From patchwork Thu Sep 28 21:25:58 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 9976761 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 0985460568 for ; Thu, 28 Sep 2017 21:30:02 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F016C29758 for ; Thu, 28 Sep 2017 21:30:01 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E4EFF2975D; Thu, 28 Sep 2017 21:30:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9E90D29759 for ; Thu, 28 Sep 2017 21:30:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751850AbdI1V3y (ORCPT ); Thu, 28 Sep 2017 17:29:54 -0400 Received: from mail-pf0-f194.google.com ([209.85.192.194]:33279 "EHLO mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751495AbdI1V3t (ORCPT ); Thu, 28 Sep 2017 17:29:49 -0400 Received: by mail-pf0-f194.google.com with SMTP id h4so2509111pfk.0; Thu, 28 Sep 2017 14:29:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Rt8RM9sl3HGfUgL4r1DuG3K2KVrw4IIH0wLwbUGqZNA=; b=ASNTFEUUsU37McThLqFDg2T8AZOqb8JSrT1wrE1xEFN1I1x1YsjePVG5MBgC9bRFE1 Te69qNNS+QX2Lg5iphlKcHVkvH+bt0nXGqzSMTj7wWl2eimcSATKuI+VYaKEcLVWJBS6 zp9j8O9tVTawpA5fdY3ihTdEOtZy/v/KGrT5pX7O3+1nadca96V//pfkUg9+YxkC2gcY au92cv6Rzc70Y8HOaGebxnajbtueIqcZV0BfwIbYsNw4Jzo3gjvD7jFnGLM98JABkj9h QpftZ8CUcXl2WsfxeiQdE80RSUwqeQLrVpYCD4loOiPsMAWg0H9zmHexzUO2Oj3AehIY 9Okg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=Rt8RM9sl3HGfUgL4r1DuG3K2KVrw4IIH0wLwbUGqZNA=; b=ba5tdNX4VX/4t9NFnLwzvXzuwnXLc5SXkM8u+6Lv0huKhrxwf/nm9p4WLW8fCgAXB3 htEJe27k7RitOZ5CV/TpdRG+VJEugJf3/XjT9FgYXUBkOsGPwnJcciDRHrOepmKivHcJ QLNabiW6ZFi+CFYqZFPA3ZOPOPdwImW1FlodxSYr5mMZVp8ZE8CbjVEuTwPstJRvDtUq 5PelqdmLhNN4H7tKajnsFB06+nj84jPdIleDtlAO+IBieTz1JcbbGMBkU+7CKkcZVTys MJ8Z+zeAutRaUZsxX491Qn6isGl24vVFwk9nHeRjZmWj/j+6i35HS2PYv9aCGuimZ3Vb k/zQ== X-Gm-Message-State: AHPjjUh85F9rtnWyLawRyzbDLSgZHytai/qY6rHSrNp94PmOLnSr1N5T 3ncaiCoUdQ3dntFXCRxygvP8cyMF X-Google-Smtp-Source: AOwi7QB8G/2XamXInwb40SauH7VMtUopPcbXpmGmbuaz8Y+tyn4eGFW9itEVQN2/RZCyASHey+WkqA== X-Received: by 10.98.157.73 with SMTP id i70mr5436131pfd.268.1506634188184; Thu, 28 Sep 2017 14:29:48 -0700 (PDT) Received: from ebiggers-linuxstation.kir.corp.google.com ([100.66.174.81]) by smtp.gmail.com with ESMTPSA id o128sm3810672pga.5.2017.09.28.14.29.47 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 28 Sep 2017 14:29:47 -0700 (PDT) From: Eric Biggers To: keyrings@vger.kernel.org Cc: David Howells , Michael Halcrow , linux-cachefs@redhat.com, ecryptfs@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-security-module@vger.kernel.org, Eric Biggers , stable@vger.kernel.org Subject: [PATCH 3/7] lib/digsig: fix dereference of NULL user_key_payload Date: Thu, 28 Sep 2017 14:25:58 -0700 Message-Id: <20170928212602.41744-4-ebiggers3@gmail.com> X-Mailer: git-send-email 2.14.2.822.g60be5d43e6-goog In-Reply-To: <20170928212602.41744-1-ebiggers3@gmail.com> References: <20170928212602.41744-1-ebiggers3@gmail.com> Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers digsig_verify() requests a user key, then accesses its payload. However, a revoked key has a NULL payload, and we failed to check for this. request_key() *does* skip revoked keys, but there is still a window where the key can be revoked before we acquire its semaphore. Fix it by checking for a NULL payload, treating it like a key which was already revoked at the time it was requested. Fixes: 051dbb918c7f ("crypto: digital signature verification support") Cc: [v3.3+] Signed-off-by: Eric Biggers Reviewed-by: James Morris --- lib/digsig.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/digsig.c b/lib/digsig.c index 03d7c63837ae..6ba6fcd92dd1 100644 --- a/lib/digsig.c +++ b/lib/digsig.c @@ -87,6 +87,12 @@ static int digsig_verify_rsa(struct key *key, down_read(&key->sem); ukp = user_key_payload_locked(key); + if (!ukp) { + /* key was revoked before we acquired its semaphore */ + err = -EKEYREVOKED; + goto err1; + } + if (ukp->datalen < sizeof(*pkh)) goto err1;