From patchwork Mon Oct 9 19:37:49 2017
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 9994143
From: Eric Biggers
To: keyrings@vger.kernel.org, David Howells
Cc: linux-security-module@vger.kernel.org, Eric Biggers, stable@vger.kernel.org, Mimi Zohar, David Safford
Subject: [PATCH v2] KEYS: encrypted: fix dereference of NULL user_key_payload
Date: Mon, 9 Oct 2017 12:37:49 -0700
Message-Id: <20171009193749.66636-1-ebiggers3@gmail.com>
From: Eric Biggers

A key of type "encrypted" references a "master key" which is used to encrypt and decrypt the encrypted key's payload. However, when we accessed the master key's payload, we failed to handle the case where the master key has been revoked, which sets the payload pointer to NULL.

Note that request_key() *does* skip revoked keys, but there is still a window where the key can be revoked before we acquire its semaphore.

Fix it by checking for a NULL payload, treating it like a key which was already revoked at the time it was requested.

This was an issue for master keys of type "user" only. Master keys can also be of type "trusted", but those cannot be revoked.

Fixes: 7e70cb497850 ("keys: add new key-type encrypted")
Reviewed-by: James Morris
Cc: [v2.6.38+]
Cc: Mimi Zohar
Cc: David Safford
Signed-off-by: Eric Biggers
---
Changed since v1: added Reviewed-by and resent as standalone patch.

Can this please be taken through the keyrings tree?

 security/keys/encrypted-keys/encrypted.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c index 69855ba0d3b3..535db141f4da 100644 --- a/security/keys/encrypted-keys/encrypted.c +++ b/security/keys/encrypted-keys/encrypted.c @@ -309,6 +309,13 @@ static struct key *request_user_key(const char *master_desc, const u8 **master_k down_read(&ukey->sem); upayload = user_key_payload_locked(ukey); + if (!upayload) { + /* key was revoked before we acquired its semaphore */ + up_read(&ukey->sem); + key_put(ukey); + ukey = ERR_PTR(-EKEYREVOKED); + goto error; + } *master_key = upayload->data; *master_keylen = upayload->datalen; error:
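Review bot: the new `if (!upayload)` branch calls up_read() and key_put() on ukey before `goto error`, so whatever follows the `error:` label (outside the hunk's trailing context) must not release the semaphore or drop the reference a second time, and no caller may touch ukey on the error return since it now holds an ERR_PTR; worth confirming against the full function, or moving the cleanup under the label so the revoked path and the normal error path share one exit. Reporting -EKEYREVOKED is consistent with the commit message's intent of treating the race like a key that was already revoked when request_key() looked it up.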