mbox series

[00/10] keys: Miscellany [ver #2]

Message ID 155923711088.949.14909672457214372214.stgit@warthog.procyon.org.uk (mailing list archive)
Headers show
Series keys: Miscellany [ver #2] | expand

Message

David Howells May 30, 2019, 5:25 p.m. UTC
Here are some miscellaneous keyrings fixes and improvements intended for
the next merge window:

 (1) Fix a bunch of warnings from sparse, including missing RCU bits and
     kdoc-function argument mismatches

 (2) Implement a keyctl to allow a key to be moved from one keyring to
     another, with the option of prohibiting key replacement in the
     destination keyring.

 (3) Grant Link permission to possessors of request_key_auth tokens so that
     upcall servicing daemons can more easily arrange things such that only
     the necessary auth key is passed to the actual service program, and
     not all the auth keys a daemon might possesss.

 (4) Improvement in lookup_user_key().

 (5) Implement a keyctl to allow keyrings subsystem capabilities to be
     queried.

The patches can be found on the following branch:

	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-misc

The keyutils next branch has commits to make available, document and test
the move-key and capabilities code:

	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/log/?h=next

Changes:

 (*) Fixed lock ordering bug in KEYCTL_MOVE.

 (*) Added improvement patch from Eric.

 (*) Added capabilities patch.

David
---
David Howells (9):
      keys: sparse: Fix key_fs[ug]id_changed()
      keys: sparse: Fix incorrect RCU accesses
      keys: sparse: Fix kdoc mismatches
      keys: Change keyring_serialise_link_sem to a mutex
      keys: Break bits out of key_unlink()
      keys: Hoist locking out of __key_link_begin()
      keys: Add a keyctl to move a key between keyrings
      keys: Grant Link permission to possessers of request_key auth keys
      keys: Add capability-checking keyctl function

Eric Biggers (1):
      KEYS: reuse keyring_index_key::desc_len in lookup_user_key()


 Documentation/security/keys/core.rst |   21 +++
 include/linux/key.h                  |   13 +-
 include/uapi/linux/keyctl.h          |   17 ++
 kernel/cred.c                        |    4 
 security/keys/compat.c               |    6 +
 security/keys/internal.h             |    7 +
 security/keys/key.c                  |   23 ++-
 security/keys/keyctl.c               |   92 +++++++++++
 security/keys/keyring.c              |  275 +++++++++++++++++++++++++++-------
 security/keys/process_keys.c         |   26 +--
 security/keys/request_key.c          |    7 +
 security/keys/request_key_auth.c     |    4 
 12 files changed, 413 insertions(+), 82 deletions(-)

Comments

Eric Biggers May 30, 2019, 6:12 p.m. UTC | #1
On Thu, May 30, 2019 at 06:25:11PM +0100, David Howells wrote:
> 
> Here are some miscellaneous keyrings fixes and improvements intended for
> the next merge window:
> 
>  (1) Fix a bunch of warnings from sparse, including missing RCU bits and
>      kdoc-function argument mismatches
> 
>  (2) Implement a keyctl to allow a key to be moved from one keyring to
>      another, with the option of prohibiting key replacement in the
>      destination keyring.
> 
>  (3) Grant Link permission to possessors of request_key_auth tokens so that
>      upcall servicing daemons can more easily arrange things such that only
>      the necessary auth key is passed to the actual service program, and
>      not all the auth keys a daemon might possesss.
> 
>  (4) Improvement in lookup_user_key().
> 
>  (5) Implement a keyctl to allow keyrings subsystem capabilities to be
>      queried.
> 
> The patches can be found on the following branch:
> 
> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-misc
> 

syzkaller still manages to crash something in the keys subsystem really quickly
when I run it on that branch (commit 35036b7e765b6):

