[PATCH] KEYS: reject NULL restriction string when type is specified

[PATCH] KEYS: reject NULL restriction string when type is specified

[Eric Biggers]

From: Eric Biggers <ebiggers@google.com>

keyctl_restrict_keyring() allows through a NULL restriction when the
"type" is non-NULL, which causes a NULL pointer dereference in
asymmetric_lookup_restriction() when it calls strcmp() on the
restriction string.

But no key types actually use a "NULL restriction" to mean anything, so
update keyctl_restrict_keyring() to reject it with EINVAL.

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 97d3aa0f3134 ("KEYS: Add a lookup_restriction function for the asymmetric key type")
Cc: <stable@vger.kernel.org> # v4.12+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 security/keys/keyctl.c | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 76d22f726ae4..1ffe60bb2845 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1588,9 +1588,8 @@ long keyctl_session_to_parent(void)
  * The caller must have Setattr permission to change keyring restrictions.
  *
  * The requested type name may be a NULL pointer to reject all attempts
- * to link to the keyring. If _type is non-NULL, _restriction can be
- * NULL or a pointer to a string describing the restriction. If _type is
- * NULL, _restriction must also be NULL.
+ * to link to the keyring.  In this case, _restriction must also be NULL.
+ * Otherwise, both _type and _restriction must be non-NULL.
  *
  * Returns 0 if successful.
  */
@@ -1598,7 +1597,6 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
 			     const char __user *_restriction)
 {
 	key_ref_t key_ref;
-	bool link_reject = !_type;
 	char type[32];
 	char *restriction = NULL;
 	long ret;
@@ -1607,31 +1605,29 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
 	if (IS_ERR(key_ref))
 		return PTR_ERR(key_ref);
 
+	ret = -EINVAL;
 	if (_type) {
-		ret = key_get_type_from_user(type, _type, sizeof(type));
-		if (ret < 0)
+		if (!_restriction)
 			goto error;
-	}
 
-	if (_restriction) {
-		if (!_type) {
-			ret = -EINVAL;
+		ret = key_get_type_from_user(type, _type, sizeof(type));
+		if (ret < 0)
 			goto error;
-		}
 
 		restriction = strndup_user(_restriction, PAGE_SIZE);
 		if (IS_ERR(restriction)) {
 			ret = PTR_ERR(restriction);
 			goto error;
 		}
+	} else {
+		if (_restriction)
+			goto error;
 	}
 
-	ret = keyring_restrict(key_ref, link_reject ? NULL : type, restriction);
+	ret = keyring_restrict(key_ref, _type ? type : NULL, restriction);
 	kfree(restriction);
-
 error:
 	key_ref_put(key_ref);
-
 	return ret;
 }
 
-- 
2.15.0.531.g2ccb3012c9-goog

[PATCH] KEYS: reject NULL restriction string when type is specified

[Eric Biggers]

From: Eric Biggers <ebiggers@google.com>

keyctl_restrict_keyring() allows through a NULL restriction when the
"type" is non-NULL, which causes a NULL pointer dereference in
asymmetric_lookup_restriction() when it calls strcmp() on the
restriction string.

But no key types actually use a "NULL restriction" to mean anything, so
update keyctl_restrict_keyring() to reject it with EINVAL.

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 97d3aa0f3134 ("KEYS: Add a lookup_restriction function for the asymmetric key type")
Cc: <stable@vger.kernel.org> # v4.12+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 security/keys/keyctl.c | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 76d22f726ae4..1ffe60bb2845 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1588,9 +1588,8 @@ long keyctl_session_to_parent(void)
  * The caller must have Setattr permission to change keyring restrictions.
  *
  * The requested type name may be a NULL pointer to reject all attempts
- * to link to the keyring. If _type is non-NULL, _restriction can be
- * NULL or a pointer to a string describing the restriction. If _type is
- * NULL, _restriction must also be NULL.
+ * to link to the keyring.  In this case, _restriction must also be NULL.
+ * Otherwise, both _type and _restriction must be non-NULL.
  *
  * Returns 0 if successful.
  */
@@ -1598,7 +1597,6 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
 			     const char __user *_restriction)
 {
 	key_ref_t key_ref;
-	bool link_reject = !_type;
 	char type[32];
 	char *restriction = NULL;
 	long ret;
@@ -1607,31 +1605,29 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
 	if (IS_ERR(key_ref))
 		return PTR_ERR(key_ref);
 
