From patchwork Mon Oct 9 19:46:18 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 9994157 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 2C89060230 for ; Mon, 9 Oct 2017 19:47:19 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1FD0B28770 for ; Mon, 9 Oct 2017 19:47:19 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1447428773; Mon, 9 Oct 2017 19:47:19 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BED0528770 for ; Mon, 9 Oct 2017 19:47:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754737AbdJITrR (ORCPT ); Mon, 9 Oct 2017 15:47:17 -0400 Received: from mail-pf0-f194.google.com ([209.85.192.194]:33157 "EHLO mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754497AbdJITrQ (ORCPT ); Mon, 9 Oct 2017 15:47:16 -0400 Received: by mail-pf0-f194.google.com with SMTP id m28so29896418pfi.0; Mon, 09 Oct 2017 12:47:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=MXVWb4Db/wKBJ9tRYo4Ml7aDE8fT5W0LO8B8STLgoFc=; b=CugWw00HnVY/08hfwChmNtihnnJXGY9C4gpiZhkcLAp/oFCIpwN68Iy1tiMG9+Pa26 6NsLFJFD+3365UL2uFIup75oYWITa0AZbwZ4zNN67nQqKPe2FYyE5NphCrqfAwosrYKq 9Ot9451F3IkUtRvdLYLvM5GZFrsRIIucy0ivrLQfMq8bQgDfXY/6Aealq2SbFyqR8Oll LlfgpOG7KBKzX/JTjBpITRg+XbL1OejH8mLN2FLh9if3++iEYCDs/su+WdfxJfCM+7sx V/9OnIS48I9GqtnH9IAp6GuELhTV9LCYboq4nfBvLQxqFdr8ErehdFyaerFsptu3x70a Eqdw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=MXVWb4Db/wKBJ9tRYo4Ml7aDE8fT5W0LO8B8STLgoFc=; b=ODRTDodP70RRpVTB7u7XZJYQj9etpZ6zqT8gG2dtDGLkrlNkXhYVG3co8+9eA+KTTS DhPlCw2O1JxSwE4QZoEge2uTx9weZuwAYaFOPYiDbipIUH40I9tlfH8mV8/Ns2hUJXWl jQJPNvLGkzdCDZ+qrXwLyXpcJY1fUjjAJQdc63l+sg1wG3F1SMJLelijj8l7B3k1hGMQ WbUSMBvMQ/wmqaPFE7EHdTUT9Qp6GY4pgWQODYB+dYeYQsa22ecNGdWUx282r+65axgt 05k6+vn8tJvEj87+EfaTxLwmp7+AKXYLNc/BVB9BwA7mGyBQcreojit4mvTXRvaSN5Ru 7ZYQ== X-Gm-Message-State: AMCzsaUb2GEDTEXikrG4Y8ybRYgifH47qXS27d57+DjQidfxyuMchPqM PorphHy4pkmzY2jJl+6eyTnHe4Yc X-Google-Smtp-Source: AOwi7QDjOTp7hw0kXpLiVEmSK2Cw+J1+ipp3RLTLeRUBlzFghUhhxLZcSBC/hhXbEb2MpZH5g9xGxA== X-Received: by 10.84.244.12 with SMTP id g12mr10161143pll.223.1507578435122; Mon, 09 Oct 2017 12:47:15 -0700 (PDT) Received: from ebiggers-linuxstation.kir.corp.google.com ([100.66.174.81]) by smtp.gmail.com with ESMTPSA id 19sm7104326pfj.154.2017.10.09.12.47.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 09 Oct 2017 12:47:14 -0700 (PDT) From: Eric Biggers To: linux-fscrypt@vger.kernel.org, "Theodore Y . Ts'o" Cc: keyrings@vger.kernel.org, Jaegeuk Kim , linux-security-module@vger.kernel.org, Eric Biggers , stable@vger.kernel.org Subject: [PATCH v2] fscrypt: fix dereference of NULL user_key_payload Date: Mon, 9 Oct 2017 12:46:18 -0700 Message-Id: <20171009194618.67494-1-ebiggers3@gmail.com> X-Mailer: git-send-email 2.14.2.920.gcf0c67979c-goog Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers When an fscrypt-encrypted file is opened, we request the file's master key from the keyrings service as a logon key, then access its payload. However, a revoked key has a NULL payload, and we failed to check for this. request_key() *does* skip revoked keys, but there is still a window where the key can be revoked before we acquire its semaphore. Fix it by checking for a NULL payload, treating it like a key which was already revoked at the time it was requested. Fixes: 88bd6ccdcdd6 ("ext4 crypto: add encryption key management facilities") Reviewed-by: James Morris Cc: [v4.1+] Signed-off-by: Eric Biggers --- Changed since v1: added Reviewed-by and resent as standalone patch. Can this please be taken through the fscrypt tree? fs/crypto/keyinfo.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c index 018c588c7ac3..8e704d12a1cf 100644 --- a/fs/crypto/keyinfo.c +++ b/fs/crypto/keyinfo.c @@ -109,6 +109,11 @@ static int validate_user_key(struct fscrypt_info *crypt_info, goto out; } ukp = user_key_payload_locked(keyring_key); + if (!ukp) { + /* key was revoked before we acquired its semaphore */ + res = -EKEYREVOKED; + goto out; + } if (ukp->datalen != sizeof(struct fscrypt_key)) { res = -EINVAL; goto out;