RAX: ffffffffffffffda RBX: 000000000071bf00 RCX: 0000000000458a09
RDX: 0000000020001800 RSI: 00000000200017c0 RDI: 0000000020001780
RBP: 00007f784d775ca0 R08: fffffffffffffffd R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 00007f784d7766d4
R13: 00000000004a63d9 R14: 00000000006e33f8 R15: 0000000000000003
BUG: unable to handle page fault for address: ffffeba31fffffd0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0 
Oops: 0000 [#1] SMP KASAN
CPU: 5 PID: 10320 Comm: syz-executor.3 Not tainted 5.2.0-rc1-00010-g35036b7e765b6 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
RIP: 0010:__read_once_size include/linux/compiler.h:194 [inline]
RIP: 0010:compound_head include/linux/page-flags.h:172 [inline]
RIP: 0010:virt_to_head_page include/linux/mm.h:720 [inline]
RIP: 0010:virt_to_cache mm/slab.c:376 [inline]
RIP: 0010:kfree+0x7f/0x1d0 mm/slab.c:3751
Code: 7f 77 00 00 48 01 d0 48 89 df 48 c1 e8 0c 48 8d 14 c5 00 00 00 00 48 29 c2 48 89 d0 48 ba 00 00 00 00 00 ea ff ff 48 8d 04 c2 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 4c 8b 68 18 49 63 75
RSP: 0018:ffff88800a7f7bf0 EFLAGS: 00010016
RAX: ffffeba31fffffc8 RBX: 0000003ffffffffc RCX: 0000000000000000
RDX: ffffea0000000000 RSI: 0000000000000000 RDI: 0000003ffffffffc
RBP: ffff88800a7f7c10 R08: ffffffff83bf24c0 R09: ffffed100da2e448
R10: 0000000000000001 R11: ffffed100da2e447 R12: 0000000000000202
R13: ffffffff824c2d76 R14: dffffc0000000000 R15: ffff88800f1cf000
FS:  00007f784d776700(0000) GS:ffff88806d140000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffeba31fffffd0 CR3: 000000006932d004 CR4: 0000000000760ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 assoc_array_cancel_edit+0x56/0xa0 lib/assoc_array.c:1428
 __key_link_end+0x7e/0x170 security/keys/keyring.c:1360
 key_create_or_update+0x868/0xbb0 security/keys/key.c:943
 __do_sys_add_key security/keys/keyctl.c:134 [inline]
 __se_sys_add_key+0x134/0x380 security/keys/keyctl.c:74
 __x64_sys_add_key+0xbe/0x150 security/keys/keyctl.c:74
 do_syscall_64+0x9e/0x4e0 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458a09
Code: dd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f784d775c88 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
RAX: ffffffffffffffda RBX: 000000000071bf00 RCX: 0000000000458a09
RDX: 0000000020001800 RSI: 00000000200017c0 RDI: 0000000020001780
RBP: 00007f784d775ca0 R08: fffffffffffffffd R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 00007f784d7766d4
R13: 00000000004a63d9 R14: 00000000006e33f8 R15: 0000000000000003
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
CR2: ffffeba31fffffd0
---[ end trace 01d64df35f47d1f5 ]---
RIP: 0010:__read_once_size include/linux/compiler.h:194 [inline]
RIP: 0010:compound_head include/linux/page-flags.h:172 [inline]
RIP: 0010:virt_to_head_page include/linux/mm.h:720 [inline]
RIP: 0010:virt_to_cache mm/slab.c:376 [inline]
RIP: 0010:kfree+0x7f/0x1d0 mm/slab.c:3751
Code: 7f 77 00 00 48 01 d0 48 89 df 48 c1 e8 0c 48 8d 14 c5 00 00 00 00 48 29 c2 48 89 d0 48 ba 00 00 00 00 00 ea ff ff 48 8d 04 c2 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 4c 8b 68 18 49 63 75
RSP: 0018:ffff88800a7f7bf0 EFLAGS: 00010016
RAX: ffffeba31fffffc8 RBX: 0000003ffffffffc RCX: 0000000000000000
RDX: ffffea0000000000 RSI: 0000000000000000 RDI: 0000003ffffffffc
RBP: ffff88800a7f7c10 R08: ffffffff83bf24c0 R09: ffffed100da2e448
R10: 0000000000000001 R11: ffffed100da2e447 R12: 0000000000000202
R13: ffffffff824c2d76 R14: dffffc0000000000 R15: ffff88800f1cf000
FS:  00007f784d776700(0000) GS:ffff88806d140000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffeba31fffffd0 CR3: 000000006932d004 CR4: 0000000000760ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
David Howells May 30, 2019, 9:11 p.m. UTC | #2
Eric Biggers <ebiggers@kernel.org> wrote:

>  key_create_or_update+0x868/0xbb0 security/keys/key.c:943

I forgot to init edit:

	struct assoc_array_edit *edit;

to NULL.

David
David Howells May 30, 2019, 10:03 p.m. UTC | #3
Eric Biggers <ebiggers@kernel.org> wrote:

> syzkaller still manages to crash something in the keys subsystem really
> quickly when I run it on that branch (commit 35036b7e765b6):

I've pushed a new version that should fix that, thanks.

David