+	ret = -EINVAL;
 	if (_type) {
-		ret = key_get_type_from_user(type, _type, sizeof(type));
-		if (ret < 0)
+		if (!_restriction)
 			goto error;
-	}
 
-	if (_restriction) {
-		if (!_type) {
-			ret = -EINVAL;
+		ret = key_get_type_from_user(type, _type, sizeof(type));
+		if (ret < 0)
 			goto error;
-		}
 
 		restriction = strndup_user(_restriction, PAGE_SIZE);
 		if (IS_ERR(restriction)) {
 			ret = PTR_ERR(restriction);
 			goto error;
 		}
+	} else {
+		if (_restriction)
+			goto error;
 	}
 
-	ret = keyring_restrict(key_ref, link_reject ? NULL : type, restriction);
+	ret = keyring_restrict(key_ref, _type ? type : NULL, restriction);
 	kfree(restriction);
-
 error:
 	key_ref_put(key_ref);
-
 	return ret;
 }
 
-- 
2.15.0.531.g2ccb3012c9-goog

[PATCH] KEYS: reject NULL restriction string when type is specified

[Eric Biggers]

From: Eric Biggers <ebiggers@google.com>

keyctl_restrict_keyring() allows through a NULL restriction when the
"type" is non-NULL, which causes a NULL pointer dereference in
asymmetric_lookup_restriction() when it calls strcmp() on the
restriction string.

But no key types actually use a "NULL restriction" to mean anything, so
update keyctl_restrict_keyring() to reject it with EINVAL.

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 97d3aa0f3134 ("KEYS: Add a lookup_restriction function for the asymmetric key type")
Cc: <stable@vger.kernel.org> # v4.12+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 security/keys/keyctl.c | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 76d22f726ae4..1ffe60bb2845 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1588,9 +1588,8 @@ long keyctl_session_to_parent(void)
  * The caller must have Setattr permission to change keyring restrictions.
  *
  * The requested type name may be a NULL pointer to reject all attempts
- * to link to the keyring. If _type is non-NULL, _restriction can be
- * NULL or a pointer to a string describing the restriction. If _type is
- * NULL, _restriction must also be NULL.
+ * to link to the keyring.  In this case, _restriction must also be NULL.
+ * Otherwise, both _type and _restriction must be non-NULL.
  *
  * Returns 0 if successful.
  */
@@ -1598,7 +1597,6 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
 			     const char __user *_restriction)
 {
 	key_ref_t key_ref;
-	bool link_reject = !_type;
 	char type[32];
 	char *restriction = NULL;
 	long ret;
@@ -1607,31 +1605,29 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
 	if (IS_ERR(key_ref))
 		return PTR_ERR(key_ref);
 
+	ret = -EINVAL;
 	if (_type) {
-		ret = key_get_type_from_user(type, _type, sizeof(type));
-		if (ret < 0)
+		if (!_restriction)
 			goto error;
-	}
 
-	if (_restriction) {
-		if (!_type) {
-			ret = -EINVAL;
+		ret = key_get_type_from_user(type, _type, sizeof(type));
+		if (ret < 0)
 			goto error;
-		}
 
 		restriction = strndup_user(_restriction, PAGE_SIZE);
 		if (IS_ERR(restriction)) {
 			ret = PTR_ERR(restriction);
 			goto error;
 		}
+	} else {
+		if (_restriction)
+			goto error;
 	}
 
-	ret = keyring_restrict(key_ref, link_reject ? NULL : type, restriction);
+	ret = keyring_restrict(key_ref, _type ? type : NULL, restriction);
 	kfree(restriction);
-
 error:
 	key_ref_put(key_ref);
-
 	return ret;
 }
 
-- 
2.15.0.531.g2ccb3012c9-goog

Re: [PATCH] KEYS: reject NULL restriction string when type is specified

[Mat Martineau]

Eric,

On Thu, 30 Nov 2017, Eric Biggers wrote:

> From: Eric Biggers <ebiggers@google.com>
>
> keyctl_restrict_keyring() allows through a NULL restriction when the
> "type" is non-NULL, which causes a NULL pointer dereference in
> asymmetric_lookup_restriction() when it calls strcmp() on the
> restriction string.
>
> But no key types actually use a "NULL restriction" to mean anything, so
> update keyctl_restrict_keyring() to reject it with EINVAL.

