris@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).