From patchwork Thu Sep 28 21:25:59 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 9976757 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 3EDDF60375 for ; Thu, 28 Sep 2017 21:30:01 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 30BB729758 for ; Thu, 28 Sep 2017 21:30:01 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 25A9F29759; Thu, 28 Sep 2017 21:30:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B52C82975B for ; Thu, 28 Sep 2017 21:30:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751819AbdI1V37 (ORCPT ); Thu, 28 Sep 2017 17:29:59 -0400 Received: from mail-pf0-f195.google.com ([209.85.192.195]:36892 "EHLO mail-pf0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751339AbdI1V3u (ORCPT ); Thu, 28 Sep 2017 17:29:50 -0400 Received: by mail-pf0-f195.google.com with SMTP id e69so2489176pfg.4; Thu, 28 Sep 2017 14:29:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=D5+SIWBDkpE4gC1SkC9pRAlLGiHmD9XurXztJ979ZX4=; b=ga15d4zGaSQa2UDXuZbV5X6Si3XGn7IjJ/uGvkrv7Onbt4/qDjOGa9ZKTiUDuURyRv NM3GqlUFA7xo6leBn2GBhv/N1hkd/UGW81RbBW2PpQNEP4t45wuUt4DJOfifu7ftv4ai Qytw+pnEKTHLpmaRXqjDJ8F1C9lkIQTzfn4G+APOo7rKXwrmNWNABABdShczoefkFIzp wttbJCE+i0lgT3KjCXh08cl05LUQ1h6g8rR2E/L/hf0/9TO3ZgpLpWwPADRpv+uB6NZr 1vkPe58NjgRWRJZC7ubo2c/qMqX6z8ifrUYLiXaalGwUiNwRT6ZKI3/gewRXG/vKNAhH 99vw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=D5+SIWBDkpE4gC1SkC9pRAlLGiHmD9XurXztJ979ZX4=; b=nkuAEA7DX8NQLJLvvs5R/b13rgQ/GVCr9A6HHD+tHyffQ+U/D0xgT3/ZwFpqVYtAw9 wE0Y3xBXUbr39RK8LZ75rtFvqQVylLdwtKfTaxTggrkOiZMaX5Yh0m8lluK4cctW3Qqh N5jq7BMwwikgLpt6Ud/UhyYgW8nK10/iTBk4KrhAsRI4VS3xYAFyLbPenq4l/VQGla2J STWhPrNtHSz5kBVfZc04kn5OuhGrgd3Z5evszokwvcqldU4zpws19szjSIY9iIFleHIq VLucbkhIXKY2cuxr/nR5ALCVA83CDlXOgdETWfTc+ydkzay+YV5txjKdXf86Iwl3MRwC 6VEg== X-Gm-Message-State: AHPjjUgIN5T1TvjAPKMxJqpZLO9Y+lYQcfkv8I+n48KfalsOUiDbsxG7 LxVNEiyvCDSRUQTY/LHCPFK32JMd X-Google-Smtp-Source: AOwi7QDLicY0+IkBRCCgro4OJ26pATRQ+sPE81DrzfcpZhEJGYsvp+R7QN5+Flld/o6MWYr2gdiBXQ== X-Received: by 10.98.217.133 with SMTP id b5mr5549985pfl.227.1506634189251; Thu, 28 Sep 2017 14:29:49 -0700 (PDT) Received: from ebiggers-linuxstation.kir.corp.google.com ([100.66.174.81]) by smtp.gmail.com with ESMTPSA id o128sm3810672pga.5.2017.09.28.14.29.48 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 28 Sep 2017 14:29:48 -0700 (PDT) From: Eric Biggers To: keyrings@vger.kernel.org Cc: David Howells , Michael Halcrow , linux-cachefs@redhat.com, ecryptfs@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-security-module@vger.kernel.org, Eric Biggers , stable@vger.kernel.org Subject: [PATCH 4/7] fscrypt: fix dereference of NULL user_key_payload Date: Thu, 28 Sep 2017 14:25:59 -0700 Message-Id: <20170928212602.41744-5-ebiggers3@gmail.com> X-Mailer: git-send-email 2.14.2.822.g60be5d43e6-goog In-Reply-To: <20170928212602.41744-1-ebiggers3@gmail.com> References: <20170928212602.41744-1-ebiggers3@gmail.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers When an fscrypt-encrypted file is opened, we request the file's master key from the keyrings service as a logon key, then access its payload. However, a revoked key has a NULL payload, and we failed to check for this. request_key() *does* skip revoked keys, but there is still a window where the key can be revoked before we acquire its semaphore. Fix it by checking for a NULL payload, treating it like a key which was already revoked at the time it was requested. Fixes: 88bd6ccdcdd6 ("ext4 crypto: add encryption key management facilities") Cc: [v4.1+] Signed-off-by: Eric Biggers Reviewed-by: James Morris --- fs/crypto/keyinfo.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c index 018c588c7ac3..8e704d12a1cf 100644 --- a/fs/crypto/keyinfo.c +++ b/fs/crypto/keyinfo.c @@ -109,6 +109,11 @@ static int validate_user_key(struct fscrypt_info *crypt_info, goto out; } ukp = user_key_payload_locked(keyring_key); + if (!ukp) { + /* key was revoked before we acquired its semaphore */ + res = -EKEYREVOKED; + goto out; + } if (ukp->datalen != sizeof(struct fscrypt_key)) { res = -EINVAL; goto out;