Since this fixes the bug for the asymmetric key type and ensures that 
other key types won't make the same mistake, I agree this is the way to 
fix it. I did not find any issues in the patch.

Thanks,

Mat


> Reported-by: syzbot <syzkaller@googlegroups.com>
> Fixes: 97d3aa0f3134 ("KEYS: Add a lookup_restriction function for the asymmetric key type")
> Cc: <stable@vger.kernel.org> # v4.12+
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
> security/keys/keyctl.c | 24 ++++++++++--------------
> 1 file changed, 10 insertions(+), 14 deletions(-)
>
> diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
> index 76d22f726ae4..1ffe60bb2845 100644
> --- a/security/keys/keyctl.c
> +++ b/security/keys/keyctl.c
> @@ -1588,9 +1588,8 @@ long keyctl_session_to_parent(void)
>  * The caller must have Setattr permission to change keyring restrictions.
>  *
>  * The requested type name may be a NULL pointer to reject all attempts
> - * to link to the keyring. If _type is non-NULL, _restriction can be
> - * NULL or a pointer to a string describing the restriction. If _type is
> - * NULL, _restriction must also be NULL.
> + * to link to the keyring.  In this case, _restriction must also be NULL.
> + * Otherwise, both _type and _restriction must be non-NULL.
>  *
>  * Returns 0 if successful.
>  */
> @@ -1598,7 +1597,6 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
> 			     const char __user *_restriction)
> {
> 	key_ref_t key_ref;
> -	bool link_reject = !_type;
> 	char type[32];
> 	char *restriction = NULL;
> 	long ret;
> @@ -1607,31 +1605,29 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
> 	if (IS_ERR(key_ref))
> 		return PTR_ERR(key_ref);
>
> +	ret = -EINVAL;
> 	if (_type) {
> -		ret = key_get_type_from_user(type, _type, sizeof(type));
> -		if (ret < 0)
> +		if (!_restriction)
> 			goto error;
> -	}
>
> -	if (_restriction) {
> -		if (!_type) {
> -			ret = -EINVAL;
> +		ret = key_get_type_from_user(type, _type, sizeof(type));
> +		if (ret < 0)
> 			goto error;
> -		}
>
> 		restriction = strndup_user(_restriction, PAGE_SIZE);
> 		if (IS_ERR(restriction)) {
> 			ret = PTR_ERR(restriction);
> 			goto error;
> 		}
> +	} else {
> +		if (_restriction)
> +			goto error;
> 	}
>
> -	ret = keyring_restrict(key_ref, link_reject ? NULL : type, restriction);
> +	ret = keyring_restrict(key_ref, _type ? type : NULL, restriction);
> 	kfree(restriction);
> -
> error:
> 	key_ref_put(key_ref);
> -
> 	return ret;
> }
>
> -- 
> 2.15.0.531.g2ccb3012c9-goog
>
>

Re: [PATCH] KEYS: reject NULL restriction string when type is specified

[Mat Martineau]

Eric,

On Thu, 30 Nov 2017, Eric Biggers wrote:

> From: Eric Biggers <ebiggers@google.com>
>
> keyctl_restrict_keyring() allows through a NULL restriction when the
> "type" is non-NULL, which causes a NULL pointer dereference in
> asymmetric_lookup_restriction() when it calls strcmp() on the
> restriction string.
>
> But no key types actually use a "NULL restriction" to mean anything, so
> update keyctl_restrict_keyring() to reject it with EINVAL.

Since this fixes the bug for the asymmetric key type and ensures that 
other key types won't make the same mistake, I agree this is the way to 
fix it. I did not find any issues in the patch.

