From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, James Morris <james.l.morris@oracle.com>,
Michael Halcrow <mhalcrow@google.com>,
Eric Biggers <ebiggers@google.com>,
David Howells <dhowells@redhat.com>
Subject: [PATCH 4.9 23/23] ecryptfs: fix dereference of NULL user_key_payload
Date: Tue, 31 Oct 2017 10:55:47 +0100 [thread overview]
Message-ID: <20171031095518.448777786@linuxfoundation.org> (raw)
In-Reply-To: <20171031095517.400573240@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit f66665c09ab489a11ca490d6a82df57cfc1bea3e upstream.
In eCryptfs, we failed to verify that the authentication token keys are
not revoked before dereferencing their payloads, which is problematic
because the payload of a revoked key is NULL. request_key() *does* skip
revoked keys, but there is still a window where the key can be revoked
before we acquire the key semaphore.
Fix it by updating ecryptfs_get_key_payload_data() to return
-EKEYREVOKED if the key payload is NULL. For completeness we check this
for "encrypted" keys as well as "user" keys, although encrypted keys
cannot be revoked currently.
Alternatively we could use key_validate(), but since we'll also need to
fix ecryptfs_get_key_payload_data() to validate the payload length, it
seems appropriate to just check the payload pointer.
Fixes: 237fead61998 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: Michael Halcrow <mhalcrow@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ecryptfs/ecryptfs_kernel.h | 24 +++++++++++++++++-------
fs/ecryptfs/keystore.c | 9 ++++++++-
2 files changed, 25 insertions(+), 8 deletions(-)
--- a/fs/ecryptfs/ecryptfs_kernel.h
+++ b/fs/ecryptfs/ecryptfs_kernel.h
@@ -84,11 +84,16 @@ struct ecryptfs_page_crypt_context {
static inline struct ecryptfs_auth_tok *
ecryptfs_get_encrypted_key_payload_data(struct key *key)
{
- if (key->type == &key_type_encrypted)
- return (struct ecryptfs_auth_tok *)
- (&((struct encrypted_key_payload *)key->payload.data[0])->payload_data);
- else
+ struct encrypted_key_payload *payload;
+
+ if (key->type != &key_type_encrypted)
return NULL;
+
+ payload = key->payload.data[0];
+ if (!payload)
+ return ERR_PTR(-EKEYREVOKED);
+
+ return (struct ecryptfs_auth_tok *)payload->payload_data;
}
static inline struct key *ecryptfs_get_encrypted_key(char *sig)
@@ -114,12 +119,17 @@ static inline struct ecryptfs_auth_tok *
ecryptfs_get_key_payload_data(struct key *key)
{
struct ecryptfs_auth_tok *auth_tok;
+ const struct user_key_payload *ukp;
auth_tok = ecryptfs_get_encrypted_key_payload_data(key);
- if (!auth_tok)
- return (struct ecryptfs_auth_tok *)user_key_payload(key)->data;
- else
+ if (auth_tok)
return auth_tok;
+
+ ukp = user_key_payload(key);
+ if (!ukp)
+ return ERR_PTR(-EKEYREVOKED);
+
+ return (struct ecryptfs_auth_tok *)ukp->data;
}
#define ECRYPTFS_MAX_KEYSET_SIZE 1024
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -459,7 +459,8 @@ out:
* @auth_tok_key: key containing the authentication token
* @auth_tok: authentication token
*
- * Returns zero on valid auth tok; -EINVAL otherwise
+ * Returns zero on valid auth tok; -EINVAL if the payload is invalid; or
+ * -EKEYREVOKED if the key was revoked before we acquired its semaphore.
*/
static int
ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key,
@@ -468,6 +469,12 @@ ecryptfs_verify_auth_tok_from_key(struct
int rc = 0;
(*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key);
+ if (IS_ERR(*auth_tok)) {
+ rc = PTR_ERR(*auth_tok);
+ *auth_tok = NULL;
+ goto out;
+ }
+
if (ecryptfs_verify_version((*auth_tok)->version)) {
printk(KERN_ERR "Data structure version mismatch. Userspace "
"tools must match eCryptfs kernel module with major "
next prev parent reply other threads:[~2017-10-31 9:57 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-31 9:55 [PATCH 4.9 00/23] 4.9.60-stable review Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 01/23] workqueue: replace pool->manager_arb mutex with a flag Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 02/23] ALSA: hda/realtek - Add support for ALC236/ALC3204 Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 03/23] ALSA: hda - fix headset mic problem for Dell machines with alc236 Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 04/23] ceph: unlock dangling spinlock in try_flush_caps() Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 05/23] usb: xhci: Handle error condition in xhci_stop_device() Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 06/23] KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 07/23] spi: uapi: spidev: add missing ioctl header Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 08/23] spi: bcm-qspi: Fix use after free in bcm_qspi_probe() in error path Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 09/23] fuse: fix READDIRPLUS skipping an entry Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 10/23] xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap() Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 11/23] Input: elan_i2c - add ELAN0611 to the ACPI table Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 12/23] Input: gtco - fix potential out-of-bound access Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 13/23] assoc_array: Fix a buggy node-splitting case Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 14/23] scsi: zfcp: fix erp_action use-before-initialize in REC action trace Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 15/23] scsi: sg: Re-fix off by one in sg_fill_request_table() Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 16/23] drm/amd/powerplay: fix uninitialized variable Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 17/23] can: sun4i: fix loopback mode Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 18/23] can: kvaser_usb: Correct return value in printout Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 19/23] can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 20/23] cfg80211: fix connect/disconnect edge cases Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 21/23] ipsec: Fix aborted xfrm policy dump crash Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 22/23] regulator: fan53555: fix I2C device ids Greg Kroah-Hartman
2017-10-31 9:55 ` Greg Kroah-Hartman [this message]
[not found] ` <59f8951e.87d8500a.cbc53.9419@mx.google.com>
2017-10-31 16:52 ` [PATCH 4.9 00/23] 4.9.60-stable review Greg Kroah-Hartman
2017-10-31 17:01 ` Mark Brown
2017-10-31 17:19 ` Guenter Roeck
2017-10-31 20:08 ` Shuah Khan
2017-10-31 20:59 ` Tom Gall
2017-11-01 15:21 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171031095518.448777786@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dhowells@redhat.com \
--cc=ebiggers@google.com \
--cc=james.l.morris@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mhalcrow@google.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).