From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, "Igor Redko" <redkoi@virtuozzo.com>,
	"David Howells" <dhowells@redhat.com>,
	"Andrey Ryabinin" <aryabinin@virtuozzo.com>,
	"idl3r" <idler1984@gmail.com>
Subject: [PATCH 3.2 4/4] keys: Guard against null match function in keyring_search_aux()
Date: Sat, 01 Apr 2017 14:17:53 +0100
Message-ID: <lsq.1491052673.768763980@decadent.org.uk>
In-Reply-To: <lsq.1491052673.217031175@decadent.org.uk>

3.2.88-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

The "dead" key type has no match operation, and a search for keys of
this type can cause a null dereference in keyring_search_aux().
keyring_search() has a check for this, but request_keyring_and_link()
does not.  Move the check into keyring_search_aux(), covering both of
them.

This was fixed upstream by commit c06cfb08b88d ("KEYS: Remove
key_type::match in favour of overriding default by match_preparse"),
part of a series of large changes that are not suitable for
backporting.

CVE-2017-2647 / CVE-2017-6951

Reported-by: Igor Redko <redkoi@virtuozzo.com>
Reported-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2647
Reported-by: idl3r <idler1984@gmail.com>
References: https://www.spinics.net/lists/keyrings/msg01845.html
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: David Howells <dhowells@redhat.com>
---
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -336,6 +336,9 @@ key_ref_t keyring_search_aux(key_ref_t k
 	if (keyring->type != &key_type_keyring)
 		goto error;
 
+	if (!match)
+		return ERR_PTR(-ENOKEY);
+
 	rcu_read_lock();
 
 	now = current_kernel_time();
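Review bot: the bare `if (!match)` at the top of this hunk gives no hint why a caller would ever pass a NULL match function, and the commit message is the only place that explains it (the "dead" key type has no match operation). A one-line comment above the check, e.g. `/* the "dead" key type has no match op; nothing can be found */`, would save the next reader a trip through the history. Returning `ERR_PTR(-ENOKEY)` directly instead of via `goto error` is fine here, since the check sits before `rcu_read_lock()` and nothing has been acquired yet.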
@@ -484,9 +487,6 @@ key_ref_t keyring_search(key_ref_t keyri
 			 struct key_type *type,
 			 const char *description)
 {
-	if (!type->match)
-		return ERR_PTR(-ENOKEY);
-
 	return keyring_search_aux(keyring, current->cred,
 				  type, description, type->match, false);
 }
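Review bot: moving the check changes the order in which errors are reported for keyring_search() callers. Previously `if (!type->match)` ran before anything in keyring_search_aux(), so a search on a key that is not a keyring, with a type lacking a match op, returned -ENOKEY; after this patch the `keyring->type != &key_type_keyring` test in the first hunk runs first and such a call takes the `goto error` path instead. If any caller distinguishes the two results, hoist the NULL-match check above the keyring-type check in keyring_search_aux(); otherwise a sentence in the commit message noting the changed ordering would be enough. Evaluating `type->match` as a call argument here remains safe, as it only reads the pointer without calling through it.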
