From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, James Morris <james.l.morris@oracle.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
David Safford <safford@us.ibm.com>,
Eric Biggers <ebiggers@google.com>,
David Howells <dhowells@redhat.com>
Subject: [PATCH 3.18 14/20] KEYS: encrypted: fix dereference of NULL user_key_payload
Date: Tue, 24 Oct 2017 14:57:41 +0200 [thread overview]
Message-ID: <20171024125652.458740330@linuxfoundation.org> (raw)
In-Reply-To: <20171024125651.887979850@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 13923d0865ca96312197962522e88bc0aedccd74 upstream.
A key of type "encrypted" references a "master key" which is used to
encrypt and decrypt the encrypted key's payload. However, when we
accessed the master key's payload, we failed to handle the case where
the master key has been revoked, which sets the payload pointer to NULL.
Note that request_key() *does* skip revoked keys, but there is still a
window where the key can be revoked before we acquire its semaphore.
Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.
This was an issue for master keys of type "user" only. Master keys can
also be of type "trusted", but those cannot be revoked.
Fixes: 7e70cb497850 ("keys: add new key-type encrypted")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Safford <safford@us.ibm.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/encrypted-keys/encrypted.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -315,6 +315,13 @@ static struct key *request_user_key(cons
down_read(&ukey->sem);
upayload = ukey->payload.data;
+ if (!upayload) {
+ /* key was revoked before we acquired its semaphore */
+ up_read(&ukey->sem);
+ key_put(ukey);
+ ukey = ERR_PTR(-EKEYREVOKED);
+ goto error;
+ }
*master_key = upayload->data;
*master_keylen = upayload->datalen;
error:
next prev parent reply other threads:[~2017-10-24 12:58 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-24 12:57 [PATCH 3.18 00/20] 3.18.78-stable review Greg Kroah-Hartman
2017-10-24 12:57 ` [PATCH 3.18 01/20] USB: devio: Revert "USB: devio: Dont corrupt user memory" Greg Kroah-Hartman
2017-10-24 12:57 ` [PATCH 3.18 02/20] USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() Greg Kroah-Hartman
2017-10-24 12:57 ` [PATCH 3.18 03/20] USB: serial: metro-usb: add MS7820 device id Greg Kroah-Hartman
2017-10-24 12:57 ` [PATCH 3.18 04/20] usb: cdc_acm: Add quirk for Elatec TWN3 Greg Kroah-Hartman
2017-10-24 12:57 ` [PATCH 3.18 06/20] usb: hub: Allow reset retry for USB2 devices on connect bounce Greg Kroah-Hartman
2017-10-24 12:57 ` [PATCH 3.18 07/20] can: gs_usb: fix busy loop if no more TX context is available Greg Kroah-Hartman
2017-10-24 12:57 ` [PATCH 3.18 09/20] ALSA: seq: Enable use locking in all configurations Greg Kroah-Hartman
2017-10-24 12:57 ` [PATCH 3.18 10/20] ALSA: hda: Remove superfluous - added by printk conversion Greg Kroah-Hartman
2017-10-24 12:57 ` [PATCH 3.18 11/20] i2c: ismt: Separate I2C block read from SMBus block read Greg Kroah-Hartman
2017-10-24 12:57 ` [PATCH 3.18 12/20] brcmsmac: make some local variables static const to reduce stack size Greg Kroah-Hartman
2017-10-24 12:57 ` [PATCH 3.18 13/20] bus: mbus: fix window size calculation for 4GB windows Greg Kroah-Hartman
2017-10-24 12:57 ` Greg Kroah-Hartman [this message]
2017-10-24 12:57 ` [PATCH 3.18 15/20] lib/digsig: fix dereference of NULL user_key_payload Greg Kroah-Hartman
2017-10-24 12:57 ` [PATCH 3.18 16/20] KEYS: dont let add_key() update an uninstantiated key Greg Kroah-Hartman
2017-10-24 12:57 ` [PATCH 3.18 18/20] parisc: Avoid trashing sr2 and sr3 in LWS code Greg Kroah-Hartman
2017-10-24 12:57 ` [PATCH 3.18 19/20] parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels Greg Kroah-Hartman
2017-10-24 12:57 ` [PATCH 3.18 20/20] af_packet: dont pass empty blocks for PACKET_V3 Greg Kroah-Hartman
2017-10-24 21:27 ` [PATCH 3.18 00/20] 3.18.78-stable review Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171024125652.458740330@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dhowells@redhat.com \
--cc=ebiggers@google.com \
--cc=james.l.morris@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=safford@us.ibm.com \
--cc=stable@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).