From patchwork Thu Dec 7 17:59:57 2017
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Zesty][PATCH 1/1] KEYS: fix dereferencing NULL payload with nonzero length
Date: Thu, 7 Dec 2017 18:59:57 +0100
Message-Id: <20171207175957.9630-3-kleber.souza@canonical.com>
In-Reply-To: <20171207175957.9630-1-kleber.souza@canonical.com>
References: <20171207175957.9630-1-kleber.souza@canonical.com>
X-Patchwork-Id: 845749
List-Id: Kernel team discussions
From: Eric Biggers

sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl() allowed a NULL payload with nonzero length to be passed to the key type's ->preparse(), ->instantiate(), and/or ->update() methods. Various key types including asymmetric, cifs.idmap, cifs.spnego, and pkcs7_test did not handle this case, allowing an unprivileged user to trivially cause a NULL pointer dereference (kernel oops) if one of these key types was present.

Fix it by doing the copy_from_user() when 'plen' is nonzero rather than when '_payload' is non-NULL, causing the syscall to fail with EFAULT as expected when an invalid buffer is specified.

Cc: stable@vger.kernel.org # 2.6.10+
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: James Morris
CVE-2017-15274
(backported from commit 5649645d725c73df4302428ee4e02c869248b4c5)
Signed-off-by: Kleber Sacilotto de Souza
---
 security/keys/keyctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 3c7f6897fd5b..e09af189bd03 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -97,7 +97,7 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type, /* pull the payload in if one was supplied */ payload = NULL; - if (_payload) { + if (plen) { ret = -ENOMEM; payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN); if (!payload) { @@ -327,7 +327,7 @@ long keyctl_update_key(key_serial_t id, /* pull the payload in if one was supplied */ payload = NULL; - if (_payload) { + if (plen) { ret = -ENOMEM; payload = kmalloc(plen, GFP_KERNEL); if (!payload)
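Review bot: in the add_key hunk (@@ -97,7 +97,7 @@), the context comment `/* pull the payload in if one was supplied */` above `if (plen) {` is now stale, because the decision is made on the length rather than on `_payload`: a non-NULL `_payload` with `plen == 0` no longer reaches `kmalloc(plen, ...)` (a zero-length kmalloc returns the ZERO_SIZE_PTR sentinel, not NULL) and the key type now sees `payload == NULL` for that case, the same NULL it already had to cope with for a NULL `_payload`. Suggest rewording the comment to say that a zero-length payload is treated as absent. Since `plen` alone now gates a user-sized allocation, also confirm that a bound on `plen` is enforced before this block; neither that check nor the copy_from_user() that produces the EFAULT promised in the commit message is visible in the hunk as shown.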
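Review bot: in the keyctl_update_key hunk (@@ -327,7 +327,7 @@), `payload = kmalloc(plen, GFP_KERNEL);` lacks the `__GFP_NOWARN` that the matching allocation in the add_key hunk carries, although `plen` is user-controlled on both paths; with the gate now `if (plen)`, an unprivileged caller who can pass a large `plen` here gets the allocation attempted and, on failure, an allocation-failure warning in the kernel log. Suggest `kmalloc(plen, GFP_KERNEL | __GFP_NOWARN)` here too, or stating in the commit message why the update path is bounded so that it cannot fail this way. The hunk is cut off at `if (!payload)` on this page, so its error path cannot be reviewed from here.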
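The commit message above describes the gate change in words; the following added example, which is not part of the patch or of the kernel tree and was written for this page, models the payload pull in user space so the before and after behaviour can be run and checked without touching a kernel. `model_add_key_payload()` reproduces the old `if (_payload)` gate and the new `if (plen)` gate, `model_copy_from_user()` stands in for copy_from_user() and fails on a NULL user pointer, and `careless_preparse()` behaves like the key types named in the message that trust a nonzero length, returning a sentinel instead of oopsing. On Linux, `probe_running_kernel()` additionally issues a real add_key(2) with a NULL payload and length 16 against the built-in `user` key type: a patched kernel answers EFAULT before any key type code runs, and the assumption, not shown on this page, is that the `user` type's own NULL check returns EINVAL on an unpatched kernel, which is what makes the probe safe to run. All function names, the sentinel value, the keyring constant and the sample payload are invented for the example.

```c
/* Added example: user-space model of the add_key()/keyctl_update_key() payload
 * pull before and after the CVE-2017-15274 fix. Not kernel code; every name here
 * is invented for the model. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/syscall.h>
#include <unistd.h>
#endif

/* Sentinel standing in for the kernel oops a NULL dereference would cause. */
#define MODEL_NULL_DEREF (-1000)

/* Stand-in for copy_from_user(): a NULL user pointer cannot be copied, so the
 * whole length is reported as "not copied", which is how the real call fails. */
static size_t model_copy_from_user(void *dst, const void *user_src, size_t n)
{
    if (user_src == NULL)
        return n;
    memcpy(dst, user_src, n);
    return 0;
}

/* A ->preparse() written like the key types named in the commit message: it
 * assumes data != NULL whenever datalen > 0. Instead of dereferencing NULL it
 * returns the sentinel so the model can be checked without crashing. */
static int careless_preparse(const void *data, size_t datalen)
{
    const unsigned char *p = data;
    volatile unsigned char sink = 0;
    size_t i;

    if (datalen == 0)
        return 0;                  /* nothing to parse */
    if (p == NULL)
        return MODEL_NULL_DEREF;   /* the real key types dereference here and oops */
    for (i = 0; i < datalen; i++)
        sink = p[i];               /* touch every byte the way a parser would */
    (void)sink;
    return 0;
}

/* The gate under review. gate_on_plen == 0 reproduces the old `if (_payload)`,
 * gate_on_plen == 1 reproduces the patched `if (plen)`.
 * Returns 0 on success, -errno on failure, or MODEL_NULL_DEREF. */
static int model_add_key_payload(int gate_on_plen, const void *user_payload, size_t plen)
{
    void *payload = NULL;
    int ret;
    int pull = gate_on_plen ? (plen != 0) : (user_payload != NULL);

    if (pull) {
        /* malloc(0) may return NULL, whereas kmalloc(0) returns a non-NULL
         * sentinel; ask for at least one byte so the model stays faithful. */
        payload = malloc(plen ? plen : 1);
        if (!payload)
            return -ENOMEM;
        if (model_copy_from_user(payload, user_payload, plen) != 0) {
            free(payload);
            return -EFAULT;    /* the outcome the commit message promises */
        }
    }
    ret = careless_preparse(payload, plen);
    free(payload);
    return ret;
}

#if defined(__linux__) && defined(SYS_add_key)
#define MODEL_KEY_SPEC_PROCESS_KEYRING (-2L)   /* value of KEY_SPEC_PROCESS_KEYRING */
/* Real add_key(2) with a NULL payload and nonzero length against the "user"
 * key type. Returns errno (0 if a key was unexpectedly created).
 * EFAULT: patched kernel. EINVAL: assumed unpatched, rejected by the user
 * type's own NULL check. Anything else: the call never reached that point. */
static int probe_running_kernel(void)
{
    long r = syscall(SYS_add_key, "user", "cve-2017-15274-probe", NULL,
                     (size_t)16, MODEL_KEY_SPEC_PROCESS_KEYRING);
    return r < 0 ? errno : 0;
}
#endif

int main(void)
{
    const char buf[] = "constructed sample payload";   /* constructed input */

    printf("old gate, NULL/16: %d (NULL deref sentinel is %d)\n",
           model_add_key_payload(0, NULL, 16), MODEL_NULL_DEREF);
    printf("new gate, NULL/16: %d (-EFAULT is %d)\n",
           model_add_key_payload(1, NULL, 16), -EFAULT);
    printf("new gate, buf/%zu: %d\n", strlen(buf), model_add_key_payload(1, buf, strlen(buf)));
    printf("new gate, buf/0:   %d\n", model_add_key_payload(1, buf, 0));
#if defined(__linux__) && defined(SYS_add_key)
    {
        int e = probe_running_kernel();
        printf("add_key(\"user\", ..., NULL, 16): errno %d (%s)\n", e, strerror(e));
    }
#endif
    return 0;
}
```

Build with `cc -Wall model.c -o model` and run it; in a container that denies add_key(2) the probe reports EPERM or ENOSYS rather than either expected value, and in that case only the model output is meaningful.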