Thanks,

Mat


> Reported-by: syzbot <syzkaller@googlegroups.com>
> Fixes: 97d3aa0f3134 ("KEYS: Add a lookup_restriction function for the asymmetric key type")
> Cc: <stable@vger.kernel.org> # v4.12+
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
> security/keys/keyctl.c | 24 ++++++++++--------------
> 1 file changed, 10 insertions(+), 14 deletions(-)
>
> diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
> index 76d22f726ae4..1ffe60bb2845 100644
> --- a/security/keys/keyctl.c
> +++ b/security/keys/keyctl.c
> @@ -1588,9 +1588,8 @@ long keyctl_session_to_parent(void)
>  * The caller must have Setattr permission to change keyring restrictions.
>  *
>  * The requested type name may be a NULL pointer to reject all attempts
> - * to link to the keyring. If _type is non-NULL, _restriction can be
> - * NULL or a pointer to a string describing the restriction. If _type is
> - * NULL, _restriction must also be NULL.
> + * to link to the keyring.  In this case, _restriction must also be NULL.
> + * Otherwise, both _type and _restriction must be non-NULL.
>  *
>  * Returns 0 if successful.
>  */
> @@ -1598,7 +1597,6 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
> 			     const char __user *_restriction)
> {
> 	key_ref_t key_ref;
> -	bool link_reject = !_type;
> 	char type[32];
> 	char *restriction = NULL;
> 	long ret;
> @@ -1607,31 +1605,29 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
> 	if (IS_ERR(key_ref))
> 		return PTR_ERR(key_ref);
>
> +	ret = -EINVAL;
> 	if (_type) {
> -		ret = key_get_type_from_user(type, _type, sizeof(type));
> -		if (ret < 0)
> +		if (!_restriction)
> 			goto error;
> -	}
>
> -	if (_restriction) {
> -		if (!_type) {
> -			ret = -EINVAL;
> +		ret = key_get_type_from_user(type, _type, sizeof(type));
> +		if (ret < 0)
> 			goto error;
> -		}
>
> 		restriction = strndup_user(_restriction, PAGE_SIZE);
> 		if (IS_ERR(restriction)) {
> 			ret = PTR_ERR(restriction);
> 			goto error;
> 		}
> +	} else {
> +		if (_restriction)
> +			goto error;
> 	}
>
> -	ret = keyring_restrict(key_ref, link_reject ? NULL : type, restriction);
> +	ret = keyring_restrict(key_ref, _type ? type : NULL, restriction);
> 	kfree(restriction);
> -
> error:
> 	key_ref_put(key_ref);
> -
> 	return ret;
> }
>
> -- 
> 2.15.0.531.g2ccb3012c9-goog
>
>

--
Mat Martineau
Intel OTC

Re: [PATCH] KEYS: reject NULL restriction string when type is specified

[Mat Martineau]

Eric,

On Thu, 30 Nov 2017, Eric Biggers wrote:

> From: Eric Biggers <ebiggers@google.com>
>
> keyctl_restrict_keyring() allows through a NULL restriction when the
> "type" is non-NULL, which causes a NULL pointer dereference in
> asymmetric_lookup_restriction() when it calls strcmp() on the
> restriction string.
>
> But no key types actually use a "NULL restriction" to mean anything, so
> update keyctl_restrict_keyring() to reject it with EINVAL.

Since this fixes the bug for the asymmetric key type and ensures that 
other key types won't make the same mistake, I agree this is the way to 
fix it. I did not find any issues in the patch.

Thanks,

Mat


> Reported-by: syzbot <syzkaller@googlegroups.com>
> Fixes: 97d3aa0f3134 ("KEYS: Add a lookup_restriction function for the asymmetric key type")
> Cc: <stable@vger.kernel.org> # v4.12+
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
> security/keys/keyctl.c | 24 ++++++++++--------------
> 1 file changed, 10 insertions(+), 14 deletions(-)
>
> diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
> index 76d22f726ae4..1ffe60bb2845 100644
> --- a/security/keys/keyctl.c
> +++ b/security/keys/keyctl.c
> @@ -1588,9 +1588,8 @@ long keyctl_session_to_parent(void)
>  * The caller must have Setattr permission to change keyring restrictions.
>  *
>  * The requested type name may be a NULL pointer to reject all attempts
> - * to link to the keyring. If _type is non-NULL, _restriction can be
> - * NULL or a pointer to a string describing the restriction. If _type is
> - * NULL, _restriction must also be NULL.
> + * to link to the keyring.  In this case, _restriction must also be NULL.
> + * Otherwise, both _type and _restriction must be non-NULL.
>  *
>  * Returns 0 if successful.
>  */
> @@ -1598,7 +1597,6 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
> 			     const char __user *_restriction)
> {
> 	key_ref_t key_ref;
> -	bool link_reject = !_type;
> 	char type[32];
> 	char *restriction = NULL;
> 	long ret;
> @@ -1607,31 +1605,29 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
> 	if (IS_ERR(key_ref))
> 		return PTR_ERR(key_ref);
>
> +	ret = -EINVAL;
> 	if (_type) {
> -		ret = key_get_type_from_user(type, _type, sizeof(type));
> -		if (ret < 0)
> +		if (!_restriction)
> 			goto error;
> -	}
>
> -	if (_restriction) {
> -		if (!_type) {
> -			ret = -EINVAL;
> +		ret = key_get_type_from_user(type, _type, sizeof(type));
> +		if (ret < 0)
> 			goto error;
> -		}
>
> 		restriction = strndup_user(_restriction, PAGE_SIZE);
> 		if (IS_ERR(restriction)) {
> 			ret = PTR_ERR(restriction);
> 			goto error;
> 		}
> +	} else {
> +		if (_restriction)
> +			goto error;
> 	}
>
> -	ret = keyring_restrict(key_ref, link_reject ? NULL : type, restriction);
> +	ret = keyring_restrict(key_ref, _type ? type : NULL, restriction);
> 	kfree(restriction);
> -
> error:
> 	key_ref_put(key_ref);
> -
> 	return ret;
> }
>
> -- 
> 2.15.0.531.g2ccb3012c9-goog
>
>

