From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mimi Zohar <zohar@linux.vnet.ibm.com>,
Eric Biggers <ebiggers@google.com>,
David Howells <dhowells@redhat.com>,
James Morris <james.l.morris@oracle.com>,
Jin Qian <jinqian@google.com>
Subject: [PATCH 4.4 034/108] KEYS: encrypted: fix buffer overread in valid_master_desc()
Date: Thu, 15 Feb 2018 16:16:31 +0100 [thread overview]
Message-ID: <20180215151227.176503087@linuxfoundation.org> (raw)
In-Reply-To: <20180215151222.267507937@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 794b4bc292f5d31739d89c0202c54e7dc9bc3add upstream.
With the 'encrypted' key type it was possible for userspace to provide a
data blob ending with a master key description shorter than expected,
e.g. 'keyctl add encrypted desc "new x" @s'. When validating such a
master key description, validate_master_desc() could read beyond the end
of the buffer. Fix this by using strncmp() instead of memcmp(). [Also
clean up the code to deduplicate some logic.]
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/encrypted-keys/encrypted.c | 31 +++++++++++++++----------------
1 file changed, 15 insertions(+), 16 deletions(-)
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -141,23 +141,22 @@ static int valid_ecryptfs_desc(const cha
*/
static int valid_master_desc(const char *new_desc, const char *orig_desc)
{
- if (!memcmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) {
- if (strlen(new_desc) == KEY_TRUSTED_PREFIX_LEN)
- goto out;
- if (orig_desc)
- if (memcmp(new_desc, orig_desc, KEY_TRUSTED_PREFIX_LEN))
- goto out;
- } else if (!memcmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) {
- if (strlen(new_desc) == KEY_USER_PREFIX_LEN)
- goto out;
- if (orig_desc)
- if (memcmp(new_desc, orig_desc, KEY_USER_PREFIX_LEN))
- goto out;
- } else
- goto out;
+ int prefix_len;
+
+ if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
+ prefix_len = KEY_TRUSTED_PREFIX_LEN;
+ else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
+ prefix_len = KEY_USER_PREFIX_LEN;
+ else
+ return -EINVAL;
+
+ if (!new_desc[prefix_len])
+ return -EINVAL;
+
+ if (orig_desc && strncmp(new_desc, orig_desc, prefix_len))
+ return -EINVAL;
+
return 0;
-out:
- return -EINVAL;
}
/*
next prev parent reply other threads:[~2018-02-15 15:21 UTC|newest]
Thread overview: 133+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-15 15:15 [PATCH 4.4 000/108] 4.4.116-stable review Greg Kroah-Hartman
2018-02-15 15:15 ` [PATCH 4.4 001/108] powerpc/bpf/jit: Disable classic BPF JIT on ppc64le Greg Kroah-Hartman
2018-02-15 15:15 ` [PATCH 4.4 002/108] powerpc/64: Fix flush_(d|i)cache_range() called from modules Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 003/108] powerpc: Fix VSX enabling/flushing to also test MSR_FP and MSR_VEC Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 004/108] powerpc: Simplify module TOC handling Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 005/108] powerpc/pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 006/108] powerpc/64: Add macros for annotating the destination of rfid/hrfid Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 007/108] powerpc/64s: Simple RFI macro conversions Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 008/108] powerpc/64: Convert fast_exception_return to use RFI_TO_USER/KERNEL Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 009/108] powerpc/64: Convert the syscall exit path " Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 010/108] powerpc/64s: Convert slb_miss_common " Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 011/108] powerpc/64s: Add support for RFI flush of L1-D cache Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 012/108] powerpc/64s: Support disabling RFI flush with no_rfi_flush and nopti Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 013/108] powerpc/pseries: Query hypervisor for RFI flush settings Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 014/108] powerpc/powernv: Check device-tree " Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 015/108] powerpc/64s: Wire up cpu_show_meltdown() Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 016/108] powerpc/64s: Allow control of RFI flush via debugfs Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 017/108] ASoC: pcm512x: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 018/108] usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 019/108] usbip: fix 3eee23c3ec14 tcp_socket address still in the status file Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 020/108] net: cdc_ncm: initialize drvflags before usage Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 021/108] ASoC: simple-card: Fix misleading error message Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 022/108] ASoC: rsnd: dont call free_irq() on Parent SSI Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 023/108] ASoC: rsnd: avoid duplicate free_irq() Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 024/108] drm: rcar-du: Use the VBK interrupt for vblank events Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 025/108] drm: rcar-du: Fix race condition when disabling planes at CRTC stop Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 026/108] x86/asm: Fix inline asm call constraints for GCC 4.4 Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 027/108] ip6mr: fix stale iterator Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 028/108] net: igmp: add a missing rcu locking section Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 029/108] qlcnic: fix deadlock bug Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 030/108] r8169: fix RTL8168EP take too long to complete driver initialization Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 031/108] tcp: release sk_frag.page in tcp_disconnect Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 032/108] vhost_net: stop device during reset owner Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 033/108] media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE Greg Kroah-Hartman
2018-02-15 15:16 ` Greg Kroah-Hartman [this message]
2018-02-15 15:16 ` [PATCH 4.4 035/108] dont put symlink bodies in pagecache into highmem Greg Kroah-Hartman
2018-03-05 0:37 ` Ben Hutchings
2018-03-05 6:02 ` Greg Kroah-Hartman
2018-03-05 20:33 ` Eric Biggers
2018-02-15 15:16 ` [PATCH 4.4 036/108] crypto: tcrypt - fix S/G table for test_aead_speed() Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 037/108] x86/microcode/AMD: Do not load when running on a hypervisor Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 038/108] x86/microcode: Do the family check first Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 039/108] powerpc/pseries: include linux/types.h in asm/hvcall.h Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 040/108] cifs: Fix missing put_xid in cifs_file_strict_mmap Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 041/108] cifs: Fix autonegotiate security settings mismatch Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 042/108] CIFS: zero sensitive data when freeing Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 043/108] dmaengine: dmatest: fix container_of member in dmatest_callback Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 044/108] x86/kaiser: fix build error with KASAN && !FUNCTION_GRAPH_TRACER Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 045/108] kaiser: fix compile error without vsyscall Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 046/108] netfilter: nf_queue: Make the queue_handler pernet Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 047/108] posix-timer: Properly check sigevent->sigev_notify Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 048/108] usb: gadget: uvc: Missing files for configfs interface Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 049/108] sched/rt: Use container_of() to get root domain in rto_push_irq_work_func() Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 050/108] sched/rt: Up the root domain ref count when passing it around via IPIs Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 051/108] dccp: CVE-2017-8824: use-after-free in DCCP code Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 052/108] media: dvb-usb-v2: lmedm04: Improve logic checking of warm start Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 053/108] media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 054/108] mtd: cfi: convert inline functions to macros Greg Kroah-Hartman
2018-03-05 2:22 ` Ben Hutchings
2018-03-07 7:14 ` Boris Brezillon
2018-02-15 15:16 ` [PATCH 4.4 055/108] mtd: nand: brcmnand: Disable prefetch by default Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 056/108] mtd: nand: Fix nand_do_read_oob() return value Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 057/108] mtd: nand: sunxi: Fix ECC strength choice Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 058/108] ubi: block: Fix locking for idr_alloc/idr_remove Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 059/108] nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 060/108] NFS: Add a cond_resched() to nfs_commit_release_pages() Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 061/108] NFS: commit direct writes even if they fail partially Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 4.4 062/108] NFS: reject request for id_legacy key without auxdata Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 063/108] kernfs: fix regression in kernfs_fop_write caused by wrong type Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 064/108] ahci: Annotate PCI ids for mobile Intel chipsets as such Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 065/108] ahci: Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 066/108] ahci: Add Intel Cannon Lake PCH-H PCI ID Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 067/108] crypto: hash - introduce crypto_hash_alg_has_setkey() Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 068/108] crypto: cryptd - pass through absence of ->setkey() Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 069/108] crypto: poly1305 - remove ->setkey() method Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 070/108] nsfs: mark dentry with DCACHE_RCUACCESS Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 071/108] media: v4l2-ioctl.c: dont copy back the result for -ENOTTY Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 072/108] vb2: V4L2_BUF_FLAG_DONE is set after DQBUF Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 073/108] media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 074/108] media: v4l2-compat-ioctl32.c: fix the indentation Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 075/108] media: v4l2-compat-ioctl32.c: move helper functions to __get/put_v4l2_format32 Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 076/108] media: v4l2-compat-ioctl32.c: avoid sizeof(type) Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 077/108] media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 078/108] media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 079/108] media: v4l2-compat-ioctl32.c: make ctrl_is_pointer work for subdevs Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 080/108] media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 081/108] media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 082/108] media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 083/108] media: v4l2-compat-ioctl32.c: dont copy back the result for certain errors Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 084/108] media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 085/108] crypto: caam - fix endless loop when DECO acquire fails Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 086/108] arm: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 087/108] KVM: nVMX: Fix races when sending nested PI while dest enters/leaves L2 Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 088/108] watchdog: imx2_wdt: restore previous timeout after suspend+resume Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 089/108] media: ts2020: avoid integer overflows on 32 bit machines Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 090/108] media: cxusb, dib0700: ignore XC2028_I2C_FLUSH Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 091/108] kernel/async.c: revert "async: simplify lowest_in_progress()" Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 092/108] HID: quirks: Fix keyboard + touchpad on Toshiba Click Mini not working Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 093/108] Bluetooth: btsdio: Do not bind to non-removable BCM43341 Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 094/108] Revert "Bluetooth: btusb: fix QCA Rome suspend/resume" Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 095/108] Bluetooth: btusb: Restore QCA Rome suspend/resume fix with a "rewritten" version Greg Kroah-Hartman
2018-02-16 2:31 ` Brian Norris
2018-02-16 6:48 ` Greg Kroah-Hartman
2018-02-16 18:10 ` Brian Norris
2018-02-16 18:52 ` Guenter Roeck
2018-02-17 13:43 ` Greg Kroah-Hartman
2018-02-17 15:12 ` Guenter Roeck
2018-02-17 15:24 ` Greg Kroah-Hartman
2018-02-28 19:39 ` Brian Norris
2018-03-22 17:52 ` Greg Kroah-Hartman
2018-03-22 18:56 ` Guenter Roeck
2018-03-22 20:25 ` Greg Kroah-Hartman
2018-02-16 18:54 ` Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 096/108] signal/openrisc: Fix do_unaligned_access to send the proper signal Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 097/108] signal/sh: Ensure si_signo is initialized in do_divide_error Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 098/108] alpha: fix crash if pthread_create races with signal delivery Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 099/108] alpha: fix reboot on Avanti platform Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 100/108] xtensa: fix futex_atomic_cmpxchg_inatomic Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 101/108] EDAC, octeon: Fix an uninitialized variable warning Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 102/108] pktcdvd: Fix pkt_setup_dev() error path Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 103/108] btrfs: Handle btrfs_set_extent_delalloc failure in fixup worker Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 104/108] nvme: Fix managing degraded controllers Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 105/108] ACPI: sbshc: remove raw pointer from printk() message Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 106/108] ovl: fix failure to fsync lower dir Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 107/108] mn10300/misalignment: Use SIGSEGV SEGV_MAPERR to report a failed user copy Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 4.4 108/108] ftrace: Remove incorrect setting of glob search field Greg Kroah-Hartman
2018-02-15 21:56 ` [PATCH 4.4 000/108] 4.4.116-stable review kernelci.org bot
2018-02-15 22:00 ` Shuah Khan
2018-02-16 2:45 ` Nathan Chancellor
2018-02-16 6:51 ` Greg Kroah-Hartman
2018-02-16 6:00 ` Naresh Kamboju
2018-02-16 14:12 ` Guenter Roeck
2018-02-16 19:12 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180215151227.176503087@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dhowells@redhat.com \
--cc=ebiggers@google.com \
--cc=james.l.morris@oracle.com \
--cc=jinqian@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).