Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / 64fa6cd92d4e8cddf82c206aae8216f59cf907e4
commit64fa6cd92d4e8cddf82c206aae8216f59cf907e4[log] [tgz]
authorEric Biggers <ebiggers@google.com>Thu Jun 08 14:48:40 2017 +0100
committerchrmhoffmann <chrmhoffmann@gmail.com>Sat Aug 04 10:48:59 2018 +0200
treef03c50f1fb2434894961991419350c5c162a7036
parent8b981795dc24ed452c7a3745ef484f4e3a845ead [diff]
KEYS: fix dereferencing NULL payload with nonzero length

commit 5649645d725c73df4302428ee4e02c869248b4c5 upstream.

sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl() allowed a
NULL payload with nonzero length to be passed to the key type's
->preparse(), ->instantiate(), and/or ->update() methods.  Various key
types including asymmetric, cifs.idmap, cifs.spnego, and pkcs7_test did
not handle this case, allowing an unprivileged user to trivially cause a
NULL pointer dereference (kernel oops) if one of these key types was
present.  Fix it by doing the copy_from_user() when 'plen' is nonzero
rather than when '_payload' is non-NULL, causing the syscall to fail
with EFAULT as expected when an invalid buffer is specified.

Change-Id: I08ea7c0c12be5baa51f45076c6e22677cd14e7d6
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
1 file changed
tree: f03c50f1fb2434894961991419350c5c162a7036
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. AndroidKernel.mk
  25. COPYING
  26. CREDITS
  27. Kbuild
  28. Kconfig
  29. MAINTAINERS
  30. Makefile
  31. README
  32. REPORTING-BUGS