Re: [PATCH] KEYS: fix length validation in keyctl_pkey_params_get_2()

From: Jarkko Sakkinen <jarkko@kernel.org>
To: Eric Biggers <ebiggers@kernel.org>
Cc: keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>,
	linux-crypto@vger.kernel.org,
	Marcel Holtmann <marcel@holtmann.org>,
	Denis Kenzior <denkenz@gmail.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH] KEYS: fix length validation in keyctl_pkey_params_get_2()
Date: Sat, 15 Jan 2022 20:45:03 +0200	[thread overview]
Message-ID: <YeMWLyceg4xcwShF@iki.fi> (raw)
In-Reply-To: <20220113200454.72609-1-ebiggers@kernel.org>

On Thu, Jan 13, 2022 at 12:04:54PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> In many cases, keyctl_pkey_params_get_2() is validating the user buffer
> lengths against the wrong algorithm properties.  Fix it to check against
> the correct properties.
> 
> Probably this wasn't noticed before because for all asymmetric keys of
> the "public_key" subtype, max_data_size == max_sig_size == max_enc_size
> == max_dec_size.  However, this isn't necessarily true for the
> "asym_tpm" subtype (it should be, but it's not strictly validated).  Of
> course, future key types could have different values as well.

With a quick look, asym_tpm is TPM 1.x only, which only has 2048-bit RSA
keys.

> Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
> Cc: <stable@vger.kernel.org> # v4.20+
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  security/keys/keyctl_pkey.c | 14 +++++++++++---
>  1 file changed, 11 insertions(+), 3 deletions(-)
> 
> diff --git a/security/keys/keyctl_pkey.c b/security/keys/keyctl_pkey.c
> index 5de0d599a274..97bc27bbf079 100644
> --- a/security/keys/keyctl_pkey.c
> +++ b/security/keys/keyctl_pkey.c
> @@ -135,15 +135,23 @@ static int keyctl_pkey_params_get_2(const struct keyctl_pkey_params __user *_par
>  
>  	switch (op) {
>  	case KEYCTL_PKEY_ENCRYPT:
> +		if (uparams.in_len  > info.max_dec_size ||
> +		    uparams.out_len > info.max_enc_size)
> +			return -EINVAL;
> +		break;
>  	case KEYCTL_PKEY_DECRYPT:
>  		if (uparams.in_len  > info.max_enc_size ||
>  		    uparams.out_len > info.max_dec_size)
>  			return -EINVAL;
>  		break;
>  	case KEYCTL_PKEY_SIGN:
> +		if (uparams.in_len  > info.max_data_size ||
> +		    uparams.out_len > info.max_sig_size)
> +			return -EINVAL;
> +		break;
>  	case KEYCTL_PKEY_VERIFY:
> -		if (uparams.in_len  > info.max_sig_size ||
> -		    uparams.out_len > info.max_data_size)
> +		if (uparams.in_len  > info.max_data_size ||
> +		    uparams.in2_len > info.max_sig_size)
>  			return -EINVAL;
>  		break;
>  	default:
> @@ -151,7 +159,7 @@ static int keyctl_pkey_params_get_2(const struct keyctl_pkey_params __user *_par
>  	}
>  
>  	params->in_len  = uparams.in_len;
> -	params->out_len = uparams.out_len;
> +	params->out_len = uparams.out_len; /* Note: same as in2_len */
>  	return 0;
>  }
>  
> 
> base-commit: feb7a43de5ef625ad74097d8fd3481d5dbc06a59
> -- 
> 2.34.1
> 

/Jarkko