--
Mat Martineau
Intel OTC

Re: [PATCH] KEYS: reject NULL restriction string when type is specified

[Mat Martineau]

Eric,

On Thu, 30 Nov 2017, Eric Biggers wrote:

> From: Eric Biggers <ebiggers@google.com>
>
> keyctl_restrict_keyring() allows through a NULL restriction when the
> "type" is non-NULL, which causes a NULL pointer dereference in
> asymmetric_lookup_restriction() when it calls strcmp() on the
> restriction string.
>
> But no key types actually use a "NULL restriction" to mean anything, so
> update keyctl_restrict_keyring() to reject it with EINVAL.

Since this fixes the bug for the asymmetric key type and ensures that 
other key types won't make the same mistake, I agree this is the way to 
fix it. I did not find any issues in the patch.

Thanks,

Mat


> Reported-by: syzbot <syzkaller@googlegroups.com>
> Fixes: 97d3aa0f3134 ("KEYS: Add a lookup_restriction function for the asymmetric key type")
> Cc: <stable@vger.kernel.org> # v4.12+
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
> security/keys/keyctl.c | 24 ++++++++++--------------
> 1 file changed, 10 insertions(+), 14 deletions(-)
>
> diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
> index 76d22f726ae4..1ffe60bb2845 100644
> --- a/security/keys/keyctl.c
> +++ b/security/keys/keyctl.c
> @@ -1588,9 +1588,8 @@ long keyctl_session_to_parent(void)
>  * The caller must have Setattr permission to change keyring restrictions.
>  *
>  * The requested type name may be a NULL pointer to reject all attempts
> - * to link to the keyring. If _type is non-NULL, _restriction can be
> - * NULL or a pointer to a string describing the restriction. If _type is
> - * NULL, _restriction must also be NULL.
> + * to link to the keyring.  In this case, _restriction must also be NULL.
> + * Otherwise, both _type and _restriction must be non-NULL.
>  *
>  * Returns 0 if successful.
>  */
> @@ -1598,7 +1597,6 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
> 			     const char __user *_restriction)
> {
> 	key_ref_t key_ref;
> -	bool link_reject = !_type;
> 	char type[32];
> 	char *restriction = NULL;
> 	long ret;
> @@ -1607,31 +1605,29 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
> 	if (IS_ERR(key_ref))
> 		return PTR_ERR(key_ref);
>
> +	ret = -EINVAL;
> 	if (_type) {
> -		ret = key_get_type_from_user(type, _type, sizeof(type));
> -		if (ret < 0)
> +		if (!_restriction)
> 			goto error;
> -	}
>
> -	if (_restriction) {
> -		if (!_type) {
> -			ret = -EINVAL;
> +		ret = key_get_type_from_user(type, _type, sizeof(type));
> +		if (ret < 0)
> 			goto error;
> -		}
>
> 		restriction = strndup_user(_restriction, PAGE_SIZE);
> 		if (IS_ERR(restriction)) {
> 			ret = PTR_ERR(restriction);
> 			goto error;
> 		}
> +	} else {
> +		if (_restriction)
> +			goto error;
> 	}
>
> -	ret = keyring_restrict(key_ref, link_reject ? NULL : type, restriction);
> +	ret = keyring_restrict(key_ref, _type ? type : NULL, restriction);
> 	kfree(restriction);
> -
> error:
> 	key_ref_put(key_ref);
> -
> 	return ret;
> }
>
> -- 
> 2.15.0.531.g2ccb3012c9-goog
>
>

--
Mat Martineau
Intel OTC

Re: [PATCH] KEYS: reject NULL restriction string when type is specified

[David Howells]

Mat Martineau <mathew.j.martineau@linux.intel.com> wrote:

> Since this fixes the bug for the asymmetric key type and ensures that other
> key types won't make the same mistake, I agree this is the way to fix it. I
> did not find any issues in the patch.

