From patchwork Thu Sep 28 21:25:56 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 9976779 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id CA14160375 for ; Thu, 28 Sep 2017 21:30:31 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BC51729759 for ; Thu, 28 Sep 2017 21:30:31 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B15A42975B; Thu, 28 Sep 2017 21:30:31 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 65EB529759 for ; Thu, 28 Sep 2017 21:30:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751649AbdI1V3u (ORCPT ); Thu, 28 Sep 2017 17:29:50 -0400 Received: from mail-pf0-f194.google.com ([209.85.192.194]:36871 "EHLO mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751345AbdI1V3q (ORCPT ); Thu, 28 Sep 2017 17:29:46 -0400 Received: by mail-pf0-f194.google.com with SMTP id e69so2489075pfg.4; Thu, 28 Sep 2017 14:29:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Uud5nWOhmSxPO300TrUGEC1kOM3DSY67jEatcVHR9KU=; b=phDFa1ujpRf92yMrsazM5MXj1T/djUAX2iTnuup+HPC2qQc18fwRMwB6GhxPaqL1bU tScTble3iH1GYnHfUmVfPEffZhq104jz2sS3W+HAX/5Bvx9zZxfja/GSMInWhI4h5TC0 BxtzomEsGj2+uUMelerO8wmZXYkod8HM4WejNJvGeMhHX9Av9Y3hbT9pU2R/3OSiBKNa LODFN1hU1DGyzqrDCmlEZRyLJE8LlWoEjTnd66d5AKh67gTbCk/HHlFk+0bc90j0u2JS PRqNHLEKTGlFv691ZVVfZ+OH6bOlct7q6fQnwaaBWeIXLLman3OSYy9JTT0VX2gfZ9ey pWRA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=Uud5nWOhmSxPO300TrUGEC1kOM3DSY67jEatcVHR9KU=; b=HRL8yBN6ZX5iEXUbLZxxqpLy8TqHb9NcT9uNP5uF+V7mS91tNcpWf1+A4Aonfd7DlA W87of2/xo5GwagHlsfuy+wYL7oVRP7I/J0Atnz2Tig4l7yTvouErFWsnlqJPtaevx/L+ trudvVUIJf8VRNNb5eiMmheEYV0AhNFhivW5TvpzhBiSkdL8BBxUiXO8L2PpKas0YbTz uai1/5GM9WWr6g45kShfBswLh9sjz1EkwfEOrBBqTC4NtDINZi1dvhtVDW5s3Ck+upt8 TuQxVVLdtYj73I5bBrx9qiahqHV2RVGyrOrMSRWZnL/ukCe47BDchNMfVWoHyAM6den+ /9Rg== X-Gm-Message-State: AHPjjUj8O5rcXHPAVpNwZb/ez2VgQyrRGoLlaXax7rv8OyaS59ckXcC7 10nmchjcgFjl8RtY+9jBz/GWvuJe X-Google-Smtp-Source: AOwi7QAEi5TSaeSLJXBbH/j4uQE/Cz7JlzrbgrxTbEH6i0NxLAEZsvsSWGLEE3STMm+dzRwapQfVlA== X-Received: by 10.98.33.134 with SMTP id o6mr5532715pfj.103.1506634186029; Thu, 28 Sep 2017 14:29:46 -0700 (PDT) Received: from ebiggers-linuxstation.kir.corp.google.com ([100.66.174.81]) by smtp.gmail.com with ESMTPSA id o128sm3810672pga.5.2017.09.28.14.29.45 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 28 Sep 2017 14:29:45 -0700 (PDT) From: Eric Biggers To: keyrings@vger.kernel.org Cc: David Howells , Michael Halcrow , linux-cachefs@redhat.com, ecryptfs@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-security-module@vger.kernel.org, Eric Biggers , stable@vger.kernel.org Subject: [PATCH 1/7] KEYS: encrypted: fix dereference of NULL user_key_payload Date: Thu, 28 Sep 2017 14:25:56 -0700 Message-Id: <20170928212602.41744-2-ebiggers3@gmail.com> X-Mailer: git-send-email 2.14.2.822.g60be5d43e6-goog In-Reply-To: <20170928212602.41744-1-ebiggers3@gmail.com> References: <20170928212602.41744-1-ebiggers3@gmail.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers A key of type "encrypted" references a "master key" which is used to encrypt and decrypt the encrypted key's payload. However, when we accessed the master key's payload, we failed to handle the case where the master key has been revoked, which sets the payload pointer to NULL. Note that request_key() *does* skip revoked keys, but there is still a window where the key can be revoked before we acquire its semaphore. Fix it by checking for a NULL payload, treating it like a key which was already revoked at the time it was requested. This was an issue for master keys of type "user" only. Master keys can also be of type "trusted", but those cannot be revoked. Fixes: 7e70cb497850 ("keys: add new key-type encrypted") Cc: [v2.6.38+] Signed-off-by: Eric Biggers Reviewed-by: James Morris --- security/keys/encrypted-keys/encrypted.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c index f54b92868bc3..d92cbf9687c3 100644 --- a/security/keys/encrypted-keys/encrypted.c +++ b/security/keys/encrypted-keys/encrypted.c @@ -309,6 +309,13 @@ static struct key *request_user_key(const char *master_desc, const u8 **master_k down_read(&ukey->sem); upayload = user_key_payload_locked(ukey); + if (!upayload) { + /* key was revoked before we acquired its semaphore */ + up_read(&ukey->sem); + key_put(ukey); + ukey = ERR_PTR(-EKEYREVOKED); + goto error; + } *master_key = upayload->data; *master_keylen = upayload->datalen; error: