From: Eric Biggers <ebiggers@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Howells <dhowells@redhat.com>,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: [PATCH RESEND] KEYS: fix parsing invalid pkey info string
Date: Mon, 17 Dec 2018 10:12:44 -0800 [thread overview]
Message-ID: <20181217181244.220052-1-ebiggers@kernel.org> (raw)
In-Reply-To: <20181128232019.GC131170@gmail.com>
From: Eric Biggers <ebiggers@google.com>
We need to check the return value of match_token() for Opt_err (-1)
before doing anything with it.
Reported-by: syzbot+a22e0dc07567662c50bc@syzkaller.appspotmail.com
Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
Hi Linus, please consider applying this patch. It's been ignored by the
keyrings maintainer for a month and a half with multiple reminders. It
fixes an easily reachable stack corruption in the new keyctl operations
that were added in v4.20. It was immediately reached by syzbot even
without any definitions for the new keyctls yet.
security/keys/keyctl_pkey.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/keys/keyctl_pkey.c b/security/keys/keyctl_pkey.c
index 783978842f13a..987fac8051d70 100644
--- a/security/keys/keyctl_pkey.c
+++ b/security/keys/keyctl_pkey.c
@@ -50,6 +50,8 @@ static int keyctl_pkey_params_parse(struct kernel_pkey_params *params)
if (*p == '\0' || *p == ' ' || *p == '\t')
continue;
token = match_token(p, param_keys, args);
+ if (token == Opt_err)
+ return -EINVAL;
if (__test_and_set_bit(token, &token_mask))
return -EINVAL;
q = args[0].from;
--
2.20.0.405.gbc1bbc6f85-goog
next prev parent reply other threads:[~2018-12-17 18:13 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-03 15:48 general protection fault in keyctl_pkey_params_get syzbot
2018-11-03 17:30 ` [PATCH] KEYS: fix parsing invalid pkey info string Eric Biggers
2018-11-28 23:20 ` Eric Biggers
2018-12-06 18:26 ` Eric Biggers
2018-12-17 18:12 ` Eric Biggers [this message]
2018-12-17 18:43 ` [PATCH RESEND] " Linus Torvalds
2018-12-17 18:49 ` Linus Torvalds
2018-12-17 19:06 ` Linus Torvalds
2018-12-17 19:39 ` Linus Torvalds
2018-12-17 19:51 ` James Bottomley
2018-12-17 20:02 ` Linus Torvalds
2018-12-17 20:29 ` Mimi Zohar
2018-12-18 0:44 ` James Bottomley
2018-12-31 22:45 ` Eric Biggers
2019-01-01 21:08 ` Linus Torvalds
2018-12-17 20:21 ` Mimi Zohar
2018-12-17 20:31 ` Linus Torvalds
2018-12-18 12:34 ` Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181217181244.220052-1-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=dhowells@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).