Can I put that down as a Reviewed-by?

David

Re: [PATCH] KEYS: reject NULL restriction string when type is specified

[David Howells]

Mat Martineau <mathew.j.martineau@linux.intel.com> wrote:

> Since this fixes the bug for the asymmetric key type and ensures that other
> key types won't make the same mistake, I agree this is the way to fix it. I
> did not find any issues in the patch.

Can I put that down as a Reviewed-by?

David

Re: [PATCH] KEYS: reject NULL restriction string when type is specified

[Mat Martineau]

On Fri, 8 Dec 2017, David Howells wrote:

> Mat Martineau <mathew.j.martineau@linux.intel.com> wrote:
>
>> Since this fixes the bug for the asymmetric key type and ensures that other
>> key types won't make the same mistake, I agree this is the way to fix it. I
>> did not find any issues in the patch.
>
> Can I put that down as a Reviewed-by?

Yes. Looks like I missed the window for your pull request, though - I'll 
be sure to add Reviewed-by in future reviews.

Re: [PATCH] KEYS: reject NULL restriction string when type is specified

[Mat Martineau]

On Fri, 8 Dec 2017, David Howells wrote:

> Mat Martineau <mathew.j.martineau@linux.intel.com> wrote:
>
>> Since this fixes the bug for the asymmetric key type and ensures that other
>> key types won't make the same mistake, I agree this is the way to fix it. I
>> did not find any issues in the patch.
>
> Can I put that down as a Reviewed-by?

Yes. Looks like I missed the window for your pull request, though - I'll 
be sure to add Reviewed-by in future reviews.

--
Mat Martineau
Intel OTC

Re: [PATCH] KEYS: reject NULL restriction string when type is specified

[Mat Martineau]

On Fri, 8 Dec 2017, David Howells wrote:

> Mat Martineau <mathew.j.martineau@linux.intel.com> wrote:
>
>> Since this fixes the bug for the asymmetric key type and ensures that other
>> key types won't make the same mistake, I agree this is the way to fix it. I
>> did not find any issues in the patch.
>
> Can I put that down as a Reviewed-by?

Yes. Looks like I missed the window for your pull request, though - I'll 
be sure to add Reviewed-by in future reviews.

--
Mat Martineau
Intel OTC

Re: [PATCH] KEYS: reject NULL restriction string when type is specified

[Mat Martineau]

On Fri, 8 Dec 2017, David Howells wrote:

> Mat Martineau <mathew.j.martineau@linux.intel.com> wrote:
>
>> Since this fixes the bug for the asymmetric key type and ensures that other
>> key types won't make the same mistake, I agree this is the way to fix it. I
>> did not find any issues in the patch.
>
> Can I put that down as a Reviewed-by?

Yes. Looks like I missed the window for your pull request, though - I'll 
be sure to add Reviewed-by in future reviews.

--
Mat Martineau
Intel OTC

Re: general protection fault in strcmp

[Eric Biggers]

On Thu, Nov 30, 2017 at 12:44:01PM -0800, syzbot wrote:
> syzbot will keep track of this bug report.
> Once a fix for this bug is committed, please reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new
> bug report.
> Note: all commands must start from beginning of the line in the email body.
> 

#syz fix: KEYS: reject NULL restriction string when type is specified

Re: general protection fault in strcmp

[Eric Biggers]

On Thu, Nov 30, 2017 at 12:44:01PM -0800, syzbot wrote:
> syzbot will keep track of this bug report.
> Once a fix for this bug is committed, please reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new
> bug report.
> Note: all commands must start from beginning of the line in the email body.
> 

#syz fix: KEYS: reject NULL restriction string when type is specified

Re: general protection fault in strcmp

[Eric Biggers]

On Thu, Nov 30, 2017 at 12:44:01PM -0800, syzbot wrote:
> syzbot will keep track of this bug report.
> Once a fix for this bug is committed, please reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new
> bug report.
> Note: all commands must start from beginning of the line in the email body.
> 

#syz fix: KEYS: reject NULL restriction string when type is specified