Message ID | 20170928212602.41744-2-ebiggers3@gmail.com (mailing list archive) |
---|---|
State | Not Applicable |
On Thu, 28 Sep 2017, Eric Biggers wrote:

> From: Eric Biggers <ebiggers@google.com>
>
> A key of type "encrypted" references a "master key" which is used to
> encrypt and decrypt the encrypted key's payload. However, when we
> accessed the master key's payload, we failed to handle the case where
> the master key has been revoked, which sets the payload pointer to NULL.
> Note that request_key() *does* skip revoked keys, but there is still a
> window where the key can be revoked before we acquire its semaphore.
>
> Fix it by checking for a NULL payload, treating it like a key which was
> already revoked at the time it was requested.
>
> This was an issue for master keys of type "user" only. Master keys can
> also be of type "trusted", but those cannot be revoked.
>
> Fixes: 7e70cb497850 ("keys: add new key-type encrypted")
> Cc: <stable@vger.kernel.org> [v2.6.38+]
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Reviewed-by: James Morris <james.l.morris@oracle.com>

diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c index f54b92868bc3..d92cbf9687c3 100644 --- a/security/keys/encrypted-keys/encrypted.c +++ b/security/keys/encrypted-keys/encrypted.c @@ -309,6 +309,13 @@ static struct key *request_user_key(const char *master_desc, const u8 **master_k down_read(&ukey->sem); upayload = user_key_payload_locked(ukey); + if (!upayload) { + /* key was revoked before we acquired its semaphore */ + up_read(&ukey->sem); + key_put(ukey); + ukey = ERR_PTR(-EKEYREVOKED); + goto error; + } *master_key = upayload->data; *master_keylen = upayload->datalen; error:
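
Review bot: The new `if (!upayload)` branch in request_user_key() gives the function two different lock states on return, and nothing in the hunk documents that. On the revoked path the branch calls `up_read(&ukey->sem)` and `key_put(ukey)` before `goto error`, while the success path visible just below reaches `error:` with `ukey->sem` still read-held and the key reference still owned. A short comment above the function would help, stating that the caller must release the semaphore and the reference only when the return value is not an ERR_PTR, and that `*master_key` and `*master_keylen` are left unwritten on the -EKEYREVOKED path. The ordering inside the branch (unlock, then put, then overwrite `ukey` with the error pointer) looks right, since `ukey` is still the valid key pointer at the point it is passed to `up_read()` and `key_put()`.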