From patchwork Sat Apr  1 21:34:28 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Biggers <ebiggers3@gmail.com>
X-Patchwork-Id: 9658297
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	913D3602BC
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Sat,  1 Apr 2017 21:36:55 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 76AC528507
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Sat,  1 Apr 2017 21:36:55 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 68FD028552; Sat,  1 Apr 2017 21:36:55 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6AE4B28507
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Sat,  1 Apr 2017 21:36:53 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751944AbdDAVgt (ORCPT
	<rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
	Sat, 1 Apr 2017 17:36:49 -0400
Received: from mail-pf0-f195.google.com ([209.85.192.195]:35665 "EHLO
	mail-pf0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751888AbdDAVgs (ORCPT
	<rfc822;linux-security-module@vger.kernel.org>);
	Sat, 1 Apr 2017 17:36:48 -0400
Received: by mail-pf0-f195.google.com with SMTP id n11so4852524pfg.2;
	Sat, 01 Apr 2017 14:36:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=3Qi4HIl16km6X3kr7HWtoNfjBXuUIudhpMY1/g2gEwg=;
	b=FzlcwnhWrik0UMB3jRx0IMO3QAp5epi5EJ2OTjdJKSvXQV9TpcNDICsUllFWf+R6LK
	rdiD5XKhhoMW7oNJttu2rF28uEVFkqXQyNzBN3dmDFRO98uCGIjGaj4K1xpyXDeTB7Wv
	/RO0s8QgSR2qWDb269bNhNvr7j9m2On09x+aDVpPEY/15+NBJdrVsVazgaz//2q9TfYi
	nsXzL4ZjLIGO7MJf/fm8qC4sDOW51KItn7bKu6gpulIErIopsaIFVHReUTNV/P92GC7Q
	l/wjPn7ZUiUBiDIDZwsRYg9pTdi1kPYrjKIdHujfjjpKy4AuIflX6G52p7po7vR+NzXh
	FSpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=3Qi4HIl16km6X3kr7HWtoNfjBXuUIudhpMY1/g2gEwg=;
	b=noFM8b8kVm4bSHtvzjCxnEdvf9HbLMByJ78ZR+bb+PwS5kuxyEHv5C06p+K1uX524U
	lI4iJgoLQ35zIJ//iYS+611azIm+X88U7tyKVi7vgt5uzZb461wgJRt99KwyNNvaXv5n
	LtOVkRYYVnXw7GEkbD7AKZ7TDz5Pd8xdiP1bCZENalypfafcpeeGr+GNA5UosWtA2BI4
	t3sdOSiNjwlh+2din2EUWLl0couwVb2kcfh53eHWaPOFMv0oq7RQ5uPisTubJaVmwGFX
	yAiCljOAFz40kdupLbj2ff6p1J4bIqUochLxwURKgU6TE04boRCdAq8bcPMytxDUqXq9
	d8wA==
X-Gm-Message-State: 
 AFeK/H0rgpSI4MyFGwlvUiCcL2TV2P1vNwY9eNwKnRs/oRoJPDmDSBX5LKn6Y9rX6wm0Rw==
X-Received: by 10.99.124.71 with SMTP id l7mr9887748pgn.14.1491082607518;
	Sat, 01 Apr 2017 14:36:47 -0700 (PDT)
Received: from zzz.hsd1.wa.comcast.net
	(c-73-239-167-150.hsd1.wa.comcast.net. [73.239.167.150])
	by smtp.gmail.com with ESMTPSA id
	d10sm17634566pfl.59.2017.04.01.14.36.46
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Sat, 01 Apr 2017 14:36:46 -0700 (PDT)
From: Eric Biggers <ebiggers3@gmail.com>
To: keyrings@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
	stable@vger.kernel.org
Subject: [PATCH] KEYS: fix dereferencing NULL payload with nonzero length
Date: Sat,  1 Apr 2017 14:34:28 -0700
Message-Id: <20170401213428.17097-1-ebiggers3@gmail.com>
X-Mailer: git-send-email 2.12.1
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

From: Eric Biggers <ebiggers@google.com>

sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl() allowed a
NULL payload with nonzero length to be passed to the key type's
->preparse(), ->instantiate(), and/or ->update() methods.  Various key
types including asymmetric, cifs.idmap, cifs.spnego, and pkcs7_test did
not handle this case, allowing an unprivileged user to trivially cause a
NULL pointer dereference (kernel oops) if one of these key types was
present.  Fix it by doing the copy_from_user() when 'plen' is nonzero
rather than when '_payload' is non-NULL, causing the syscall to fail
with EFAULT as expected when an invalid buffer is specified.

Cc: stable@vger.kernel.org # 2.6.10+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 security/keys/keyctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 52c34532c785..57447cd29154 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -99,7 +99,7 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
 	/* pull the payload in if one was supplied */
 	payload = NULL;
 
-	if (_payload) {
+	if (plen) {
 		ret = -ENOMEM;
 		payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN);
 		if (!payload) {
@@ -324,7 +324,7 @@ long keyctl_update_key(key_serial_t id,
 
 	/* pull the payload in if one was supplied */
 	payload = NULL;
-	if (_payload) {
+	if (plen) {
 		ret = -ENOMEM;
 		payload = kmalloc(plen, GFP_KERNEL);
 		if (!payload)