From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Igor Redko", "David Howells", "Andrey Ryabinin", "idl3r"
Date: Sat, 01 Apr 2017 14:17:53 +0100
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.2 4/4] keys: Guard against null match function in keyring_search_aux()

3.2.88-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings

The "dead" key type has no match operation, and a search for keys of this type can cause a null dereference in keyring_search_aux(). keyring_search() has a check for this, but request_keyring_and_link() does not. Move the check into keyring_search_aux(), covering both of them.

This was fixed upstream by commit c06cfb08b88d ("KEYS: Remove key_type::match in favour of overriding default by match_preparse"), part of a series of large changes that are not suitable for backporting.

CVE-2017-2647 / CVE-2017-6951

Reported-by: Igor Redko
Reported-by: Andrey Ryabinin
References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2647
Reported-by: idl3r
References: https://www.spinics.net/lists/keyrings/msg01845.html
Signed-off-by: Ben Hutchings Cc: David Howells --- --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -336,6 +336,9 @@ key_ref_t keyring_search_aux(key_ref_t k if (keyring->type != &key_type_keyring) goto error; + if (!match) + return ERR_PTR(-ENOKEY); + rcu_read_lock(); now = current_kernel_time(); @@ -484,9 +487,6 @@ key_ref_t keyring_search(key_ref_t keyri struct key_type *type, const char *description) { - if (!type->match) - return ERR_PTR(-ENOKEY); - return keyring_search_aux(keyring, current->cred, type, description, type->match, false); }
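Review bot: in the keyring_search_aux() hunk, the new `if (!match) return ERR_PTR(-ENOKEY);` returns directly while the `keyring->type != &key_type_keyring` test just above it uses `goto error`; the direct return is safe because the new check sits before `rcu_read_lock()` and the `current_kernel_time()` sample, so there is nothing to unwind, but it is worth confirming that the `error` label performs no cleanup this path would skip. A one-line comment stating why `match` can be NULL (a key type with no match operation, such as the "dead" type named in the description) would tell the next reader why a search with no matcher is reported as "no key" rather than as an invalid argument.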
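Review bot: removing `if (!type->match) return ERR_PTR(-ENOKEY);` from keyring_search() changes the order in which errors are detected: previously a NULL matcher was rejected before keyring_search_aux() looked at the keyring at all, whereas now the `keyring->type != &key_type_keyring` test in keyring_search_aux() runs first, so a call with both a non-keyring key and a NULL `type->match` takes the `goto error` path instead of returning -ENOKEY. That only alters which error is reported, not whether the NULL pointer is dereferenced, and consolidating the check in keyring_search_aux() is what also protects the other caller named in the description (request_keyring_and_link()); a sentence in the commit message noting the ordering change would make the review of this backport easier.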