From patchwork Thu Dec 7 17:59:56 2017
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 845748
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][PATCH 1/1] KEYS: fix dereferencing NULL payload with nonzero length
Date: Thu, 7 Dec 2017 18:59:56 +0100
Message-Id: <20171207175957.9630-2-kleber.souza@canonical.com>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <20171207175957.9630-1-kleber.souza@canonical.com>
References: <20171207175957.9630-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions
From: Eric Biggers sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl() allowed a NULL payload with nonzero length to be passed to the key type's ->preparse(), ->instantiate(), and/or ->update() methods. Various key types including asymmetric, cifs.idmap, cifs.spnego, and pkcs7_test did not handle this case, allowing an unprivileged user to trivially cause a NULL pointer dereference (kernel oops) if one of these key types was present. Fix it by doing the copy_from_user() when 'plen' is nonzero rather than when '_payload' is non-NULL, causing the syscall to fail with EFAULT as expected when an invalid buffer is specified. Cc: stable@vger.kernel.org # 2.6.10+ Signed-off-by: Eric Biggers Signed-off-by: David Howells Signed-off-by: James Morris CVE-2017-15274 (backported from commit 5649645d725c73df4302428ee4e02c869248b4c5) Signed-off-by: Kleber Sacilotto de Souza --- security/keys/keyctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 4e3fecc72f43..e4bb9adf7a76 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -93,7 +93,7 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type, payload = NULL; vm = false; - if (_payload) { + if (plen) { ret = -ENOMEM; payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN); if (!payload) { @@ -327,7 +327,7 @@ long keyctl_update_key(key_serial_t id, /* pull the payload in if one was supplied */ payload = NULL; - if (_payload) { + if (plen) { ret = -ENOMEM; payload = kmalloc(plen, GFP_KERNEL); if (!payload)
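Review bot: in the add_key hunk, gating on `if (plen)` instead of `if (_payload)` also changes the case of a non-NULL _payload with plen == 0: the old condition still reached kmalloc(plen, ...) with a zero size and handed that result to the key type, while the new code leaves payload NULL with a zero length, which is the pairing key types must already accept (a caller could always produce it by passing _payload == NULL). The hunk context stops before the copy_from_user() that the commit message relies on for the EFAULT result, so the backport should be checked against the Trusty tree to confirm that the copy still sits inside this branch and that plen is bounded before kmalloc(plen, ...) is reached; neither is visible in the hunk itself.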
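Review bot: the keyctl_update_key hunk applies the same `if (plen)` gate, but its kmalloc(plen, GFP_KERNEL) lacks the __GFP_NOWARN that the add_key site above passes. With plen now the sole trigger for the allocation, a large length from an unprivileged caller would, unless plen is bounded earlier in the function, produce an allocation-failure warning on the update path that the add_key path suppresses. That is pre-existing and outside the CVE fix, but a one-line follow-up aligning the two call sites would be cheap. As with the first hunk, the context is cut at `if (!payload)`, before the copy_from_user() and its error handling, so confirm in the tree that a failed copy on the update path also frees the buffer and returns -EFAULT.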
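The commit message describes the defect as a gating mistake: the copy-in was conditioned on the user pointer rather than on the length, so a NULL pointer with a nonzero length skipped the copy and reached the key type as (payload == NULL, plen > 0). The following is an added userspace model of that logic, written for this page and not taken from the kernel or from the patch; copy_from_user() is replaced by a stand-in (fake_copy_from_user, an assumption of this example) that cannot copy from a NULL buffer, which is how the kernel's EFAULT path is modelled here. It shows the pre-fix and post-fix branches side by side and checks the invariant the key types depend on.

```c
/* Added illustration, not kernel code: a userspace model of the add_key()
 * payload copy-in before and after the fix described in the commit message.
 * fake_copy_from_user() stands in for copy_from_user(); a NULL source models
 * an invalid user buffer and yields the kernel's "nothing copied" result. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the kernel helper: returns the number of bytes NOT copied.
 * A NULL user pointer is treated as an unreadable buffer. */
static size_t fake_copy_from_user(void *to, const void *from, size_t n)
{
    if (from == NULL)
        return n;
    memcpy(to, from, n);
    return 0;
}

struct prepared {
    void *payload;   /* what would be handed to ->preparse()/->instantiate() */
    size_t plen;     /* length the key type is told to trust */
    int ret;         /* 0 on success or negative errno, kernel style */
};

/* Pre-fix logic: the copy is gated on the pointer. A NULL pointer with a
 * nonzero length is silently "accepted", so the key type later sees
 * payload == NULL together with plen > 0. */
struct prepared prepare_old(const void *user_payload, size_t plen)
{
    struct prepared p = { NULL, plen, 0 };
    if (user_payload) {
        p.payload = malloc(plen);
        if (!p.payload) { p.ret = -ENOMEM; return p; }
        if (fake_copy_from_user(p.payload, user_payload, plen) != 0) {
            free(p.payload); p.payload = NULL; p.ret = -EFAULT;
        }
    }
    return p;
}

/* Post-fix logic: the copy is gated on the length. Any nonzero length forces
 * a copy, so an invalid (NULL) buffer fails with -EFAULT instead of reaching
 * the key type; a zero length leaves payload NULL, which is the one NULL
 * pairing the key types have to handle anyway. */
struct prepared prepare_new(const void *user_payload, size_t plen)
{
    struct prepared p = { NULL, plen, 0 };
    if (plen) {
        p.payload = malloc(plen);
        if (!p.payload) { p.ret = -ENOMEM; return p; }
        if (fake_copy_from_user(p.payload, user_payload, plen) != 0) {
            free(p.payload); p.payload = NULL; p.ret = -EFAULT;
        }
    }
    return p;
}

/* Invariant the key types rely on: a NULL payload is only ever paired with
 * a zero length, unless the call already failed. */
bool payload_state_consistent(const struct prepared *p)
{
    return p->ret != 0 || p->payload != NULL || p->plen == 0;
}

void prepared_release(struct prepared *p)
{
    free(p->payload);
    p->payload = NULL;
}

int main(void)
{
    /* Constructed input: the CVE trigger shape, NULL pointer with length 16. */
    struct prepared before = prepare_old(NULL, 16);
    struct prepared after = prepare_new(NULL, 16);
    printf("old: ret=%d payload=%p plen=%zu consistent=%d\n",
           before.ret, before.payload, before.plen,
           payload_state_consistent(&before));
    printf("new: ret=%d payload=%p plen=%zu consistent=%d\n",
           after.ret, after.payload, after.plen,
           payload_state_consistent(&after));
    prepared_release(&before);
    prepared_release(&after);
    return 0;
}
```

The check worth keeping from this model is payload_state_consistent(): every entry point that copies a user buffer should leave the (pointer, length) pair in a state the consumer can trust, and gating on the length rather than the pointer is what makes the invalid-buffer case surface as an error at the syscall boundary instead of deep inside a key type.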