From patchwork Mon Oct  9 19:43:20 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Biggers <ebiggers3@gmail.com>
X-Patchwork-Id: 9994153
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	8F95060216
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Mon,  9 Oct 2017 19:45:05 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 82C012873D
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Mon,  9 Oct 2017 19:45:05 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 7716D28772; Mon,  9 Oct 2017 19:45:05 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E6F102873D
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Mon,  9 Oct 2017 19:45:04 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754830AbdJITpD (ORCPT
	<rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
	Mon, 9 Oct 2017 15:45:03 -0400
Received: from mail-pf0-f196.google.com ([209.85.192.196]:35828 "EHLO
	mail-pf0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754293AbdJITpC (ORCPT
	<rfc822;linux-security-module@vger.kernel.org>);
	Mon, 9 Oct 2017 15:45:02 -0400
Received: by mail-pf0-f196.google.com with SMTP id i23so30016305pfi.2;
	Mon, 09 Oct 2017 12:45:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=4pbBbwTitUMPLnaS+A3k4meTiwdpq9DXTc798oWchiY=;
	b=iXc63aKe2czxAcGC5qlfmGDEEVI8doUX6KVxI9r02XHRyX/CXsqXQCetJ/wXDY0KNI
	fC9fL4xud2ec51GJ+EIXTDf/ng3lKhoatngfVtCtWAerJAT+zefZ7Gh5KB35P0CmxWWu
	pEbk/YtwxXDLkBeFaXSVqwajM3oNg8HktDS2JLmVeryvs7DVzLv1MszZjMqAwjyYIhm1
	Enq5Tbq2Ia2wx84lNdHT4zxKjyVKf86vodcQ5/YRaf/pc/pw+O5xJ7zlRIgiGTkgJ7Iq
	bbMLRa5X5bSh85yZgMRU5LMpMvITjNBksTqFzpCJtI02iFv1qWECh9T7jHVcGbCnwM/q
	Cvvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=4pbBbwTitUMPLnaS+A3k4meTiwdpq9DXTc798oWchiY=;
	b=Li34SdCDKS+p8iNTwwDL1s9URS3TmLW7oyRWcmw1nZ/632ImY/djHWJLogFKtYMzcT
	OhGqDFCkPxDUBgznxXGCHQ31O7u0ShUB5Y9m/aZPJxaH82WGwDJRZLApRto/rltzFDQn
	R8AirrlkmIrTJQPLx8MgCrIRAZp+Pjkwx5IPTh8013rGcHPb/4KeOtwqFqufjEibOZqt
	petMyg+PwvdYFzD63N1tLbqOhu+46cCPFFqulR+5NKnKREyCGIg2bkGFhc/1yul1Fqgm
	4rWgedggbr8aZE6rTpUQxyhMIwlyoLjEtp0s5D51n9XqWiKS7d+o48/jWwGy4pYrum16
	CKgA==
X-Gm-Message-State: AMCzsaUVmMr36p7rrUbSouz4cV+K+6CF286sN2gAEsj3cU9fyxN/EuLx
	QqgDpWNFGemhC+huWufvxcW2iDYD
X-Google-Smtp-Source: 
 AOwi7QDNw2KHL2eAAkjXJTZBIjarCVL7Bu84ZES4q3t4pZqn9omJauz2bcNAR/vR5vZ8nOdBPcgPbA==
X-Received: by 10.98.178.22 with SMTP id x22mr6496032pfe.123.1507578301909;
	Mon, 09 Oct 2017 12:45:01 -0700 (PDT)
Received: from ebiggers-linuxstation.kir.corp.google.com ([100.66.174.81])
	by smtp.gmail.com with ESMTPSA id
	c5sm17469616pfd.139.2017.10.09.12.45.01
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Mon, 09 Oct 2017 12:45:01 -0700 (PDT)
From: Eric Biggers <ebiggers3@gmail.com>
To: linux-security-module@vger.kernel.org,
	James Morris <james.l.morris@oracle.com>
Cc: keyrings@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
	stable@vger.kernel.org, Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Subject: [PATCH v2] lib/digsig: fix dereference of NULL user_key_payload
Date: Mon,  9 Oct 2017 12:43:20 -0700
Message-Id: <20171009194320.67221-1-ebiggers3@gmail.com>
X-Mailer: git-send-email 2.14.2.920.gcf0c67979c-goog
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

From: Eric Biggers <ebiggers@google.com>

digsig_verify() requests a user key, then accesses its payload.
However, a revoked key has a NULL payload, and we failed to check for
this.  request_key() *does* skip revoked keys, but there is still a
window where the key can be revoked before we acquire its semaphore.

Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.

Fixes: 051dbb918c7f ("crypto: digital signature verification support")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: <stable@vger.kernel.org>    [v3.3+]
Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
---

Changed since v1: added Reviewed-by and resent as standalone patch.  Can
this please be taken through the security tree or the keyrings tree?

 lib/digsig.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/digsig.c b/lib/digsig.c
index 03d7c63837ae..6ba6fcd92dd1 100644
--- a/lib/digsig.c
+++ b/lib/digsig.c
@@ -87,6 +87,12 @@ static int digsig_verify_rsa(struct key *key,
 	down_read(&key->sem);
 	ukp = user_key_payload_locked(key);
 
+	if (!ukp) {
+		/* key was revoked before we acquired its semaphore */
+		err = -EKEYREVOKED;
+		goto err1;
+	}
+
 	if (ukp->datalen < sizeof(*pkh))
 		goto err1;