kernel-fxtec-pro1x/security/keys
Hillf Danton ca77acdf1a keys: Fix missing null pointer check in request_key_auth_describe()
[ Upstream commit d41a3effbb53b1bcea41e328d16a4d046a508381 ]

If a request_key authentication token key gets revoked, there's a window in
which request_key_auth_describe() can see it with a NULL payload - but it
makes no check for this and something like the following oops may occur:

	BUG: Kernel NULL pointer dereference at 0x00000038
	Faulting instruction address: 0xc0000000004ddf30
	Oops: Kernel access of bad area, sig: 11 [#1]
	...
	NIP [...] request_key_auth_describe+0x90/0xd0
	LR [...] request_key_auth_describe+0x54/0xd0
	Call Trace:
	[...] request_key_auth_describe+0x54/0xd0 (unreliable)
	[...] proc_keys_show+0x308/0x4c0
	[...] seq_read+0x3d0/0x540
	[...] proc_reg_read+0x90/0x110
	[...] __vfs_read+0x3c/0x70
	[...] vfs_read+0xb4/0x1b0
	[...] ksys_read+0x7c/0x130
	[...] system_call+0x5c/0x70

Fix this by checking for a NULL pointer when describing such a key.

Also make the read routine check for a NULL pointer to be on the safe side.

[DH: Modified to not take already-held rcu lock and modified to also check
 in the read routine]

Fixes: 04c567d931 ("[PATCH] Keys: Fix race between two instantiators of a key")
Reported-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-09-21 07:17:13 +02:00
..
encrypted-keys License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
big_key.c big key: get rid of stack array allocation 2018-05-11 13:07:45 -07:00
compat.c KEYS: add SP800-56A KDF support for DH 2017-04-04 22:33:38 +01:00
compat_dh.c KEYS: DH: validate __spare field 2017-07-14 11:01:38 +10:00
dh.c Revert "uapi/linux/keyctl.h: don't use C++ reserved keyword as a struct member name" 2018-09-25 13:28:58 +02:00
gc.c Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-11-25 08:37:16 -10:00
internal.h keys: Fix dependency loop between construction record and auth key 2019-03-23 20:09:48 +01:00
Kconfig security/keys: BIG_KEY requires CONFIG_CRYPTO 2017-10-18 09:12:40 +01:00
key.c KEYS: allow reaching the keys quotas exactly 2019-02-27 10:08:50 +01:00
keyctl.c keys: Fix dependency loop between construction record and auth key 2019-03-23 20:09:48 +01:00
keyring.c KEYS: always initialize keyring_index_key::desc_len 2019-02-27 10:09:00 +01:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
permission.c security: keys: Replace time_t/timespec with time64_t 2017-11-15 16:38:45 +00:00
persistent.c sched/headers: Prepare to remove <linux/cred.h> inclusion from <linux/sched.h> 2017-03-02 08:42:31 +01:00
proc.c KEYS: always initialize keyring_index_key::desc_len 2019-02-27 10:09:00 +01:00
process_keys.c keys: Fix dependency loop between construction record and auth key 2019-03-23 20:09:48 +01:00
request_key.c keys: Fix dependency loop between construction record and auth key 2019-03-23 20:09:48 +01:00
request_key_auth.c keys: Fix missing null pointer check in request_key_auth_describe() 2019-09-21 07:17:13 +02:00
sysctl.c security: Convert use of typedef ctl_table to struct ctl_table 2014-04-15 13:39:58 +10:00
trusted.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
trusted.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
user_defined.c KEYS: Fix race between updating and finding a negative key 2017-10-18 09:12:40 +01:00